On 6/18/20 3:41 PM, John Harrold wrote:
> Hello Kristin,
>
> Are you talking about risk analysis from the perspective of software
> vulnerabilities?

It appears that is exactly what is being asked. What is not clear is whether the installation would be offered to persons or groups on the network with no other security wrappers. R has never claimed to be "web-safe". It offers access to system level commands and file system manipulation that would probably compromise security arrangements. In fact, over the course of the last 12 years when I've been reading this mailing list, there has never been a credible suggestion to offer R applications to untrusted users. Quite the opposite. Naked R is surely not going to pass any sort of threat or risk scrutiny.

My suggestion would be to investigate various wrappers for R such as Rstudio or the Microsoft re-worked version of what used to be Revolution R. They have lawyers and offer "enterprise solutions" and would presumably be able to speak to some sort of security analysis. Whether either of those approaches would provide the level of security needed by a healthcare organization would be an interesting question. Perhaps you can report back after completing your investigation?

--
David.

> John
>
> On Thu, Jun 18, 2020 at 3:21 PM Wait, Kristin <WaitK at amc.edu> wrote:
>
>> HI all,
>>
>> I am with a NYS major trauma center and all programs that our
>> employees/providers use must be vetted through the IT Department by way of
>> a Risk Analysis.
>> Is there someone I would talk to about this?
>>
>> I scoured your website and could not find a specific person.
>>
>> Thank you so much
>> Kristin Wait
>> Albany, NY
>> -----------------------------------------
>> CONFIDENTIALITY NOTICE: This email and any attachments may contain
>> confidential information that is protected by law and is for the sole use
>> of the individuals or entities to which it is addressed. If you are not
>> the intended recipient, please notify the sender by replying to this email
>> and destroying all copies of the communication and attachments. Further
>> use, disclosure, copying, distribution of, or reliance upon the contents
>> of this email and attachments is strictly prohibited. To contact Albany
>> Medical Center, or for a copy of our privacy practices, please visit us on
>> the Internet at www.amc.edu.
>>
>> [[alternative HTML version deleted]]
>>
>> ______________________________________________
>> R-help at r-project.org mailing list -- To UNSUBSCRIBE and more, see
>> https://stat.ethz.ch/mailman/listinfo/r-help
>> PLEASE do read the posting guide
>> http://www.R-project.org/posting-guide.html
>> and provide commented, minimal, self-contained, reproducible code.
I work in Pharma and we use R in all the companies I've worked for. They are really paranoid and it's used in regulated environments as well with patient data. So there should be something they can do.

Kristin: I can put you in touch with vendors who do our regulated work in R if you're interested.

On Thu, Jun 18, 2020 at 4:45 PM David Winsemius <dwinsemius at comcast.net> wrote:

--
John
:wq
You should start by reading
R: Regulatory Compliance and Validation Issues: A guidance document for the use of R in regulated clinical trial environments.
https://www.r-project.org/doc/R-FDA.pdf

The official link to that file is at the R home page
https://www.r-project.org/
In the left column, click on Certification.

That takes you to the page that offers the Compliance paper and a paper on the R Development cycle.

Rich

On Thu, Jun 18, 2020 at 7:46 PM David Winsemius <dwinsemius at comcast.net> wrote:
As others have noted, R's vulnerabilities depend on the environments in which it is used. Perhaps the other issue is whether any downloaded R software could be problematic, perhaps due to malware. R's core functionality is, I'm sure, fine. For the 20,000 or so packages on CRAN and elsewhere -- ?? One would have to probably check the security on CRAN's (or others') servers for that. My ignorant expectation is that most such university-associated servers are quite secure.

Bert Gunter

"The trouble with having an open mind is that people keep coming along and sticking things into it."
-- Opus (aka Berkeley Breathed in his "Bloom County" comic strip)

On Thu, Jun 18, 2020 at 5:27 PM Richard M. Heiberger <rmh at temple.edu> wrote:
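The supply-chain concern raised in the last message above (whether a downloaded package could have been tampered with) has a concrete check a reviewer can run before installation. The R code below is an added example, not code from this thread or from the R project: it compares the MD5 sum of a downloaded source tarball with the `MD5sum` field that a CRAN-style repository publishes in its package index (`available.packages()` exposes that column). The function names `verify_tarball_md5`, `check_cran_package` and `demo_offline` are hypothetical, the repository URL is an assumption, and `demo_offline()` runs without network access on a constructed file.

```r
# Added example (not from the thread): verify that a package tarball matches
# the MD5 sum published in the repository's package index before installing it.
# Assumes a CRAN-style repository (the URL below is an assumption, not a
# recommendation from the thread).

# Compare a file's MD5 sum with an expected value; returns TRUE on a match.
verify_tarball_md5 <- function(tarball, expected_md5) {
  if (!file.exists(tarball)) stop("tarball not found: ", tarball)
  actual <- unname(tools::md5sum(tarball))
  identical(tolower(actual), tolower(expected_md5))
}

# Fetch the repository index, download one source package and check it
# against the MD5sum field the index publishes. Needs network access.
check_cran_package <- function(pkg, repos = "https://cloud.r-project.org",
                               destdir = tempdir()) {
  idx <- available.packages(repos = repos, type = "source")
  if (!pkg %in% rownames(idx)) stop("package not in repository index: ", pkg)
  expected <- idx[pkg, "MD5sum"]
  dl <- download.packages(pkg, destdir = destdir, repos = repos, type = "source")
  tarball <- dl[1, 2]            # second column holds the local file path
  list(package  = pkg,
       file     = tarball,
       expected = expected,
       actual   = unname(tools::md5sum(tarball)),
       ok       = verify_tarball_md5(tarball, expected))
}

# Offline demonstration on a constructed file: the untouched file passes,
# a modified copy fails, which is the case the check exists to catch.
demo_offline <- function() {
  f <- tempfile(fileext = ".tar.gz")
  writeLines("constructed sample content", f)
  good <- unname(tools::md5sum(f))
  stopifnot(verify_tarball_md5(f, good))
  writeLines("constructed sample content, modified", f)   # simulate tampering
  stopifnot(!verify_tarball_md5(f, good))
  invisible(TRUE)
}

demo_offline()
```

A matching sum only shows that the tarball arrived intact and is the same file the repository's index describes, since both the index and the tarball come from the same server over TLS; it says nothing about whether the package's code is benign, so it complements rather than replaces a review of the package itself in a risk analysis.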