It’s no big secret that the regulated industry of the life sciences is regarded as extremely conservative, detail-oriented and risk-averse. As a result, when compared to other industries, life science companies have been slower to adopt cloud-based solutions including SaaS, PaaS, and IaaS.
One of the reasons giving companies ‘cold feet’ when it comes to making the transition is due to concern over the shift in control regarding software, platform and infrastructure design and development. The traditional ways of implementing change control, configuration management, and logical security are challenged as responsibilities transfer towards the cloud service provider making changes in the system.
Despite reservations, more and more life science companies are recognizing the need to transition to cloud technologies in order to encourage innovation and to remain competitive. Cloud service providers can facilitate these customers’ transition to the cloud by being fully transparent about the standards and practices they follow. Providing this information reassures life science organizations that the service provider’s processes are in line with the expectations of GxP regulated industries.
Microsoft is no exception. Just like other cloud service providers, Microsoft must earn the trust of its customers and potential customers. For life science companies who are considering Office 365 as a business solution, here is a list of qualifying resources that may alleviate some of the concerns about Microsoft’s ability to provide Office 365 services in a manner that meets GxP expectations.
Office 365 functionality is affirmed by industry experts
Office 365 regularly (annually) undergoes independent audits by third-party accredited assessors. These audits cover several standards and security frameworks, including:
- SOC 1 Type II (SSAE 18)
- SOC 2 Type II (SSAE 18)
- ISO/IEC 27001:2013
- ISO/IEC 27017:2015
- ISO/IEC 27018:2014
- HITRUST
- FedRAMP (NIST SP 800-53 Rev. 4)
The latest certificates and audit reports are available to customers in Microsoft’s Service Trust Portal.
Although none of these certifications and attestations are specifically targeted for GxP compliance, their scope is closely aligned with the controls required to meet regulatory requirements, such as FDA 21 CFR Part 11 and EU Volume 4 Annex 11.
Office 365 customers have shared responsibilities with Microsoft to manage applicable controls. It is possible – and recommended – to review the controls identified within the certificates and audit reports, to map them to regulatory requirements, and to ensure that no compliance deficiencies are identified for activities carried out under Microsoft’s purview.
Contractual commitments are clear-cut
Life science companies are driven by regulatory guidance to establish mutual expectations of services delivery in a formal Service Level Agreement (SLA) or Quality Agreement.
Microsoft imparts SLA that describes their commitments regarding uptime and connectivity for Office 365 services, maintaining a financially-backed 99.9% uptime guarantee that your services and documents are available. Built-in diagnostic tools allow administrators to monitor Office 365 service health, including critical issues affecting service availability (active incidents) and posted advisories which help with application troubleshooting.
The SLA also describes the conditions for obtaining service credits and the process for submitting claims. Moreover, Microsoft publishes Online Services Terms (OST) which is updated monthly and explains Microsoft’s contractual commitments towards services delivery and protection of customer data.
The latest SLA and OST are publicly available for download on the Licensing terms page of Microsoft’s website. Microsoft’s SLA and OST are relevant and provide coverage of the commitments defined in a typical Quality Agreement.
Ample GxP training resources provided
Microsoft offers an Office 365 Training Center that provides a wide range of training material and online learning resources as a hub for “modern workplace training” to empower end users to comply with GxP regulations. The content is updated constantly to reflect the current spectrum of features and service offerings. Subscribers can find cheat sheets, videos, tips, guides, templates and more to learn the basics, get up to speed, and increase productivity.
As a platform for ongoing knowledge support, this provides customers with the opportunity to acquire the knowledge and skills needed to continuously use and maintain their collaborative Office 365 environment.
Transparent product roadmap updates
Transparency of upcoming updates is crucial to life science customers who have a traditional change control mindset and wish to evaluate changes before they are implemented.
The Office 365 Roadmap has recently been updated to become a part of the Microsoft 365 Roadmap, where the latest updates on products are shared in one consolidated place. The Microsoft 365 Roadmap lists planned updates on products, features, and services - providing foresight on updates that are in development. As an update in development gets closer to being rolled out and then launched, it is communicated to customers in detail via the Roadmap.
Detailed GxP Guidelines
The Microsoft Office 365 GxP Guidelines is a handbook written for life sciences organizations using Office 365 to manage GxP-regulated content. Containing a great amount of useful information, the document includes an overview of the processes and controls used by Microsoft to preserve the confidentiality, integrity and availability of customers’ data.
The Guidelines also provide an overview of key Office 365 features that customers should use to meet regulatory requirements and recommendations for validation. If you're interested in learning more on the topic, check out Chrysa's article on how to implement a risk-based approach to validating Office 365 and SharePoint Online.
Final Words
As discussed, Office 365 is a line of subscription services offered by Microsoft, a global leader in computing technologies making impressive strides in the life sciences space. Any concerns that life sciences organizations may have about security and data integrity in Office 365 for GxP content management are arguably unfounded.
Cloud compliance and data protection is part of Microsoft’s core business and it is inconceivable that a life sciences company (whose core business is not computing technologies) could ever have the same standard of resources and experts for data security as Microsoft does.
Many useful and reputable sources are available that demonstrate how Microsoft follows best practices and provides Office 365 services in a manner that meets GxP expectations. Life sciences organizations are encouraged to consult and leverage these resources as they seek to benefit from the full potential of cloud-based solutions, including Office 365. Our Office 365 Compliance Toolkits enable organizations in regulated industries to move towards operating in alignment with GxP compliance standards in the cloud.
