Life sciences organizations ranging from large global companies down to smaller industry players all face the same burdens of increasing cost pressure, fragmenting value chains, expanding regulatory compliance [expectations] and exploding content volumes1. Moreover, with an estimated $1B required to bring a new drug to market, it’s no wonder life sciences organizations are now looking to cloud computing as a way to keep costs in check while maintaining strict compliance.
Despite the many advantages of cloud-based computing, organizations are still finding it difficult and too risky to move their regulated applications into the cloud. A recent study conducted by OCR international found that of the life sciences organizations interviewed, a mere 15% of them were using the cloud for functions beyond sales and marketing.
Even with the benefits of cloud computing becoming clearer, it doesn’t come without its challenges (if it were that easy, then I probably wouldn’t be writing this article). According to recent research, the top cloud compliance challenges that life sciences organizations face are:
- Risk Aversion towards Computerized Systems Compliance
- Specific Requirements around Quality and Compliance
- Qualification and Validation Requirements
- Identifying and Documenting System Components
- Unclear on Ownership and Responsibility
- Ability to manage System Changes
Whether you’re new to cloud computing or looking to scale your existing IT strategy, you will need to have a good understanding of the key compliance challenges in the cloud. This article discusses these challenges and provides further insight and thoughts on how we can meet these challenges as an industry.
Risk Aversion in the Life Sciences towards computerized systems compliance
We’ve typically been a very conservative and risk-averse industry when it comes to computerized systems and compliance. This is something that we have to get past if we want to evolve as an industry. The introduction of new regulations and guidance will certainly help clarify the intent and thinking of the regulatory agencies when it comes to cloud computing.
How to combat this…
If we think back to when we wanted to leverage advancements in technology for such things as electronic signatures, this was equally unclear. Yet as an industry, we got together with the regulators to push forward e-signature controls that are now a fundamental part of how we manage content electronically in regulated companies. The message here is that we must look to affect change, not wait for it. Getting involved in industry groups such as ISPE who are actively working on cloud frameworks for GxP environments will help us move in the direction we want to go in.
Specific Requirements around Quality and Compliance
When we talk about the life sciences industry there are very specific requirements with regards to quality and compliance, and the different controls that we need to have in place. While some life science industry-specific cloud solutions exist, most cloud service providers are industry agnostic. There are often some ongoing regulatory compliance concerns with cloud service providers who don’t specifically serve the life sciences as they may not have the exact same controls as what we are typically used to seeing in a life sciences environment. It is important to understand what controls your cloud service providers (CSP’s) has in place to meet life science-specific requirements.
In addition, it is often the case that large cloud service providers that do not specifically cater to life sciences industry are not willing to allow individual customer audits of their facilities.
How to combat this…
To overcome this, it is important to look for life science vendors and cloud service providers (CSP’s) with specific expertise around the quality and compliance requirements within your environment. It’s important for you to understand how the CSP deals with disaster recovery and how often they undergo audits or certifications such as ISO or SOC which review their quality systems against industry standards. The cloud service provider may provide access to these audit and certification reports which can be leveraged as part of the vendor assessment. Some life sciences vendors may even provide statements of compliance that their cloud has the ability to satisfy the regulatory requirements for data integrity, disaster recovery, validation and so on.
Qualification & Validation
Traditionally, when looking to qualify environments we have focused on individual machines and specific hardware and software. With the cloud, this changes. When trying to understand compliance in the cloud we must look at the cloud as one machine that has been qualified, rather than individual infrastructure components. Let’s be clear, global regulations expect:
- Applications to be validated
- IT infrastructure to be qualified
- Data availability, integrity and security to be maintained
It’s important to remember that when outsourcing to 3rd parties, accountability for compliance remains with the regulated company, but compliance controls may be delegated to others with appropriate management control.
How to combat this…
Most reputable cloud platform providers like Microsoft will provide its customers with documentation that demonstrates the controls that they have in place to satisfy the requirements set forth by the regulatory agencies. This enables the life science software vendor or life science organization to leverage these controls and minimize the qualification and validation effort required.
Tip: GAMP and cross-industry guides such as ITIL, ISO 27001, IEEE, ASTM, TickIT, CMMI have provided guidance on application and infrastructure development, validation/qualification, operation, support and retirement. Reviewing these will enable you to build a big picture strategy for cloud qualification.
The regulated company should ensure that the controls are regularity audited or certified against industry standards to demonstrate that the hosted platform is maintained in a state of control that is in accordance with the applicable regulatory requirements. We have developed a cloud qualification guideline that could be useful here.
A risk assessment should be performed as part of the qualification and validation strategy to identify specific risks associated with hosting the GxP application in a cloud environment. The qualification and validation testing should be focused on areas that pose the highest risk.
Identifying and Documenting System Components
In order to be able to maintain control over computerized systems and to demonstrate compliance with regulations, we need to be able to identify and document the key system components. In Europe for example, Eudralex, Vol. 4 Annex 11 requires us to have a detailed description of the system that describes the principles, objectives security measures and scope of the system. When we start to think about the cloud this can be quite challenging as a lot of the components are managed by the cloud provider.
How to combat this…
Regardless of whether we are working with an on-premise or cloud solution, a system description document should be produced and maintained throughout the lifetime of the system. The scope of the system description could vary depending on the application type and whether it is being hosted in the cloud, but the overall purpose of the document remains the same. This document should identify the main system functionality, its regulatory impact, the system architecture, including the main components that make up the computing environment. It could also include a description of the system interfaces, how access is given to the system, as well as security features that are employed to protect data and records. The types of electronic records and associated electronic signatures created or managed within the system should also be described, if applicable.
The level of detail to which the system components are specified depends largely on the impact and risk associated with the system and its components. For example, in the case of a hosted application, where the vendor is completely responsible for managing the physical infrastructure, it is less critical to know the specific details about type of server on which the application is hosted, so long as this is adequately managed by the vendor under the terms of a legally binding contract, such as a Service Level Agreement (SLA).
Unclear on Ownership and Responsibility
It is sometimes unclear who is responsible for what when we are talking about the cloud. Often unclear ownership can lead to difficulties in maintaining compliance. Ultimately, the ability to demonstrate compliance with regulatory agencies is the responsibility of the regulated customer. The regulated customer may not be in control of certain aspects of the cloud environment, however, it is still important to demonstrate that due diligence has been performed and that the level of risk associated with this lack of control has been mitigated to an acceptable level.
How to combat this…
An SLA should be in place which clearly defines the cloud provider’s responsibilities with regards to maintaining system availability, integrity and security. The SLA should include key performance indicators which the regulated customer should verify periodically to ensure that the terms are being respected. Having clear accountability on how the cloud provider addresses your requirements will be critical in achieving and maintaining a compliant environment. Here’s a great visual representation released by ISPE that shows the increasing scope and risk for cloud providers and regulated companies.
Ability to Manage System Changes
By its very nature, cloud computing is subject to updates which are not necessarily in our control. We need to be able to adapt to that, affecting the way we structure and manage our change control process. However, understanding how these changes affect your business needs and if they may negatively impact your cloud environment is key to maintaining compliance.
How to combat this…
In an attempt to mitigate the risk of an unplanned change it’s important to request your cloud service provider (CSP) or your life science software vendor to give advanced notice prior to the application of software patches or updates. This will enable you to have redundancies in place to ensure that risks from patches and upgrades are minimal. You can also set up periodic meetings where the appropriate internal IT staff could approve and monitor the scheduled changes put forward by the cloud service provider.
There are still many challenges from moving from an on-premise to an on-cloud environment, however, as the cloud becomes more stable and more economically attractive we are seeing a shift towards cloud-based computing within the life sciences. More and more companies are starting to move regulated applications to this environment and are benefiting from increased scalability, lower costs, higher specification infrastructure and improved stability. There is also work ongoing, such as the SIG from ISPE, to develop frameworks to qualify and manage cloud-based environments. These frameworks will integrate existing standards and practices with the new cloud paradigm, paving the way for a cloud-based future for life sciences.