In today’s connected world, cloud technology has become a prevalent part of our everyday lives. With the global nature of drug development and clinical research, more life science organizations are looking to leverage solutions that can be used anytime, anywhere to support critical business processes.
With a lack of regulatory and industry guidance specific to the cloud, maintaining security in a multi-tenant environment, and a limited visibility of cloud service vendor’s quality controls - life sciences organizations are challenged as they transition to the cloud. However, in recent years cloud systems have played a big part in transforming and improving good life science (GxP) practices and adherence with the necessary regulatory requirements all while contributing to the reduction of commercialization timelines.
One such cloud system that has emerged as an ideal fit for the life sciences transition to the cloud is Microsoft’s Office 365 ecosystem. Let's uncover why Office 365 is an obvious choice for life science organizations as well as how to go about getting started with using the system to manage GxP content.
Why Microsoft Office 365?
Microsoft’s Office 365 ecosystem provides a rich feature set well suited for life science teams looking to create an environment for regulated and non-regulated content in one centralized location. Features such as user access control, permissions management, audit logs, co-authoring, automated workflows, and external sharing can support a broad range of life science activity while maintaining regulatory compliance.
The Office 365 GxP Guidelines, co-authored by Montrium’s Professional Services team, outlines a proven methodology for life sciences organizations looking to reduce the stress of cloud migration, maintain governance and continued system validation. The Guidelines cover a range of topics to help teams navigate the services, tools and capabilities available in the multi-tenant cloud.
As an extension of our knowledge from our long-standing partnership with Microsoft, life science organizations now have a comprehensive game plan when it comes to managing regulated content electronically in Office 365 and SharePoint Online as a tool to increase collaboration.
The main takeaways of the Guidelines are a combination of proven practices from existing life science customers and global industry standards to help you build out your own comprehensive cloud strategy for managing GxP content in Office 365.
1. Service Offerings Available in the Office 365 Cloud
Any life science team will bring specific needs and expectations to the table - whether that be managing both regulated and non-regulated content, security and privacy requirements for certain jurisdictions, user requirements specifications, etc. Once you’ve established your comprehensive list and defined your intended use of the system, explore Office 365 service offerings and options available to create, store, and manage your GxP regulated content.
The Guidelines specifically focus on the content management functionality of both Software-as-a-Service (SaaS) applications within Office 365; SharePoint Online and OneDrive for Business. Both applications can be configured to create secure content repositories for storing GxP content in compliance with many global regulations. Our recommended application of choice for managing regulated content is SharePoint Online, a critical component for streamlining document review and collaboration as well as reducing the approval workflow time.
2. Certifications and Attestations of the System
When considering moving GxP content to Office 365, teams that perform due diligence on the software service will be better positioned for achieving global compliance. Microsoft values establishing and retaining trust with their customers as a broadly-used cloud services provider within the heavily regulated life sciences industry.
While customers are unable to perform on-site audits of most enterprise cloud vendors, Office 365’s processes and controls are regularly audited and verified by trusted third parties for industry-relevant certifications and in-depth attestations for SOC 1 and SOC 2, ISO/IEC, HITRUST, and FedRAMP standards. The reports following the audits can only be accessed by customers, but anyone wanting to learn more on Microsoft’s cloud can visit the Trust Center.
By employing a security framework that comprises industry best practices across a number of global standards, Office 365’s compliance offering removes a large portion of the system qualification burden on customers. Now that warrants a big sigh of relief!
3. Shared Responsibilities Between Microsoft and the Customer
As is the case with most third-party SaaS offerings, Microsoft and its life sciences customers share responsibilities for meeting global regulatory requirements including FDA 21 CFR Part 11 and Eudralex Volume 4 Annex 11, data compliance legislation such as GDPR, as well as industry standards like ISPE’s GAMP 5. In this case, formal agreements are to be established between Microsoft and the customer that account for statements of responsibilities.
The key to achieving and maintaining a compliant cloud-based solution is having well-defined controls and processes to support those shared responsibilities. Life science customers are encouraged to follow recommended activities to protect the security and privacy of their data and are offered support by Microsoft’s Account Managers.
At the end of the day, customers are responsible for establishing proper data governance, access and account management. Yet a huge burden is relieved due to Microsoft handling all the maintenance and installation behind physical infrastructure (data center, network, hosts) and application controls. I’ll talk more on that subject later in this article.
4. Understanding Quality and Secure Development of Office 365
Those concerned over a limited visibility of Microsoft’s quality controls will be happy to know that Microsoft is quite transparent when it comes to quality and secure development of Office 365.
Life science organizations looking to leverage Office 365 should emphasize honing a deep understanding of the extensive controls, processes, and procedures across Office 365’s software development lifecycle (SDLC). Customers should verify that the platform functionalities are appropriately configured to mitigate risks and meet GxP requirements for hosting regulated content in the cloud.
Any concerns over data security in a multi-tenant environment are largely unfounded as with a comprehensive strategy in place, your data can benefit from multiple layers of security and governance technologies, operational practices, and compliance policies in the system.
To support operations and system maintenance, customers can also use the Security & Compliance Center to monitor user activities, security threats, and incidents that may result in data loss. Customers are also able to access Microsoft’s Security Policy to learn how Microsoft takes active measures to protect customer data. This seems like a win-win to me!
5. Implementing a GxP Compliance Life-Cycle
The secure development of the Office 365 system fosters a supportive technical environment which the customer can leverage to help maintain a state of control over their GxP regulated data.
Given shared responsibilities, implementing an effective governance and compliance strategy in Office 365 means defining technical and procedural controls to satisfy your internal policies and regulatory requirements. From authorizing users, configuring an audit log, viewing relevant activity to enforcing retention rules, configuring role-based access and scheduling routine evaluations of the service - these controls demonstrate that your content is managed with proper data integrity.
Part of your shared responsibility as a customer also means developing a permissions strategy to maintain security, keep control over the environment, reduce maintenance costs, and ensure compliance with your data governance policies.
6. The Validation of GxP Applications
How is it possible to manage business priorities with the added responsibility of proving that you are working in a qualified, validated cloud environment? With so many process owners and stakeholders added to the everyday trial process, this can spiral into a task that is incredibly difficult to manage.
A large concern of those looking to adopt cloud technology is validating continuous changes to the application. To mitigate this problem, Microsoft as a vendor is responsible for change management around implementing software, hardware, and network changes that support the Office 365 applications in use. Microsoft also takes a risk-based, progressive approach to validation, with targeted releases for customer’s power users tested before deploying a standard release for all users. Montrium’s Chrysa Plagiannos has written in more depth on how organizations can apply a risk-based approach to validating Office 365 (and SharePoint Online).
Coming back to shared responsibilities, the customer should determine the appropriate validation strategy associated with their existing GxP processes for continued validation over their subscription period. Customers should refer to the most recent licensing terms and commitments on Microsoft’s behalf such as a Service Level Agreement for legal backing that the service can fulfill your requirements for security, availability, integrity, confidentiality, etc.
Microsoft has made impressive strides in eHealth solutions to build industry confidence around Office 365 as a compliant cloud system. But as is often the case when working with third-party solutions, customers must implement technical and procedural controls to support validation and governance for their specific use cases. Teams that leverage resources and proven methodologies will accelerate the process of moving to Office 365 while minimizing the burden of transitioning GxP content.
Whether you are looking to make Office 365 a major part of your IT strategy or are simply just curious about this topic, we highly recommend attending the Office 365 in the Life Sciences: The Compliance Playbook webinar series hosted by Montrium's Professional Services team. Montrium has developed Office 365 Cloud Compliance Toolkits to support vendor assessment, validation, and governance efforts of those interested in leveraging Office 365 cloud services for regulated business processes.