home > > autumn 2014 > secure environment

Secure Environment

Companies are required to ensure and prove that their promotional materials comply with regulatory guidelines relating to computerised systems, such as the FDA’s 21 CFR Part 11, the US Health Insurance Portability and Accountability Act, and Annex 11 in the EU. The need to demonstrate this has led to a surge in interest in cloud-based computing systems for compliance management.

Most life sciences companies cite data security as their biggest fear when considering the adoption of a cloud system. However, many completely fail to give due consideration to the need to actively maintain a validated compliant environment.

The Cloud and Pharma

Research from the International Data Corporation shows that 71% of all businesses in North America are already using, planning or researching cloud-based computing (1). In contrast, 54.6% of pharmaceutical companies are not using such services, despite the recognised advantages that these systems bring to the management of life sciences data. These benefits include:

  • Enabling compliance across multiple applications
  • Providing a platform for collaboration within large multi-site and multi-geography organisations, and the seamless sharing of content within a controlled environment between various stakeholders
  • Enabling the management and use of Big Data, digital materials and social media
  • Reducing IT infrastructure maintenance costs and capital expenditure

In the pharma industry, the cloud is being utilised throughout the entire product lifecycle, from clinical research right through to the management of post-approval promotional materials. The cloud lends itself to the management of such materials that require a standard process for their development, authorisation and storage, as well as being subject to the rigorous regulatory requirements relating to elements such as electronic records and signatures, healthcare data privacy and contingency planning, and business resilience.

So why is pharma lagging behind other industries in cloud adoption, particularly when it comes to promotional materials? There are a number of misconceptions that commonly emerge when discussing cloud computing solutions in pharma. These often lead either to failure to adopt, or to the deployment of an incorrect cloud-based system for the application in question, thus reinforcing the previously held misconceptions.

Myth 1: Maintaining Validation with a Cloud is Virtually Impossible

This myth arises out of the experience of multi-tenant cloud users. Multi-tenant systems use vendor-provided architecture where all users’ data reside in the same environment without physical segregation. When the vendor provides patches and upgrades to the system, all clients are subject to that change automatically; this affects the core application code base and therefore moves each client’s validated instance into an unvalidated state. Such an environment is clearly sub-optimal for managing compliant data and processes.

Conversely, in a private cloud environment, each client has its own code base and secure data repository, separate from those of other clients. This means that deployment patches and upgrades can be conducted at a time that suits each client individually. Cloud systems are practical and proven environments which enable users to stay ahead of validation requirements and maintain a state of validated compliance.

However, these controls require the provider to have the technical and procedural controls in place to define their operation. Regulatory bodies demand that third-party providers implement and follow a formal quality system, such as ISO 9001:2008. To accomplish this, in advance of an upgrade, they must leverage validation support documentation from the cloud provider, on areas including:

  • Application software testing (pre-release functionality testing based on the client’s configuration)
  • Application installation (installation qualification)
  • User acceptance testing/performance qualification test scripts (to validate the entire system architecture at point of use)

Phrases such as ‘validated out of the box’, ‘validation ready’ and ‘pre-validated’ are often synonymous with vendor-acquired solutions. These assertions should, however, be carefully analysed to ensure that the level of validation is consistent with the FDA’s requirements for computer systems.

The FDA expects the final, deployed version of the solution to be validated, thus a vendor’s claim of pre-validation alone will not be acceptable. In fact, the FDA has an expectation that the acquirer confirms the whole cloud computing solution is validated.

Myth 2: Private Cloud Environments Take Longer to Implement

Multi-tenant systems are sometimes marketed as being made available pre-validated for installation and operational qualification, in order to streamline customers’ system validation efforts. While this means that the cloud system can be in the hands of a user quickly, it does not result in ultimate time savings. The client must attempt to anticipate the provider’s patch and upgrade schedule in order for the system to remain continuously validated.

If a private cloud is deployed, more time is needed up-front to plan a validation strategy, but this enables the creation of controls to ensure the system remains in a validated state in the long term.

Myth 3: The Biggest Issue When Specifying a Cloud Solution is Data Security

A literature review conducted in 2012 found that, when deployment of a cloud system in life sciences was being considered, data security, privacy and integrity were named as the biggest areas of concern in 70% of cases (2). However, security should not be the major issue; in reality, many studies have shown that secure cloud services are now available which unequivocally support security, privacy and audit requirements necessary for comprehensive compliance (3).

Validation and compliance should be the critical factors when scoping out a cloud platform for post-approval materials. The controls and auditing requirements of the regulatory landscape – specifically, 21 CFR Part 11 and Annex 11 – mean that any cloud system selected needs to maintain a secure architecture environment, to ensure the integrity of data and electronic signatures.

Myth 4: It is Not Possible to Ensure Data Security, Privacy and Integrity in a Cloud Environment

Ensuring Security of Data

As private clouds are customer-owned, they offer a more secure environment because they can only be used by their owners; and as large IT organisations discover potentially harmful issues with public cloud systems, many are now considering their own private infrastructures (4). This trend is echoed in the life sciences industry, with Deloitte noting: “Private cloud services are used only by their owners, and thus can provide the most secure environment. Private clouds are typically the starting point for most life sciences implementations” (3).

Ensuring Security of Software

All servers and applications must be protected through appropriate, logistical security measures. Special consideration must be given to processes such as user authentications and user access restrictions, intrusion prevention security systems, and full back-up and disaster recovery protection systems.

Ensuring Security of Data Centre

Firstly, attention must be given to physical security, in terms of the protection of the data centre itself, through to appropriate personnel staffing and site security. Thought should also be put towards environmental factors; in cases such as natural disasters, appropriate systems must be installed in order to prevent major data losses.

Myth 5: You Cannot Segregate Your Data From Another Company’s Using the Cloud

A single-tenant, private cloud environment allows users’ software to be segregated from another company’s, as each client has its own code base. A private architecture enables the establishment of logical and physical boundaries and controls around the data, setting permissions with regards to who can have access to the computing environment.

Securing the Future

In summary, private cloud environments provide a secure solution that enables data to be segregated, and functionality changes to be safely, effectively and productively managed, in order to remain in a continuously validated state. Because life sciences companies are ultimately responsible for the authenticity and security of their data within the compliance framework, businesses should be focused on mapping out a validation framework to ensure that a solution can remain validated for the long term, and that all requirements are accounted for.


1. Hanover J and Knickle K, Advancing cloud computing in North American manufacturing and health: From IT efficiency to business innovation, 2013
2. Saleem Y et al, High security and privacy in cloud computing paradigm through single sign on, Life Science Journal 9(4), 2012
3. Goverman I, Weitz C and Hall J, Cloud computing: Prime time for life sciences, Deloitte, April 2013
4. Ruth G, Private cloud storage favoured by IT organizations, Gartner, 2012

James Brown is founder and Chief Executive Officer of Zinc Ahead, a leading provider of cloud-based compliance solutions for the life sciences industry. Having graduated with a degree in Biochemistry from Nottingham University in 1992, James spent nine years at Merck & Co in sales and marketing roles, before leaving in 2001 to start Zinc Ahead. Over the last 13 years, Zinc has firmly established itself as the gold-standard compliance solution for life sciences companies, and now employs over 125 staff across its six global offices.
©2000-2011 Samedan Ltd.