home > epc > autumn 2014 > secure environment
European Pharmaceutical Contractor

Secure Environment

Companies are required to ensure and prove that their promotional materials comply with regulatory guidelines relating to computerised systems, such as the FDA’s 21 CFR Part 11, the US Health Insurance Portability and Accountability Act, and Annex 11 in the EU. The need to demonstrate this has led to a surge in interest in cloud-based computing systems for compliance management.

Most life sciences companies cite data security as their biggest fear when considering the adoption of a cloud system. However, many completely fail to give due consideration to the need to actively maintain a validated compliant environment.

The Cloud and Pharma

Research from the International Data Corporation shows that 71% of all businesses in North America are already using, planning or researching cloud-based computing (1). In contrast, 54.6% of pharmaceutical companies are not using such services, despite the recognised advantages that these systems bring to the management of life sciences data. These benefits include:

  • Enabling compliance across multiple applications
  • Providing a platform for collaboration within large multi-site and multi-geography organisations, and the seamless sharing of content within a controlled environment between various stakeholders
  • Enabling the management and use of Big Data, digital materials and social media
  • Reducing IT infrastructure maintenance costs and capital expenditure
In the pharma industry, the cloud is being utilised throughout the entire product lifecycle, from clinical research right through to the management of post-approval promotional materials. The cloud lends itself to the management of such materials that require a standard process for their development, authorisation and storage, as well as being subject to the rigorous regulatory requirements relating to elements such as electronic records and signatures, healthcare data privacy and contingency planning, and business resilience.

So why is pharma lagging behind other industries in cloud adoption, particularly when it comes to promotional materials? There are a number of misconceptions that commonly emerge when discussing cloud computing solutions in pharma. These often lead either to failure to adopt, or to the deployment of an incorrect cloud-based system for the application in question, thus reinforcing the previously held misconceptions.

Myth 1: Maintaining Validation with a Cloud is Virtually Impossible

This myth arises out of the experience of multi-tenant cloud users. Multitenant systems use vendor-provided architecture where all users’ data reside in the same environment without physical segregation. When the vendor provides patches and upgrades to the system, all clients are subject to that change automatically, which affects the core application code base and therefore repositions the clients’ validated instance into an invalidated status. Such an outcome is clearly a sub-optimal environment for managing compliant data and processes.

Conversely, in a private cloud environment, different clients benefit from a separate code base and secure data repository from one another. This means that deployment patches and upgrades can be conducted at a time that suits each client individually. Cloud systems are practical and proven environments which enable users to stay ahead of validation requirements and maintain a state of validated compliance.

However, these controls require the provider to have the technical and procedural controls in place to define their operation. Regulatory bodies demand that third-party providers implement and follow a formal quality system, such as ISO9001: 2008. To accomplish this, in advance of an upgrade, they must leverage validation support documentation from the cloud provider, on areas including:

  •  Application software testing (pre-release functionality testing based on the client’s configuration)
  • Application installation (installation qualification)
  • User acceptance testing/performance qualification test scripts (to validate the entire system architecture at point of use)
Phrases such as ‘validated out of the box’, ‘validation ready’ and ‘pre-validated’ are often synonymous with vendor-acquired solutions. These assertions should, however, be carefully analysed to ensure that the level of validation is consistent with the FDA’s requirements for computer systems.

The FDA expects the final, deployed version of the solution to be validated, thus a vendor’s claim of pre-validation alone will not be acceptable. In fact, the FDA has an expectation that the acquirer confirms the whole cloud computing solution is validated.

Myth 2: Private Cloud Environments Take Longer to Implement

Multi-tenant systems are sometimes marketed as being made available pre-validated for installation and operational qualification, in order to streamline customers’ system validation efforts. While this means that the cloud system can be in the hands of a user quickly, it does not result in ultimate time savings. The client must attempt to anticipate the provider’s patch and upgrade schedule in order for the system to remain continuously validated.

If a private cloud is deployed, more time is needed up-front to plan a validation strategy, but this enables the creation of controls to ensure the system remains in a validated state in the long term.

Myth 3: The Biggest Issue When Specifying a Cloud Solution is Data Security

In a literature review conducted in 2012, when considering deploying a cloud system in life sciences, data security, privacy and integrity were named as the biggest areas of concern in 70% of cases (2). However, security should not be the major issue; in reality, many studies have shown that secure cloud services are now available which unequivocally support security, privacy and audit requirements necessary for comprehensive compliance (3).

Validation and compliance should be the critical factors when scoping out a cloud platform for post-approval materials. The controls and auditing requirements of the regulatory landscape – specifically, 21 CFR Part 11 and Annex 11 – mean that any cloud system selected needs to maintain a secure architecture environment, to ensure the integrity of data and electronic signatures.

Myth 4: It is Not Possible to Ensure Data Security, Privacy and Integrity in a Cloud Environment

Ensuring Security of Data

As private clouds are customer-owned, they offer a more secure environment because they can only be used by their owners; and as large IT organisations discover potentially harmful issues with public cloud systems, many are now considering their own private infrastructures (4). This trend is echoed in the life sciences industry, with Deloitte noting: “Private cloud services are used only by their owners, and thus can provide the most secure environment. Private clouds are typically the starting point for most life sciences implementations” (3).

Ensuring Security of Software
All servers and applications must be protected through appropriate, logistical security measures. Special consideration must be given to processes such as user authentications and user access restrictions, intrusion prevention security systems, and full back-up and disaster recovery protection systems.

Ensuring Security of Data Centre

Firstly, attention must be given to physical security, in terms of the protection of the data centre itself, through to appropriate personnel staffing and site security. Thought should also be put towards environmental factors; in cases such as natural disasters, appropriate systems must be installed in order to prevent major data losses.

Myth 5: You Cannot Segregate Your Data From Another Company’s Using the Cloud

A single-tenant, private cloud environment allows users’ software to be segregated from another company’s, as each client has its own code base. A private architecture enables the establishment of logical and physical boundaries and controls around the data, setting permissions with regards to who can have access to the computing environment.

Securing the Future

In summary, private cloud environments provide a secure solution that enables data to be segregated, and functionality changes to be safely, effectively and productively managed, in order to remain in a continuously validated state. Because life sciences companies are ultimately responsible for the authenticity and security of their data within the compliance framework, businesses should be focused on mapping out a validation framework to ensure that a solution can remain validated for the long term, and that all requirements are accounted for.


1. Hanover J and Knickle K, Advancing cloud computing in North American manufacturing and health: From IT efficiency to business innovation, 2013
2. Saleem Y et al, High security and privacy in cloud computing paradigm through single sign on, Life Science Journal 9(4), 2012
3. Goverman I, Weitz C and Hall J, Cloud computing: Prime time for life sciences, Deloitte, April 2013
4. Ruth G, Private cloud storage favoured by IT organizations, Gartner, 2012

Read full article from PDF >>

Rate this article You must be a member of the site to make a vote.  
Average rating:

There are no comments in regards to this article.

James Brown is founder and Chief Executive Officer of Zinc Ahead, a leading provider of cloud-based compliance solutions for the life sciences industry. Having graduated with a degree in Biochemistry from Nottingham University in 1992, James spent nine years at Merck & Co in sales and marketing roles, before leaving in 2001 to start Zinc Ahead. Over the last 13 years, Zinc has firmly established itself as the gold-standard compliance solution for life sciences companies, and now employs over 125 staff across its six global offices.
James Brown
Print this page
Send to a friend
Privacy statement
News and Press Releases

Turkish Cargo maintains its dual-terminal operations seamlessly

Completing the gradual transition process to Istanbul Airport, one of the largest airports of the world, the global air cargo brand Turkish Cargo maintains its dual-terminal operations with full capacity on 7/24 basis without any sales restriction.
More info >>

White Papers

Medpace Reference Laboratories establishes state of the art Flow Cytometry techniques for flexible approaches to clinical trials across multiple therapeutic areas.


Cytometry is the process of measuring the properties of individual cells. These properties may include gene or protein expression, chemical properties, deoxyribonucleic acid (DNA) content, and various cellular functions. The earliest methods of cytometry relied upon light microscopy for the classification and observation of cells and cellular components. Microscopy permitted direct visual observation of cells for the first time, leading to the classification of cells by morphology and insight into cellular functions. However, the time required for microscopic analysis constrains the number of samples or number of cells in each sample that can be examined. Therefore, the utility of microscopy for analysis of rare cells or in situations where sample throughput is a priority is limited. Flow cytometry was developed largely to improve upon these limitations.
More info >>

Industry Events

Nordic Life Science Days 10/12 September 2019

10-12 September 2019, Malmo Sweden

Nordic Life Science Days is the largest Nordic partnering conference for the global Life Science industry. Bringing together the best talents in Life Science, offering amazing networking and partnering opportunities, providing inputs and content on the most recent trends. Nordic Life Science Days attracts leading decision makers from the Life Science sector, not only from biotech, pharma and medtech but also from finances, research, policy and regulatory authorities.
More info >>



©2000-2011 Samedan Ltd.
Add to favourites

Print this page

Send to a friend
Privacy statement