Paul Attridge at 2016 Knowledge and Network Day

Epista Life Science

/@epistalifescience6136

Published: November 11, 2016

Insights

This video provides an in-depth exploration of the compliance challenges and vendor assessment requirements facing the Life Science industry as it shifts toward a data-centric IT model utilizing regulated cloud environments. Paul Attridge, Senior Director at Veeva Vault R&D Europe, offers a vendor's perspective on how pharmaceutical and biotech companies can maintain data integrity and regulatory adherence while adopting cloud solutions. The core premise is that the cloud introduces new variables, but the fundamental need for rigorous supplier control remains paramount, stressing that cloud vendors must be treated exactly like any other general supplier providing solutions to a regulated environment.

The presentation details several critical areas for customer due diligence. First, addressing the common anxiety around data residency, Attridge clarifies that customers must actively engage with vendors to ensure data is stored in a location suitable for their regulatory needs, countering the perception that cloud data is "just anywhere." Second, security is highlighted as a foundational requirement, specifically demanding dual-level encryption: data must be encrypted both while housed in storage (at rest) and while being transmitted across the internet (in transit). Customers must be able to test and verify the efficacy of both encryption layers to assure confidence in the security controls.

The discussion also focuses heavily on vendor qualifications, emphasizing that a robust Quality Management System (QMS) is essential for any cloud provider in this space. The QMS must govern the vendor's environment, development processes, and infrastructure management to ensure consistency and compliance. Furthermore, given that cloud provision is a relatively new field, vendor experience is critical, as the provider must understand the business-critical nature of regulated data and the specific regulatory controls in place. Attridge concludes by emphasizing that the relationship with a cloud vendor is a long-term partnership built on trust, recommending that customers vet vendors based on verifiable certifications, accreditations, and their preparedness for emerging regulations such as the EU GDPR.

Key Takeaways:

  • Rigorous Vendor Assessment is Mandatory: Customers must treat cloud vendors with the same level of control and scrutiny applied to traditional general suppliers, ensuring comprehensive oversight of their processes and infrastructure, especially when handling regulated data.
  • Demand Specific Data Residency Confirmation: Contrary to popular belief, cloud data location is not arbitrary. Customers must actively discuss and confirm with vendors that the physical location of their data storage meets all necessary regulatory and jurisdictional requirements.
  • Verify Dual-Layer Encryption: Security protocols must include encryption for data both at rest (while stored on servers) and in transit (while transmitted over the internet), and customers must have the ability to test and assure the efficacy of both layers.
  • QMS is the Foundation of Compliance: A vendor must possess a mature and verifiable Quality Management System (QMS) that manages their development lifecycle, infrastructure, and operational environment, which is vital for maintaining GxP compliance.
  • Prioritize Experience in Regulated Business: Because cloud technology is relatively new, customers must select vendors who demonstrate deep experience and understanding of the specific regulatory controls and business-critical nature of life sciences data.
  • Leverage SOC Reports for Due Diligence: Vendors must be prepared to provide Service Organization Control (SOC) reports, specifically Type 1 and Type 2, which enable customers to perform their own assessment of the vendor's internal controls and compliance posture.
  • Assess Regulatory Foresight: Vendors should demonstrate active preparation and adherence to evolving global regulatory frameworks, such as the upcoming EU GDPR regulations, ensuring their platform remains compliant with future standards.
  • Trust is Built on Certifications: Long-term trust is established through verifiable credentials. Customers should look for standard security certifications and accreditations that validate the vendor's quality management processes and security controls.
  • Subscription Model Ensures Vendor Attention: The subscription nature of cloud services means vendors must continuously work hard to retain the customer, often resulting in a high level of ongoing engagement and attention that customers should leverage to ensure service quality.
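The data-residency, dual-layer encryption and SOC-report points above are the kind of checks a customer can run mechanically against what a vendor states in its security questionnaire before the deeper audit starts. The following is an added example, not code from the talk or from Veeva: the vendor records, the customer requirements and the assessment date are all constructed, and the field names of `VendorAttestation` are an assumption about how such an attestation might be captured.

```python
"""First-pass automated review of a cloud vendor's stated controls against a
customer's requirements: data residency, encryption at rest, minimum TLS
version in transit, and currency of the SOC reports on file.
Added example; all vendor data below is constructed, not a real attestation."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class VendorAttestation:
    name: str
    data_regions: list        # every region where customer data is stored or replicated
    at_rest_encryption: str   # algorithm the vendor states for storage, e.g. "AES-256"
    min_tls_version: str      # lowest TLS version accepted on customer-facing endpoints
    soc_reports: dict         # report name -> end date of the audited period
    certifications: list = field(default_factory=list)


@dataclass
class CustomerRequirements:
    allowed_regions: set
    accepted_at_rest_algorithms: set
    min_tls_version: str
    required_soc_reports: set
    max_soc_report_age_days: int = 365   # a report older than this no longer evidences current controls


def _tls_tuple(version: str) -> tuple:
    """'TLSv1.2' -> (1, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("v")[-1].split("."))


def assess_vendor(vendor: VendorAttestation, reqs: CustomerRequirements, today: date) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    # Data residency: every region that holds the data must be on the approved list.
    bad_regions = [r for r in vendor.data_regions if r not in reqs.allowed_regions]
    if bad_regions:
        findings.append(f"data stored outside approved regions: {bad_regions}")

    # Encryption at rest: the stated algorithm must be one the customer accepts.
    if vendor.at_rest_encryption not in reqs.accepted_at_rest_algorithms:
        findings.append(f"at-rest encryption not acceptable: {vendor.at_rest_encryption}")

    # Encryption in transit: the weakest TLS version the vendor still accepts is what matters.
    if _tls_tuple(vendor.min_tls_version) < _tls_tuple(reqs.min_tls_version):
        findings.append(f"endpoints accept {vendor.min_tls_version}, below required {reqs.min_tls_version}")

    # SOC reports: each required report must exist and cover a recent enough period.
    for report in sorted(reqs.required_soc_reports):
        period_end = vendor.soc_reports.get(report)
        if period_end is None:
            findings.append(f"missing {report} report")
        elif (today - period_end).days > reqs.max_soc_report_age_days:
            findings.append(f"{report} report is stale (period ended {period_end})")

    return findings


# Constructed customer requirements for a regulated EU deployment.
REQS = CustomerRequirements(
    allowed_regions={"eu-west-1", "eu-central-1"},
    accepted_at_rest_algorithms={"AES-256"},
    min_tls_version="TLSv1.2",
    required_soc_reports={"SOC 1 Type 2", "SOC 2 Type 2"},
)
TODAY = date(2016, 11, 11)

# Constructed vendor records: one that meets the requirements, one that does not.
VENDOR_OK = VendorAttestation(
    name="Vendor A (constructed)",
    data_regions=["eu-west-1"],
    at_rest_encryption="AES-256",
    min_tls_version="TLSv1.2",
    soc_reports={"SOC 1 Type 2": date(2016, 6, 30), "SOC 2 Type 2": date(2016, 6, 30)},
    certifications=["ISO 27001"],
)
VENDOR_WEAK = VendorAttestation(
    name="Vendor B (constructed)",
    data_regions=["eu-west-1", "us-east-1"],   # replica outside the approved jurisdictions
    at_rest_encryption="none",
    min_tls_version="TLSv1.0",                 # still accepts a deprecated protocol version
    soc_reports={"SOC 2 Type 2": date(2015, 3, 31)},   # SOC 1 absent, SOC 2 report stale
)

if __name__ == "__main__":
    for vendor in (VENDOR_OK, VENDOR_WEAK):
        result = assess_vendor(vendor, REQS, TODAY)
        print(vendor.name, "->", "PASS" if not result else result)
```

A clean result here is only a gate for the real work: the talk's point is that the customer must be able to test the controls, so each attestation line (regions, algorithm, TLS floor) should then be verified against the live service and the report contents, not just the questionnaire.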

Tools/Resources Mentioned:

  • Veeva Vault R&D (Example of a regulated cloud solution)
  • SOC Type 1 and Type 2 (Service Organization Control reports)

Key Concepts:

  • Data Integrity: The core principle ensuring the accuracy, consistency, and reliability of data throughout its lifecycle, which is complicated by the transition to cloud infrastructure in regulated sectors.
  • Regulated Cloud Environment: The use of cloud services (SaaS, PaaS, IaaS) for handling GxP data, necessitating specific controls for security, validation, audit trails, and compliance with regulations like 21 CFR Part 11.
  • Quality Management System (QMS): The formal system used by vendors to manage their development, infrastructure, and operational processes to ensure consistent quality and regulatory adherence.
  • Data-Centric IT Approach: A strategic shift in IT infrastructure that prioritizes the management and sharing of data over the maintenance of individual, siloed systems, driven by modern regulatory requirements (e.g., IDMP, UDI).
  • Encryption (At Rest and In Transit): The essential security measure ensuring that sensitive data is protected both when stored on servers and when actively moving across networks.