Tuesday, 5 December 2017

Preparing for an MHRA Inspection Part 3: Disaster Recovery Planning



In my last blog, I talked about considerations around systems and data backup when preparing for an MHRA inspection. Today I wanted to talk in more depth about disaster recovery.

With the best planning in the world, sometimes the unexpected does happen. We only have to look at the chaos caused in the NHS by the Wannacry ransomware attack to see the operational and commercial impact that computer systems downtime can cause. As such, disaster recovery planning is something that may well come under the spotlight at an MHRA inspection; it is also a subject that is increasingly being raised at audits which your customers may be carrying out on their supply chain.

The MHRA inspector is likely to be looking to see that you have the appropriate incident response and recovery plans in place to handle such a situation. Part of this will be about having a technical disaster recovery plan in place that ensures you can recover your data and systems successfully and in a timely manner. Equally importantly, there also need to be plans in place to cover how you would operate in the interim and how you would communicate details of an IT failure to customers, staff, suppliers and the relevant regulator(s) to minimise the financial and reputational damage to your firm. Bear in mind that, in such a situation, many of the systems you normally rely on for your communications such as emails or contact databases may be unavailable, so the plan needs to provide for alternative ways to access these details and contact these people.

And to bring the subject of disaster recovery planning into perspective, whilst many pharmaceutical companies I talk to tend to associate IT downtime with large events such as fires or floods, the reality is that the majority of IT downtime has much more mundane causes, which can include hardware failures, loss of power, cyber security breaches (such as ransomware attacks) and software failures. And in many cases the downtime is considerable. For example, according to Intermedia, 72% of companies infected with ransomware suffer two days or more without access to their files, while 32% are locked out of their files for at least 5 days.

Whether an outage is caused by ransomware, hardware failure, software failure or a wider scale disaster, it is critical in this situation that the disaster recovery plan is going to work effectively and in a timely manner. I find many businesses that put together a disaster recovery plan some years ago and left it in the fireproof safe ever since, without testing or updating. My experience is that this document needs to be constantly evolving, as use of technology in pharmaceuticals has moved on rapidly, and what was an acceptable recovery plan even a year or two ago may now be totally inadequate. In addition, systems are constantly changing, with software updates and security fixes being installed on a regular basis, all of which can impact on the technical success of a recovery.

So in order to ensure ongoing compliance and relevance, I always recommend that the board of pharma companies we work with continually reassess and test their plans around resilience, backup and disaster recovery, against the operational needs of their business and their regulatory compliance obligations. Some points to consider would include:

1. How long could your business manage without access to each of its IT systems and data repositories?

This is likely to vary from system to system; for example you may be able to tolerate no downtime on your email, but it may be acceptable for an archived projects folder to be restored within 72 hours. So your disaster recovery plan needs to consider each system and data repository that you use, assessing how long your business could cope without access to that system or data repository.

2. How much data, if any, could you afford to lose?

For each IT system and data repository you need to be clear how much data loss, if any, would be acceptable to the business, in both commercial and regulatory terms, and tailor your backup and disaster recovery plans accordingly. If no data loss is acceptable, then a real-time replication solution should be considered, as part of a multi-layered backup approach (see more details in this blog). If some data loss is acceptable in a disaster scenario, then backups which run daily or hourly may be acceptable.

3. Does your current disaster recovery plan accurately reflect 1 and 2 above?

Your disaster recovery plan needs to be designed such that your objectives around downtime and data loss as defined above can be met.

4. Would your plan work if used “in anger” and are you able to demonstrate this in an inspection? 

In order to ensure success it is vital that the disaster recovery plan is tested on a regular basis. Testing, in my experience, almost always highlights errors or omissions in the plan which would cause an issue in a live disaster recovery invocation. Whether that’s a practical problem (something technical or operational in the plan doesn’t work) or whether it reveals that the time taken to carry out the recovery does not meet business objectives, or that all data cannot be recovered successfully, testing is paramount to provide the peace of mind that the plan will actually work when used “in anger”. Tests of disaster recovery plans also need to be documented, so there is clear evidence that plans exist, testing has been conducted, the plan has been shown to meet business and regulatory requirements and that any necessary remedial actions highlighted by the test have been actioned.

5. What is the process for reviewing and updating your disaster recovery plan?

With our use of technology constantly evolving, and regular changes to legislation, it is important that plans around backup and disaster recovery are regularly reviewed and re-assessed against the commercial and operational needs of the business, as well as regulatory compliance requirements such as GxP, GDPR and HIPAA.
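Points 1 to 4 above amount to a per-system comparison of what the business can tolerate against what the tested plan actually delivers. The script below is an added illustration, not Connexion's tooling or anything from the original post: it records, for each system, the tolerable downtime and acceptable data loss (the standard terms are recovery time objective and recovery point objective), then checks the documented recovery capability against them, including whether the plan has been tested recently and whether a point-in-time restore exists. All system names, figures and thresholds are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Business requirement for one system or data repository (points 1 and 2 above).
@dataclass
class Requirement:
    name: str
    max_downtime_h: float    # longest outage the business could tolerate (RTO)
    max_data_loss_h: float   # longest window of lost work that is acceptable (RPO); 0 = none

# What the documented recovery plan actually delivers for that system (point 3),
# with the figures taken from the last test rather than from the plan's wording (point 4).
@dataclass
class Capability:
    name: str
    backup_interval_h: float          # gap between restorable copies; 0 = real-time replication
    restore_time_h: float             # measured in the last test, from invocation to users working
    point_in_time: bool               # can restore to before a corruption, not only the latest copy
    last_test_days_ago: Optional[int] # None = never tested


def assess(req: Requirement, cap: Optional[Capability], max_test_age_days: int = 365) -> List[str]:
    """Return the gaps between one requirement and its recovery capability (empty = compliant)."""
    if cap is None:
        return [f"{req.name}: no recovery capability documented"]
    findings = []
    if cap.restore_time_h > req.max_downtime_h:
        findings.append(f"{req.name}: tested restore takes {cap.restore_time_h}h, "
                        f"business tolerates {req.max_downtime_h}h")
    if cap.backup_interval_h > req.max_data_loss_h:
        findings.append(f"{req.name}: copies taken every {cap.backup_interval_h}h, "
                        f"business accepts losing at most {req.max_data_loss_h}h")
    if not cap.point_in_time:
        # A replica alone copies a corruption straight across; a point-in-time restore is still needed.
        findings.append(f"{req.name}: real-time copy only, no point-in-time restore")
    if cap.last_test_days_ago is None:
        findings.append(f"{req.name}: plan has never been tested")
    elif cap.last_test_days_ago > max_test_age_days:
        findings.append(f"{req.name}: last test {cap.last_test_days_ago} days ago, "
                        f"limit is {max_test_age_days}")
    return findings


def assess_plan(reqs: List[Requirement], caps: Dict[str, Capability]) -> Dict[str, List[str]]:
    return {r.name: assess(r, caps.get(r.name)) for r in reqs}


def plan_meets_objectives(results: Dict[str, List[str]]) -> bool:
    return all(not gaps for gaps in results.values())


# Constructed inventory: the email and archive cases mirror the examples in point 1.
REQUIREMENTS = [
    Requirement("Email", max_downtime_h=1, max_data_loss_h=0),
    Requirement("LIMS", max_downtime_h=4, max_data_loss_h=1),
    Requirement("Archived projects", max_downtime_h=72, max_data_loss_h=24),
    Requirement("HR database", max_downtime_h=24, max_data_loss_h=24),
]
CAPABILITIES = {
    "Email": Capability("Email", backup_interval_h=0, restore_time_h=0.5,
                        point_in_time=False, last_test_days_ago=30),
    "LIMS": Capability("LIMS", backup_interval_h=24, restore_time_h=6,
                       point_in_time=True, last_test_days_ago=400),
    "Archived projects": Capability("Archived projects", backup_interval_h=24,
                                    restore_time_h=48, point_in_time=True,
                                    last_test_days_ago=200),
    # "HR database" deliberately has no documented capability.
}

if __name__ == "__main__":
    results = assess_plan(REQUIREMENTS, CAPABILITIES)
    for system, gaps in results.items():
        print(system, "OK" if not gaps else "")
        for gap in gaps:
            print("  -", gap)
    print("Plan meets objectives:", plan_meets_objectives(results))
```

The output is the evidence an inspector asks for in point 4: one line per system stating either that the tested capability meets the business objective or exactly where it falls short.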

I hope this has given you a useful insight into some of the key areas to consider around disaster recovery planning when preparing for an MHRA inspection. If, having read this article, you are concerned that your current disaster recovery plan may not be fully compliant, or may no longer meet your business needs, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss ways that Connexion can help, which include providing independent consultancy as well as (where required) implementing technologies and processes to ensure your disaster recovery plans meet your regulatory obligations and your business needs.

_________________________________________________________________________________

Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size Pharmaceuticals, Clinical Research organisations, Biotechnology and Medical Device companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' businesses. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks and maintaining regulatory compliance. For more information about our services for pharmaceutical businesses please visit our website http://www.connexion.co.uk/pharmaceuticals/

Tuesday, 21 November 2017

Preparing for an MHRA Inspection Part 2: Data and Systems Backup Procedures



In my earlier blog, 5 Key Considerations for an MHRA Inspection, I outlined some of the key questions to think about regarding data security, data integrity, data retention, data backup and disaster recovery when preparing for an MHRA inspection. Since then a number of you have been in touch with questions, so I thought it would be useful to elaborate further on this topic. In today’s article I wanted to focus on backup, as I find that there can be much confusion about effective, compliant backup, and it is quite common for organisations to think their data is safely backed up, only to find, when a problem arises which causes them to revert to their backup, that for any number of reasons it doesn’t work as they anticipated. As such, backup frequently comes under the spotlight at an MHRA inspection and is also a subject that is increasingly being examined by pharma companies’ clients as part of their supply chain due diligence.

There are a whole host of reasons why you need to back up your systems and data, for example to protect against:-

• Ransomware attacks
• Deletions – accidental or malicious
• Data corruption
• Hardware failures
• Software problems
• Fire, flood or natural disaster

Having effective backup strategies in place to mitigate these types of risks is a requirement for GxP, HIPAA and GDPR compliance.

It is important to realise that there are many different types of backup, and they each provide protection against one or more of the above scenarios, but they do not all necessarily provide full protection against every scenario, so it may well be appropriate to deploy several different layers of backup.

A few things to think about include:-

• If you are using removable media (hard disks or tapes) to back up your system, where do you store your backups? If they are onsite, then there is a danger that a fire or natural disaster, say, that incapacitates your live system could also wipe out your backup system. If you store them offsite, what is the procedure for recalling them to site in a disaster and how long would it take to retrieve them?

• How often do you back up your data? If it is only nightly, then in a disaster you could lose up to a whole day’s work. What are your procedures to re-create this data? What about emails that have been lost? Would this be acceptable to the business, to the regulator and to your clients? If the answer is No, then you need to review the frequency at which you are taking backups.

• Are your backups permanently connected to your live system (e.g. hard disks or online backup that presents itself as a drive on your machine or server)? If so, in the case of a ransomware attack, there is the danger that your backups could be encrypted as well as your live system and effectively rendered useless.

• How many copies of your backups do you hold? Some organisations rely on a real-time cloud based backup or replication to another server to hold up-to-date backup data. Whilst this is very useful in some scenarios (e.g. a server hardware failure), as it ensures there is no data loss, in other scenarios it may not work well at all – for example a data corruption that affects your live system will be immediately replicated to your cloud backup or standby server, thereby rendering it useless. It is therefore important that you also have a process in place that allows you to restore your data back to a given point-in-time: in this example, to before the corruption occurred.

• Then there’s the question of what to restore your backups onto, which is something not everyone considers. In the case of a deletion, data corruption or ransomware attack you can restore your data back onto your existing hardware. But in the case of a hardware failure, flood, fire or natural disaster, you may no longer have server(s) to restore your backups onto. Purchasing new hardware and restoring backups onto it is no small task and you can expect to be without your data and IT systems for several days if you haven’t pre-planned for this scenario.

• This brings me onto the difference between data and systems backups, which is a fine distinction that is not always appreciated, but can make a huge difference in the event of an entire system needing to be restored. With data backups alone, whilst you have copies of your data, you do not have copies of your entire servers, which contain operating systems, software applications, settings, user IDs, policies and a myriad of other configuration settings as well as your data. Data backups provide excellent protection against things like data deletion, but do not provide a quick and easy way to recover a working IT network in the event of a complete server failure or fire, flood or natural disaster. In this case, if the recovery is to be in any way timely, you really need to be looking at a backup that takes a complete image of your entire server, not just your data.

• Finally, any data recovery will only be successful if your backups have worked in the first place. I am constantly surprised by the number of businesses who fall foul of this and believe they have a working backup until the day they need to recover some data, or their entire system, when they find that those backups haven’t worked in full or in some cases at all. Having a business process in place to monitor the success of backups is paramount, as is regular testing to ensure the integrity and restorability of your backups.
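The last two points, monitoring that backups actually ran and testing that what they contain can be restored intact, are the ones most easily automated. The script below is an added illustration and not part of the original post or of any backup product: it reads a constructed backup-job log in an assumed format, flags jobs whose most recent run failed, whose last good copy is older than the interval the business decided on, or which have no successful run at all, and then checks a test restore against the checksum manifest recorded at backup time. All job names, timestamps and file contents are constructed.

```python
import hashlib
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed backup-job log. Assumed line format (not any vendor's real format):
#   <ISO timestamp> job=<name> status=<OK|FAILED|WARNING> files=<count>
SAMPLE_LOG = """\
2017-11-20T01:00:00 job=fileserver-image status=OK files=184233
2017-11-21T01:00:00 job=fileserver-image status=OK files=184310
2017-11-21T06:00:00 job=lims-db status=OK files=1
2017-11-21T07:00:00 job=lims-db status=FAILED files=0
2017-11-21T08:00:00 job=lims-db status=FAILED files=0
2017-11-19T02:00:00 job=mail-archive status=WARNING files=9021
"""

# How often each job must produce a good copy, from the business's data-loss decisions.
# "hr-db" is listed but has no log entries at all, which the check must also catch.
EXPECTED_INTERVAL_H = {"fileserver-image": 24, "lims-db": 1, "mail-archive": 24, "hr-db": 24}


def parse_log(text: str) -> List[dict]:
    """Parse the assumed log format into one record per run."""
    runs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        runs.append({"time": datetime.fromisoformat(timestamp), "job": fields["job"],
                     "status": fields["status"], "files": int(fields["files"])})
    return runs


def backup_health(runs: List[dict], expected_interval_h: Dict[str, float],
                  now: datetime) -> Dict[str, List[str]]:
    """Per job, list why its backups cannot currently be relied upon (empty = healthy)."""
    issues: Dict[str, List[str]] = {job: [] for job in expected_interval_h}
    for job, interval in expected_interval_h.items():
        job_runs = sorted((r for r in runs if r["job"] == job), key=lambda r: r["time"])
        if not job_runs:
            issues[job].append("no runs recorded at all")
            continue
        latest = job_runs[-1]
        if latest["status"] != "OK":
            issues[job].append(f"most recent run ended {latest['status']}")
        successes = [r for r in job_runs if r["status"] == "OK"]  # WARNING is not a good copy
        if not successes:
            issues[job].append("no successful run recorded")
            continue
        age_h = (now - successes[-1]["time"]).total_seconds() / 3600
        if age_h > interval:
            issues[job].append(f"last good copy is {age_h:.1f}h old, expected every {interval}h")
    return issues


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed live files; the manifest of their hashes is what the backup job records.
ORIGINAL_FILES = {
    "batch_records/2017-11.csv": b"batch,status\nB1701,released\nB1702,on-hold\n",
    "sops/SOP-042-backup.pdf": b"%PDF-1.4 constructed placeholder content\n",
    "audit_trail/lims.log": b"2017-11-20 user=qa1 action=approve batch=B1701\n",
}
MANIFEST = {path: sha256_hex(data) for path, data in ORIGINAL_FILES.items()}

# What a test restore actually produced: one file silently truncated, one missing.
RESTORED_FILES = {
    "batch_records/2017-11.csv": b"batch,status\nB1701,released\n",
    "sops/SOP-042-backup.pdf": ORIGINAL_FILES["sops/SOP-042-backup.pdf"],
}


def verify_restore(manifest: Dict[str, str], restored: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Compare a test restore against the manifest; a file that merely exists is not enough."""
    problems = []
    for path, expected in manifest.items():
        if path not in restored:
            problems.append((path, "missing from restore"))
        elif sha256_hex(restored[path]) != expected:
            problems.append((path, "content differs from backup manifest"))
    return sorted(problems)


if __name__ == "__main__":
    now = datetime(2017, 11, 21, 9, 0, 0)
    for job, problems in backup_health(parse_log(SAMPLE_LOG), EXPECTED_INTERVAL_H, now).items():
        print(job, "healthy" if not problems else problems)
    for path, reason in verify_restore(MANIFEST, RESTORED_FILES):
        print("restore check:", path, reason)
```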

I hope that this article has helped to highlight that data and systems backup is actually a complex issue, which almost always requires a multi-layered approach, combined with structured business processes, to be successful. Connexion have been working with Pharmaceutical companies for over 2 decades to help them leverage technology successfully, whilst carefully managing risks to the business, and ensuring regulatory compliance, through a highly structured and managed approach to delivering IT. If, having read this article, you are concerned that your current backup strategy may not be fully compliant, or may no longer meet your business needs, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss ways that Connexion can help, which include undertaking an independent audit of your backup procedures, and/or providing technologies and processes that ensure your backups meet your regulatory obligations and your business needs.

Tuesday, 17 October 2017

How to Protect your Pharma Business from Cyber Threats: Think like a Hacker!



With so many pharma businesses I speak to concerned about cyber security threats, and the potentially devastating compliance and reputational consequences of a data breach or ransomware attack, I today wanted to explain some of the more sophisticated ways you can mitigate the risks around these threats.

In understanding how Pharma businesses can protect themselves against the reputational damage and the MHRA, GDPR and HIPAA compliance breaches that will occur if they experience a cyber-attack, it is important firstly to understand the different types of cyber-attack that exist. These broadly fall into two categories: commodity attacks and bespoke attacks.

Commodity Attacks

Commodity attacks are where cyber criminals use widely available tools that exploit known vulnerabilities in software or operating systems in order to hack into your system or compromise it.

These types of attacks are easy to deploy and don’t need much technical knowledge. Indeed, some of the most destructive types of cyber-attacks, such as ransomware, are now widely available for would-be cyber criminals to purchase as an off-the-shelf package and deploy as they wish. This type of ransomware-as-a-service means that cyber criminals need minimal technical knowledge and have the opportunity to make plenty of quick and easy money.

So it is little wonder that this type of threat is becoming more and more prevalent. In fact a recent survey by Kaspersky showed that the number of ransomware attacks on businesses tripled last year, with a company now being hit with ransomware every 40 seconds. The same survey showed that 71% of companies targeted by ransomware attacks have been infected.

We now also have the situation where the more sophisticated hackers are making a point of reverse engineering security fixes that vendors like Microsoft bring out to patch newly discovered security loopholes. This means that unless you have applied the security fixes to every device on your network very promptly, there is a real danger that you will be compromised.

As the motivation behind these sort of attacks is generally about making money, whether that be through demanding ransoms to give you back your data or through stealing confidential information to sell it on, the cyber-criminal is generally not picky who he targets and as such commodity attacks tend to be widespread.

Bespoke Attacks

While the vast majority of cyber security attacks are commodity attacks, a small number are bespoke attacks. These are very different, as they are attacks where cyber criminals target one or more individual companies for a specific reason e.g. to steal IP, or cause reputational damage.

Again cyber criminals will start by using commodity attack tools to find out if there is an easy way to compromise your system. In many cases this will provide a route in, but if not, then the cyber criminals will take time to research your organisation, your security, individual employees, social media activities and much more through a wide range of digital reconnaissance and sometimes physical reconnaissance measures and then develop bespoke hacking tools to attempt to breach your defences. These types of attacks are carried out by much more sophisticated and determined cyber criminals.

So how can Pharma companies manage their risk around Cyber Threats?

Well, putting yourself into the mindset of the cyber-criminal is a really good starting place. He or she is going to be looking for known vulnerabilities in your system through which they can get in. These vulnerabilities are a constantly moving target, because software updates are coming out from software application vendors, operating system vendors like Microsoft and security software vendors the whole time. So the scary reality of the situation is that while your data may be fully protected at 9am this morning, by 10am you may be vulnerable.

So the key here is to be constantly, in real-time, scanning your system for vulnerabilities, using the same tools that the cyber-criminal is using. This way you see your network through the eyes of the hacker and can pre-empt his next move. Of course, the quantity and skillset of human resources required to do this manually would be cost prohibitive for most small and medium sized companies. However, we are now working with Pharma businesses to implement new automated real-time unified security management systems which carry out just this function. So rather than a vulnerability scan being carried out on the network say once a year (which provides a useful benchmark, but only tells you that your data is secure at that one moment in time), these systems carry out a continuous vulnerability scan on your system, all day, every day. Such continuous vulnerability scanning allows risks to be highlighted immediately, and reported back in real-time to our Security Operations Centre. Working with our clients we then ensure these latest security loopholes are closed down immediately, so that your organisation is kept one step ahead of the cyber criminals.

I hope this article has given you some useful insight into the approach of cyber criminals and the ways you can minimise your risk of becoming a target of cyber-crime. If you would like to find out more about this topic, or you would like information on our continuous vulnerability scanning solution or would like to arrange a one-off vulnerability scan of your network to see how your cyber defences currently measure up, then please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when it will be my pleasure to speak with you.


Tuesday, 3 October 2017

Cyber Security in Pharma: Practical Ways to Manage Risk and Gain Competitive Advantage


In my last blog, I talked about one of the key ways I believe Pharma companies can differentiate themselves from their competitors, as well as addressing challenges around GxP and GDPR compliance, and that is by tackling the thorny issue of cyber security.

We only have to open a newspaper or turn on the news these days to hear about some new cyber threat which has caused major disruption to businesses, and there is increasing pressure in Pharma to ensure that everyone in the supply chain has taken adequate measures to protect their business from cyber threats, since it only takes one organisation in the supply chain to be unable, for example, to ship product, for widespread disruption and reputational damage to occur to all parties.

So today I wanted to talk about practical ways in which pharma companies can implement effective cyber security policies, processes and technologies that will dramatically reduce their risk and help to elevate them above their competitors and put them at the front of the queue to win more contracts.

Firstly, I would say that it is vital that a joined-up approach is taken to cyber security management, as in the ever evolving threat landscape, it is nowhere near enough to just be relying on one or two technical measures like some anti-virus software and a firewall. Rather the company’s cyber security strategy must involve the Board, as well as technical personnel, and be formulated as an integrated suite of risk management measures encompassing business processes, technologies, staff training and procedures.

As a starting point, I always recommend that pharma companies we are working with look at the Cyber Essentials scheme, a government-backed, industry supported scheme to help organisations protect themselves against common cyber-attacks. Whilst by no means protecting against every possible threat, the cyber essentials scheme does provide a framework for good practice around cyber security, covering five technical controls:
1. Boundary firewalls
2. Secure configuration
3. User access control
4. Malware protection (including ransomware)
5. Patch management
Already the government requires all suppliers bidding for certain sensitive and personal information handling contracts to be certified against the Cyber Essentials scheme, and there is no doubt in my mind that this will become the de facto standard which one day every business in the UK will have to achieve, as organisations increasingly demand that everyone in their supply chain is certified to at least this minimum standard of cyber security management. In the interim period though, those Pharma companies who choose to implement these types of standards and accreditations early on are immediately giving themselves a competitive advantage, by presenting themselves as a low risk option to their potential customer and winning more points in tenders by demonstrating they are taking cyber security threats seriously and acting accordingly.

We are already in the throes of working with several of our clients to implement Cyber Essentials, which, aside from the obvious commercial benefits, they see as having a plethora of other business benefits including assisting with MHRA and HIPAA compliance, demonstrating care of personal data for GDPR compliance purposes and ensuring that their company’s risk of suffering costly downtime and/or reputational damage is minimised.

Whilst Cyber Essentials won’t protect your business against every possible cyber threat – and in my next blog I will go on to talk about the different types of threats that exist in more detail, and some of the more sophisticated ways you can mitigate the risks around these threats – it certainly provides a very good foundation as the first step towards good practice in cyber security management.

If you would like more information on the Cyber Essentials scheme or you would like to explore ways in which you can successfully manage your business risk around cyber security and gain competitive advantage, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss how Connexion can help.


Tuesday, 19 September 2017

How your Pharma Company can win more business and address key GDPR and MHRA compliance challenges



Perhaps this sounds too good to be true, but my experience working with pharmaceutical companies has shown me that there is a key area where Pharma companies can gain competitive advantage today, putting themselves in a strong position to win contracts over their competitors, while simultaneously addressing key compliance challenges in relation to GDPR, GxP and HIPAA.

So what is this area?

Well it’s the subject that’s increasingly worrying the government, business owners and directors in every sector: namely Cyber Security.

So how does effective cyber security management help pharmaceutical businesses to win more contracts? Well, in selecting a supplier, every potential customer of your firm is going to be carrying out due diligence to ensure your firm is safeguarding data as it should be, and is demonstrating best practice in relation to managing cyber threats. After all, the last thing your customer wants is for their supply chain to grind to a halt because, for example, a ransomware attack has meant you can no longer produce or ship product.

And recent ransomware attacks like Wannacry and Petya which have hit the headlines by causing major disruption in healthcare and pharmaceuticals, with organisations such as the NHS, Merck and Reckitt Benckiser being affected, will only serve to make your prospective customers more aware of these issues, and the risks they pose to their business, if they, or anyone in their supply chain, falls victim to such an attack.

Already the government requires all suppliers bidding for certain sensitive and personal information handling contracts to be certified against the Cyber Essentials scheme, a government-backed, industry supported scheme to help organisations protect themselves against common cyber-attacks (more about which in my next article). But it is clear to me that these types of accreditations and requirements are only set to continue and grow, as they inevitably percolate all the way up through the supply chain.

Then, on the other side of the coin, there is the reputational damage that a cyber-security issue causes to your firm. If you have had a high profile data breach (and let’s bear in mind that GDPR imposes an obligation on you to declare breaches within 72 hours, so a breach is going to be high profile), then how will it impact on your prospective customer’s decision making process when they are evaluating whether or not to work with your organisation? What does it say about your company procedures? Your risk management processes? Your ability to safeguard your data and theirs? And ultimately your ability to deliver to your customers?

So if your company can demonstrate they have in place effective risk management processes and technologies in relation to cyber-security then you have clearly placed yourself in a very powerful position to secure new business, since your prospective customer is immediately re-assured that he is minimising the risk in his supply chain.

And there is a dual benefit here, because effectively addressing cyber security challenges also ticks many compliance boxes, since GxP, HIPAA and GDPR all have requirements surrounding effective protection of your data from cyber security threats.

So the same business processes and technologies that will help you win more business, will also help you to address key challenges around GxP data integrity, MHRA inspections, compliance with the HIPAA security rule and safeguarding the personal data your company holds under GDPR.

I hope by now you will agree that effective cyber security management is pivotal to commercial success. But just how do pharma companies achieve the holy grail of effective cyber security risk management, in today’s constantly evolving, and increasingly complex threat landscape? There’s no doubt, it’s a complex issue that requires a specialist skillset and a multi-faceted approach – but for those Pharmaceutical businesses willing to make the investment in people with the right skills, along with the right technologies, the commercial opportunities to get ahead abound.

In my coming blogs I will be discussing practical ways in which pharma companies can implement effective cyber security policies, processes and technologies that will dramatically reduce their risk and help to elevate them above their competitors and put them at the front of the queue to win more contracts. If in the meantime, you have any questions, or you would like to explore how Connexion can help your company win more business through effective cyber security management, then please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call.


Tuesday, 15 August 2017

GDPR Compliance for Pharmaceuticals: Controlling Access to Your Data

In my previous blogs I talked about 6 Key Issues to Consider in Preparing your Pharmaceuticals business for GDPR compliance and the importance of understanding just where your confidential data actually is. Since then, I’ve had several requests for more information on this topic, so I thought it would be useful to put pen to paper again and share some more information.

Securing your data in readiness for GDPR broadly falls into two categories – access control (effective security for authorised users) and cyber security (protection against unauthorised access). Today I am going to talk about the former, as having good access control systems lies at the heart of successfully protecting your pharmaceutical company’s data, and forms an important part of preparing your company’s information systems for GDPR compliance.

GDPR places accountability on pharmaceutical firms to have in place policies, procedures and documentation that demonstrate the personal data they hold is stored securely. Bear in mind that personal data is anything that identifies an EU citizen, which can be as simple as a name or email address, so it quickly becomes apparent that this is likely to cover the vast majority of a company’s data.

Therefore, for each piece of data that you hold, it is important to understand, and have documented, who has access to that data and what level of access they have. Bear in mind that it is best practice to give each user the minimum access they require to do their job. Allowing staff wider access to data puts you at greater risk of a data security breach, data corruption or data loss through incidents such as accidental deletion, a ransomware attack or malicious insider threats.

As well as having SOPs in place to handle the IT access control requirements of new starters, it is also important that there are procedures in place to cover what happens when somebody leaves the company or changes role.

Appropriate password policies are also very important. If policies allow passwords to remain unchanged indefinitely, or allow staff to choose an easily guessable password, then there is a danger that data security will be compromised, which does not demonstrate the level of care and protection of your confidential data that GDPR demands. Equally, there is a fine balance to be struck: overly complex password policies, which demand long and complex passwords that change frequently, can result in staff feeling the need to write their passwords down, and passwords recorded on sticky notes certainly don't demonstrate due care of confidential data under GDPR!

Nowadays, it is also likely that external organisations or third parties have legitimate access to some of your data. Such access needs to be secured in just the same way, so that you are clear who has access to what data, why this is needed and how it is controlled. There also need to be procedures in place to review, amend and remove access for third parties as business relationships evolve and change.

Mobile and remote working present a whole additional set of challenges to IT security, with the potential for copies of data or emails to be residing on all kinds of devices, both company owned and employee or third-party owned, which do not necessarily conform to the company’s security standards. Developing policies around mobile working, and ensuring there is no leakage of data or unauthorised access to it, forms a critical part of compliance nowadays. Policies and technologies also need to be implemented to protect against data breaches from mobile devices that are lost or stolen.

Finally, bear in mind that it is not just your main company-wide IT systems that fall under the GDPR. Any indexed system that contains personal data is subject to the legislation, so do make sure you are also including in your access control procedures any spreadsheets or databases that have been developed by an individual or department and which contain personal data.

Over coming blogs, I will be exploring in more depth some of the key issues around GDPR compliance for pharmaceuticals. In the meantime, if you are concerned about your company’s GDPR compliance position, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk and I will be happy to arrange a no obligation conference call to discuss how Connexion can help.

If you would like to read other articles in our series of informational resources for directors of Pharmaceutical companies, please visit our blog at http://ITinPharma.blogspot.co.uk


Tuesday, 1 August 2017

GDPR Compliance for Pharmaceuticals: Just Where is your Confidential Data?

This may sound like an odd question, as I’m sure many of you will be certain you know just where all your confidential and personal data is held. But do you really?

A pharmaceutical company’s data is precious. Not only does it contain personal data like names and contact details of clients and employees, which are governed by the Data Protection Act and forthcoming GDPR legislation, it also likely contains medically confidential details of patient health information. Then there may be clinical trial data, not to mention a wealth of commercially confidential details of contracts, agreements, research, IP and email correspondence.

And the startling reality nowadays is that your business data may well be scattered across the world. Yes, some of it will certainly be residing (hopefully securely) on your in-house servers. But what about the proliferation of company and employee owned portable devices such as laptops, tablets and smartphones which now hold company data and/or emails?

And then there’s data that has been shared with business partners and other third-party organisations. And data that has, for whatever reason, found its way onto file sharing services like Dropbox or USB sticks.

There are also copies of data taken for backup purposes. And do bear in mind this is not just your scheduled backups of your in-house servers, but can be backups that you may not even be aware of, such as automatic cloud backup software installed on employee owned devices, which may be copying confidential company data to an unknown provider’s cloud storage, in an unknown location, unbeknown to anyone.

Then there is the cloud. The cloud has revolutionised the way many businesses store their data, but in doing so has also globalised the way data is stored, with many providers distributing data across servers worldwide in order to optimise costs.

So do you really know where all your data is held? And does it matter?

Well, the more widespread and less controlled your data is, the more vulnerable you leave your business to a security breach. And this has implications on many levels: firstly, it does not demonstrate due care of personal data under GDPR, and that in turn has the potential to lead to massive financial and reputational damage once GDPR comes into force in May 2018. Additionally, uncontrolled data presents a problem from an MHRA inspection standpoint around data security and data integrity. And if that wasn’t bad enough, for those of you based in or doing business in the US, it also raises questions around HIPAA compliance in relation to data integrity, availability and confidentiality. And on a commercial level, of course, there are also major issues around the need to guard your business’ competitive IP.

So understanding what data you hold, where it is stored and who has access to it is absolutely critical. This in turn needs to be documented, both so that the Board has an understanding of, and control over, the company's data and to provide documentation for compliance and audit purposes. This not only puts businesses back in control of their valuable data, but minimises the risk of a security breach and takes the first step towards preparing for GDPR compliance.

Over coming blogs, I will be exploring in more depth some of the key issues around GDPR compliance for pharmaceutical companies. In the meantime, if you are concerned about your business’ GDPR compliance position, please do not hesitate to contact me on 0118 920 9600 or email jstratton@connexion.co.uk and I will be happy to arrange a no obligation conference call to discuss how Connexion can help.



Tuesday, 18 July 2017

GDPR Compliance for Pharmaceuticals: 6 Key Issues to Consider

The new EU General Data Protection Regulation (GDPR) comes into effect in May 2018 and represents the most radical change in data protection legislation in the last 20 years. GDPR has been developed to reflect the changing use of data in the digital world in which we now live, and is designed to enable citizens to benefit from modern digital services, whilst providing sound, well formulated and properly enforced data protection safeguards to help mitigate risks and inspire public confidence in how their information is handled by businesses, third parties, the state and public service providers.

Failure to comply will have potentially catastrophic implications for companies, for two reasons:

1. For any breach, the UK regulator, the ICO, will be able to levy fines of up to €20 million or 4% of your annual turnover, whichever is the higher.

2. Breaches have to be notified to the data protection authority and, in some cases, to the consumers affected, without delay. This leaves the business concerned highly exposed to brand damage and potential customer payouts.

Whilst pharmaceutical businesses already have onerous MHRA compliance responsibilities to meet in relation to the protection and integrity of data, many may still need to broaden their security measures and precautions in order to meet GDPR, as well as ensuring that they have in place the necessary written SOPs and can provide documentary evidence to demonstrate compliance.

So what do pharmaceutical businesses need to be doing to prepare for GDPR?

Well, this is a big question and one I will be exploring in more detail in coming blogs, but to give you a flavour, the type of things you should be considering include:

1. Identify what personal data you are holding. Bear in mind personal data can be as simple as an individual's name, email address or reference number. This is vital because you need to be able to demonstrate that you are protecting this data and using it appropriately. So understanding what you have and where it is forms the first step towards compliance.

2. Identify threats to this data. This could include things like cybercrime, accidental loss by employees, deliberate theft by employees, industrial espionage, lost devices and unauthorised access to data. This is vital if companies are to avoid the substantial fines that can be levied for unauthorised access to, or disclosure of, personal information.

3. Invest in and implement the right technologies and business processes to deal with insider and external threats to data. This will involve a wide raft of technologies to provide protection from a range of different threats, coupled with effective, documented business processes. This is very important if you are to avoid data breaches and the associated potential for crippling fines and reputational damage.

4. Put together a new or updated data protection policy and train employees on it. This is important as everyone in your organisation needs to understand their obligations under GDPR and how to make themselves fully compliant.

5. Put in place processes for ongoing education for all members of staff around cyber security and data protection. Because the cyber security landscape is constantly changing, it is very important that employees are constantly kept up-to-date with best practice around security and data protection.

6. Create a breach notification plan. This is important because if the worst should happen, and you do experience a data breach under GDPR, you need to have a clear plan to deal with it and communicate it as smoothly and accurately as possible, and with the least possible damage to your business.

Over coming blogs, I will be exploring in more depth some of the key issues around GDPR compliance for pharmaceutical companies. In the meantime, if you are concerned about your business’ GDPR compliance position, please do not hesitate to contact me on 0118 920 9600 or email jstratton@connexion.co.uk and I will be happy to arrange a no obligation conference call.

Tuesday, 4 July 2017

5 Key IT Considerations for an MHRA Inspection

Preparing for an MHRA inspection is always a stressful time, and one where I frequently get asked by our pharmaceuticals clients for advice on best practice in relation to IT systems.

Computerised systems are an area where MHRA inspectors often find deficiencies; indeed, the recently released “MHRA GMP Inspection Deficiency Data Trend 2016” revealed that in the 324 GMP inspections conducted in 2016, a total of 120 Computerised Systems deficiencies were cited.

So today I thought it would be useful to highlight some of the key areas to think about when you are preparing your information systems for an MHRA inspection.

1. IT Security

Who has access to your systems and data, both within and outside the company? What level of access does each system user have? How is this reviewed? What SOPs do you have for starters and leavers? How is your network secured from threats like malware, ransomware and hackers? What are your procedures for applying security updates to your systems? What safeguards and procedures do you have in place around mobile working? What are your procedures around physical security of your servers and IT equipment? How do you manage secure disposal of old PC and server equipment? How is all of this documented? How are your procedures updated in the light of a constantly changing cyber security landscape?

2. Data Integrity

How do you ensure that your data does not get changed or erased? Do you transfer data manually between different systems? If so, how do you ensure the data is the same in both systems? How do you stop outsiders accessing your system to change, delete or steal data? Does any of your data go outside your organisation and, if so, how is this controlled and secured? How is all of this documented?

3. Data Archiving and Retention

How long is data kept for? How is archived data kept safe? Do you have automated archiving/deletion processes? If so, do the archiving/retention policies in place tie in with your written documentation around data retention times? Is it held in a format/on media that is still readable?

4. Backup

How is your data backed up? Where are the backups held? Would a disaster potentially destroy your backups as well as your live systems? How often are backups taken? Who is responsible? How much data would you lose if you had to recover from your backups? How long would it take to restore your backups? Are you able to restore back to a specific point in time? How are your backup procedures documented?

5. Disaster Recovery

Who is responsible? Do you have a written disaster recovery plan? Where is it stored? How often is it reviewed? When was it last tested? What was the outcome? How long would a total disaster recovery of your systems take? Would it be successful? How would you operate in the interim? How much data would be lost? How would it be communicated? How is all of this documented?

In future blogs, I will be exploring in more depth some of the key issues around successful use of IT in pharmaceuticals, including issues around MHRA, GxP and HIPAA compliance. In the meantime, if you are concerned about your business’s compliance position in regard to IT systems, please do not hesitate to contact me on 0118 920 9600 or email jstratton@connexion.co.uk and I will be happy to arrange a no obligation conference call.