Preparing for an MHRA inspection is always a stressful time, and
one where I frequently get asked by our pharmaceuticals clients for advice on
best practice in relation to IT systems.
Computerised systems are an area where MHRA inspectors often find
deficiencies, indeed the recently released “MHRA GMP Inspection Deficiency Data
Trend 2016” revealed that in the 324 GMP inspections conducted in 2016, a total
of 120 Computerised Systems deficiencies were cited.
So today I thought it would be useful to highlight some of the key
areas to think about when you are preparing your information systems for an
MHRA inspection.
1. IT Security
Who has access to your systems and data, both within and outside the company? What level of access does each system user have? How is this reviewed? What SOPs do you have for starters and leavers? How is your network secured from threats like malware, ransomware and hackers? What are your procedures for applying security updates to your systems? What safeguards and procedures do you have in place around mobile working? What are your procedures around physical security of your servers and IT equipment? How do you manage secure disposal of old PC and server equipment? How is all of this documented? How are your procedures updated in the light of a constantly changing cyber security landscape?
2. Data Integrity
1. IT Security
Who has access to your systems and data, both within and outside the company? What level of access does each system user have? How is this reviewed? What SOPs do you have for starters and leavers? How is your network secured from threats like malware, ransomware and hackers? What are your procedures for applying security updates to your systems? What safeguards and procedures do you have in place around mobile working? What are your procedures around physical security of your servers and IT equipment? How do you manage secure disposal of old PC and server equipment? How is all of this documented? How are your procedures updated in the light of a constantly changing cyber security landscape?
2. Data Integrity
How do you ensure that your data does not get changed or
erased? Do you transfer data manually between
different systems? If so how do you ensure the data is the same in both
systems? How do you stop outsiders accessing your system to change, delete or
steal data? Does any of your data go outside your organisation and if so how is
this controlled and secured? How is all of this documented?
3. Data Archiving and Retention
3. Data Archiving and Retention
How long is data kept for?
How is archived data kept safe? Do you have automated archiving/deletion
processes? If so, do the
archiving/retention policies in place tie-in with your written documentation
around data retention times? Is it held in a format/on media that is still
readable?
4. Backup
How is your data backed up? Where are the backups held? Would a disaster potentially destroy your backups as well as your live systems? How often are backups taken? Who is responsible? How much data would you lose if you had to recover your backups? How long would it take to restore your backups? Are you able to restore back to a specific point-in-time?. How are your backup procedures documented?
5. Disaster Recovery
Who is responsible? Do you have a written disaster recovery plan? Where is it stored? How often is it reviewed? When was it last tested? What was the outcome? How long would a total disaster recovery of your systems take? Would it be successful? How would you operate in the interim? How much data would be lost? How would it be communicated? How is all of this documented?
In future blogs, I will be exploring in more depth some of the key issues around successful use of IT in pharmaceuticals, including issues around MHRA, GxP and HIPAA compliance. In the meantime, if you are concerned about your business’s compliance position in regard to IT systems, please do not hesitate to contact me on 0118 920 9600 or email jstratton@connexion.co.uk when I will be happy to arrange a no obligation conference call.
How is your data backed up? Where are the backups held? Would a disaster potentially destroy your backups as well as your live systems? How often are backups taken? Who is responsible? How much data would you lose if you had to recover your backups? How long would it take to restore your backups? Are you able to restore back to a specific point-in-time?. How are your backup procedures documented?
5. Disaster Recovery
Who is responsible? Do you have a written disaster recovery plan? Where is it stored? How often is it reviewed? When was it last tested? What was the outcome? How long would a total disaster recovery of your systems take? Would it be successful? How would you operate in the interim? How much data would be lost? How would it be communicated? How is all of this documented?
In future blogs, I will be exploring in more depth some of the key issues around successful use of IT in pharmaceuticals, including issues around MHRA, GxP and HIPAA compliance. In the meantime, if you are concerned about your business’s compliance position in regard to IT systems, please do not hesitate to contact me on 0118 920 9600 or email jstratton@connexion.co.uk when I will be happy to arrange a no obligation conference call.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
Established in 1994,
Connexion Ltd provides IT consultancy, IT services and IT support to mid-size Pharmaceuticals, Clinical Research
organisations, Biotechnology and Medical Device companies throughout the UK.
Our focus is on delivering IT solutions that create real value to our clients' businesses.
Working closely with our customers’ in-house IT Managers, our structured and
managed approach to delivering IT is paramount in ensuring our clients can
maximise the business advantages technology can offer them, whilst minimising
their risks and maintaining regulatory compliance. For more information about
our services for pharmaceutical businesses please visit our website http://www.connexion.co.uk/pharmaceuticals/
No comments:
Post a Comment