In my earlier blog, 5 Key Considerations for an MHRA Inspection, I outlined some of the key questions to think about regarding data security, data integrity, data retention, data backup and disaster recovery when preparing for an MHRA inspection. Since then a number of you have been in touch with questions, so I thought it would be useful to elaborate further on this topic. In today’s article I wanted to focus on backup, as I find that there can be much confusion about effective, compliant backup, and it is quite common for organisations to think their data is safely backed up, only to find that when a problem arises which causes them to revert to their backup, that for any number of reasons, it doesn’t work as they anticipated. As such backup frequently comes under the spotlight at an MHRA inspection and is also a subject that is being increasing examined by pharma company’s clients as part of their supply chain due diligence.
There are a whole host of reasons why you need to backup your systems and data, for example to protect against:-
• Ransomware attacks
• Deletions – accidental or malicious
• Data corruption
• Hardware failures
• Software problems
• Fire, flood or natural disaster
Having effective backup strategies in place to mitigate these types of risks is a requirement for GxP, HIPAA and GDPR compliance.
It is important to realise that there are many different types of backup, and they each provide protection against one or more of the above scenarios, but they do not all necessarily provide full protection against every scenario, so it may well be appropriate to deploy several different layers of backup.
A few things to think about include:-
• If you are using removable media (hard disks or tapes) to backup your system, where do you store your backups? If they are onsite, then there is a danger that say a fire or natural disaster that incapacitates your live system could also wipe out your backup system. If you store them offsite, what is the procedure for recalling them to site in a disaster and how long would it take to retrieve them?
• How often do you backup your data? If it is only nightly, then in a disaster you could lose up to a whole days work. What are your procedures to re-create this data? What about emails that have been lost? Would this be acceptable to the business, to the regulator and to your clients? If the answer is No, then you need to review the frequency that you are taking backups.
• Are your backups permanently connected to your live system (e.g. hard disks or online backup that presents itself as a drive on your machine or server)? If so, in the case of a ransomware attack, there is the danger that your backups could be encrypted as well as your live system and effectively rendered useless.
• How many copies of your backups do you hold? Some organisations rely on a real-time cloud based backup or replication to another server to hold up-to-date backup data. Whilst this is very useful in some scenarios (e.g. a server hardware failure), as it ensures there is no data loss, in other scenarios in may not work well at all – for example a data corruption that affects your live system will be immediately replicated to your cloud backup or standby server, thereby rendering it useless. It is therefore important that you also have a process in place that allows you to restore your data back to a given point-in-time: in this example, to before the corruption occurred.
• Then there’s the question of what to restore your backups onto, which is something not everyone considers. In the case of a deletion, data corruption or ransomware attack you can restore your data back onto your existing hardware. But in the case of a hardware failure, flood, fire or natural disaster, you may no longer have server(s) to restore your backups onto. Purchasing new hardware and restoring backups onto it is no small task and you can expect to be without your data and IT systems for several days if you haven’t pre-planned for this scenario.
• This brings me onto the difference between data and systems backups, which is a fine distinction that is not always appreciated, but can make a huge difference in the event of an entire system needing to be restored. With data backups alone, whilst you have copies of your data, you do not have copies of your entire servers, which contain operating systems, software applications, settings, user IDs, policies and a myriad of other configuration settings as well as your data. Data backups provide excellent protection against things like data deletion, but do not provide a quick and easy way to recover a working IT network in the event of a complete server failure or fire, flood or natural disaster. In this case, if the recovery is to be in any way timely, you really need to be looking at a backup that takes a complete image of your entire server, not just your data.
• Finally, any data recovery will only be successful if your backups have worked in the first place. I am constantly surprised by the number of businesses who fall foul of this and believe they have a working backup until the day they need to recover some data, or their entire system, when they find that those backups haven’t worked in full or in some cases at all. Having a business process in place to monitor the success of backups is paramount, as is regular testing to ensure the integrity and restorability of your backups.
I hope that this article has helped to highlight that data and systems backup is actually a complex issue, which almost always requires a multi-layered approach, combined with structured business processes, to be successful. Connexion have been working with Pharmaceutical companies for over 2 decades to help them leverage technology successfully, whilst carefully managing risks to the business, and ensuring regulatory compliance, through a highly structured and managed approach to delivering IT. If, having read this article, you are concerned that your current backup strategy may not be fully compliant, or may no longer meet your business needs, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss ways that Connexion can help, which include undertaking an independent audit of your backup procedures, and/or providing technologies and processes that ensure your backups meet your regulatory obligations and your business needs.
-------------------------------------------------------------------------------------------------------------
Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size Pharmaceuticals, Clinical Research organisations, Biotechnology and Medical Device companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' businesses. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks and maintaining regulatory compliance. For more information about our services for pharmaceutical businesses please visit our website http://www.connexion.co.uk/pharmaceuticals/
