Tuesday, 5 December 2017

Preparing for an MHRA Inspection Part 3: Disaster Recovery Planning



In my last blog, I talked about considerations around systems and data backup when preparing for an MHRA inspection. Today I wanted to talk in more depth about disaster recovery.

Even with the best planning in the world, the unexpected sometimes happens. We only have to look at the chaos caused in the NHS by the WannaCry ransomware attack to see the operational and commercial impact that computer systems downtime can cause. As such, disaster recovery planning is something that may well come under the spotlight at an MHRA inspection; it is also a subject that is increasingly being raised at audits which your customers may be carrying out on their supply chain.

The MHRA inspector is likely to be looking to see that you have the appropriate incident response and recovery plans in place to handle such a situation. Part of this will be about having a technical disaster recovery plan in place that ensures you can recover your data and systems successfully and in a timely manner. Equally importantly, there also need to be plans in place to cover how you would operate in the interim and how you would communicate details of an IT failure to customers, staff, suppliers and the relevant regulator(s) to minimise the financial and reputational damage to your firm. Bear in mind that, in such a situation, many of the systems you normally rely on for your communications such as emails or contact databases may be unavailable, so the plan needs to provide for alternative ways to access these details and contact these people.

To bring the subject of disaster recovery planning into perspective: whilst many pharmaceutical companies I talk to tend to associate IT downtime with large events such as fires or floods, the reality is that the majority of IT downtime has much more mundane causes, including hardware failures, loss of power, cyber security breaches (such as ransomware attacks) and software failures. In many cases the downtime is considerable. For example, according to Intermedia, 72% of companies infected with ransomware suffer two days or more without access to their files, while 32% are locked out of their files for at least 5 days.

Whether an outage is caused by ransomware, hardware failure, software failure or a wider scale disaster, it is critical that the disaster recovery plan works effectively and in a timely manner. I find many businesses that put together a disaster recovery plan some years ago and have left it in the fireproof safe ever since, without testing or updating it. My experience is that this document needs to be constantly evolving, as use of technology in pharmaceuticals has moved on rapidly, and what was an acceptable recovery plan even a year or two ago may now be totally inadequate. In addition, systems are constantly changing, with software updates and security fixes being installed on a regular basis, all of which can affect the technical success of a recovery.

So, to ensure ongoing compliance and relevance, I always recommend that the boards of the pharma companies we work with continually reassess and test their plans around resilience, backup and disaster recovery against the operational needs of their business and their regulatory compliance obligations. Some points to consider would include:

1. How long could your business manage without access to each of its IT systems and data repositories?

This is likely to vary from system to system; for example you may be able to tolerate no downtime on your email, but it may be acceptable for an archived projects folder to be restored within 72 hours. So your disaster recovery plan needs to consider each system and data repository that you use, assessing how long your business could cope without access to that system or data repository.

2. How much data, if any, could you afford to lose?

For each IT system and data repository you need to be clear how much data loss, if any, would be acceptable to the business, in both commercial and regulatory terms, and tailor your backup and disaster recovery plans accordingly. If no data loss is acceptable, then a real-time replication solution should be considered, as part of a multi-layered backup approach (see more details in this blog). If some data loss is acceptable in a disaster scenario, then backups which run daily or hourly may be acceptable.

3. Does your current disaster recovery plan accurately reflect 1 and 2 above?

Your disaster recovery plan needs to be designed such that your objectives around downtime and data loss as defined above can be met.

4. Would your plan work if used “in anger” and are you able to demonstrate this in an inspection? 

To ensure success, it is vital that the disaster recovery plan is tested on a regular basis. Testing, in my experience, almost always highlights errors or omissions in the plan which would cause an issue in a live disaster recovery invocation. Whether it exposes a practical problem (something technical or operational in the plan doesn’t work), reveals that the time taken to carry out the recovery does not meet business objectives, or shows that not all data can be recovered successfully, testing is paramount to provide the peace of mind that the plan will actually work when used “in anger”. Tests of disaster recovery plans also need to be documented, so there is clear evidence that plans exist, testing has been conducted, the plan has been shown to meet business and regulatory requirements and that any necessary remedial actions highlighted by the test have been actioned.

5. What is the process for reviewing and updating your disaster recovery plan?

With our use of technology constantly evolving, and regular changes to legislation, it is important that plans around backup and disaster recovery are regularly reviewed and re-assessed against the commercial and operational needs of the business, as well as regulatory compliance requirements such as GxP, GDPR and HIPAA.
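Points 1 to 4 can be turned into a repeatable gap check over a system inventory. The following is an added example, not part of the original article: the field names, gap codes, the 365-day test-age threshold and the sample inventory are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class System:
    name: str
    max_downtime_h: float              # point 1: tolerable downtime
    max_data_loss_h: float             # point 2: tolerable data loss (0 = none)
    backup_interval_h: float           # 0 = real-time replication
    last_test: Optional[date] = None   # point 4: date of last documented test
    tested_recovery_h: Optional[float] = None  # recovery time measured in it
    tested_full_restore: bool = False  # was all data recovered in that test?

def gaps(s, today, max_test_age_days=365):
    """Return gap codes for one system. max_test_age_days is an assumed
    threshold; the article only says tests should be 'regular'."""
    found = []
    # Point 3: with periodic backups, worst-case loss is one full interval.
    if s.backup_interval_h > s.max_data_loss_h:
        found.append("DATA_LOSS")
    # Point 4: without a documented test there is no evidence to assess.
    if s.last_test is None:
        return found + ["UNTESTED"]
    if (today - s.last_test).days > max_test_age_days:
        found.append("TEST_STALE")
    if s.tested_recovery_h is None or s.tested_recovery_h > s.max_downtime_h:
        found.append("RECOVERY_TOO_SLOW")
    if not s.tested_full_restore:
        found.append("INCOMPLETE_RESTORE")
    return found

def report(inventory, today):
    return {s.name: gaps(s, today) for s in inventory}

# Constructed sample inventory (hypothetical systems and figures).
INVENTORY = [
    System("email", 0, 0, 24, date(2017, 6, 1), 6.0, True),
    System("archived projects", 72, 24, 24, date(2015, 3, 1), 30.0, True),
    System("lab data", 8, 1, 0),
    System("finance", 24, 24, 1, date(2017, 9, 1), 4.0, True),
]
REVIEW_DATE = date(2017, 12, 5)

if __name__ == "__main__":
    for name, found in report(INVENTORY, REVIEW_DATE).items():
        print(f"{name:20} {', '.join(found) or 'meets objectives'}")
```

Keeping the output of each run alongside the test records gives the documented evidence described in point 4.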

I hope this has given you a useful insight into some of the key areas to consider around disaster recovery planning when preparing for an MHRA inspection. If, having read this article, you are concerned that your current disaster recovery plan may not be fully compliant, or may no longer meet your business needs, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk. I will be happy to arrange a no obligation conference call to discuss ways that Connexion can help, which include providing independent consultancy as well as (where required) implementing technologies and processes to ensure your disaster recovery plans meet your regulatory obligations and your business needs.

_________________________________________________________________________________

Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size Pharmaceuticals, Clinical Research organisations, Biotechnology and Medical Device companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' businesses. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks and maintaining regulatory compliance. For more information about our services for pharmaceutical businesses please visit our website http://www.connexion.co.uk/pharmaceuticals/
