Cloud control: maintaining compliance as regulated apps move off premise

by Thierry Dietrich | Jun 1, 2022 | Blog, Events

As pharmaceutical companies become more confident and ambitious in their use of the cloud to host, run and source applications, more recently extending the model to regulated applications, important considerations arise – particularly around associated systems validation and data governance.

At Amplexor BE THE EXPERT 2022, I will discuss the different levels of cloud use and the best approaches to ensuring compliance in each case, as regulators pay closer attention to cloud-based data management.

The general trend toward cloud-based IT and the use of cloud-hosted applications shows no signs of abating, and the life sciences industry – albeit behind the curve – has been making its own steady progress in moving its systems off premise.

Now that they have tested the water with unregulated applications, many of these companies are exploring the potential to move more sensitive systems off site, in the expectation that this will enable greater flexibility, collaborative potential, productivity and efficiency, and improved dynamism in an environment that is evolving continuously.

Balancing risks & rewards

As team leaders and/or IT departments become more persuasive about the benefits of running more activities via the cloud, however, it’s important that companies are not exposed to increased risk. New measures may need to include additional levels of protection, such as end-to-end data encryption, as data travels across the Internet and more ‘open’ systems.

While sharing much of the enthusiasm about the potential for cloud-based process transformation, regulators too are well aware of the associated scope for data breaches, data losses/corruption, and other new vulnerabilities – and the changing emphasis of their inspections reflects this.

Neither the regulators, nor company Quality managers, want to risk data quality, process continuity, or patient safety in the rush to make more comprehensive use of the cloud. There is a balance to be struck, they realize, between greater agility, system security, and data integrity. After all, even if ownership of the IT systems is transferring to a cloud-based system provider, legal accountability for the data and what happens to it remains squarely with the regulated company.

Not all cloud deployments are equal

It’s this delicate balancing act that I’ll be speaking about in my session at BE THE EXPERT 2022, with consideration for the different levels of cloud use.

That’s because internal system and data controls will vary depending on whether the company is merely taking advantage of a cloud-based infrastructure (via Infrastructure as a Service, or IaaS); whether they are harnessing a cloud-based platform (Platform as a Service, or PaaS) as the means to develop or integrate applications; or whether they are subscribing to an application under the ownership and control of a third party (Software as a Service, or SaaS).

Given this granularity, it follows that validation and data integrity/governance strategies will need to be developed or adapted according to the specific cloud approach, to ensure that companies retain – and can demonstrate – appropriate levels of control.

More often than not, pharma companies will lack the nuanced knowledge and resources to cope with all of this, but there is help available and it’s important that they draw on this as needed to fulfil their obligations.

I look forward to discussing these themes with you. Register for the event here!

Dr. Thierry Dietrich

Founder & Owner, pharm@dviser

About the author

Dr. Thierry Dietrich has served in leadership and consulting positions within the pharmaceutical and medical devices industries for more than 20 years. He founded pharm@dviser in 2016 and acts as a management consultant.

His areas of focus are data integrity auditing, auditing of IT suppliers and IT organizations, leading large IT projects in GxP-regulated areas, validation of computerized systems, and the building and optimization of quality management systems with a focus on IT and data quality.

Thierry Dietrich is or has been a leader or member of several GAMP® SIGs and ISPE. He is also the author of numerous technical publications, a co-author of books on data integrity, and a speaker at technical conferences. He received his PhD in natural sciences and his master's degree in chemistry from Johann Wolfgang Goethe University Frankfurt.