December 6, 2012
by RAPS

IT Security for Regulatory Professionals

In an age of smartphones, tablet computers and wireless communication, one could be forgiven for assuming the digital generation is risk aware and especially cautious when it comes to managing sensitive electronic data and information. On the contrary, much education is needed to create appropriate levels of risk awareness and encourage risk-averse behavior.

Regulatory professionals have access to and manage highly sensitive and confidential company data and information (i.e., intellectual property) on a daily basis. A high level of trust is placed in this group of people: trust that these data or information are protected against loss, theft and accidental or deliberate disclosure. Often, only some simple measures are enough to deter thieves or avoid loss.

This article looks at some of the tricks of the (espionage) trade and how to protect digital information.

Working With Computers

Working without computers is unthinkable in this day and age. Many in regulatory have become experts in diverse applications, not just submission management programs.

While you work in a corporate office environment, many unseen helpers, including the information technology (IT) team, will have provided several layers and levels of security to keep you and your work protected and safe. Security starts with restricted access to the building and the office (perimeter security) and continues with password-protected access to networks and files (logical security).

This is not the place to argue the pros and cons of password management, but it should be mentioned that the length of a password correlates directly with the difficulty of hacking it: the longer it is, the harder it is to crack.
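To make the length point concrete, here is a small added calculation (not from the original article) that shows how the number of possible passwords, and therefore the work an attacker faces, grows with length for a few character sets. The guess rate is an assumed placeholder, not a measured figure; the character-set sizes are the usual ASCII class counts.

```python
import math

# Character-set sizes for the illustration: the usual ASCII class counts.
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "all printable ASCII": 95,
}

# Assumed offline guess rate (placeholder for the illustration, not a
# measurement of any real hardware).
GUESSES_PER_SECOND = 1e10


def keyspace(length, alphabet_size):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(length, alphabet_size):
    """Entropy in bits of a uniformly random password of that length."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(length, alphabet_size, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every password at the assumed guess rate."""
    return keyspace(length, alphabet_size) / rate


def human_duration(seconds):
    """Render a duration in the largest unit that fits, one decimal place."""
    units = [("years", 365 * 86400), ("days", 86400),
             ("hours", 3600), ("minutes", 60)]
    for name, span in units:
        if seconds >= span:
            return f"{seconds / span:.1f} {name}"
    return f"{seconds:.3g} seconds"


def length_multiplier(extra_chars, alphabet_size):
    """How many times larger the keyspace becomes per added character(s).

    Each extra character multiplies the search space by the alphabet size,
    which is why length matters more than any single substitution.
    """
    return alphabet_size ** extra_chars


def table(lengths=(8, 10, 12, 16)):
    """Rows of (charset, length, bits, worst-case time) for the report."""
    rows = []
    for name, size in CHARSETS.items():
        for n in lengths:
            rows.append((name, n, round(entropy_bits(n, size), 1),
                         human_duration(seconds_to_exhaust(n, size))))
    return rows


if __name__ == "__main__":
    for charset, n, bits, when in table():
        print(f"{charset:<20} len={n:>2} {bits:>6} bits  {when}")
```

Reading the table top to bottom shows the author's point: going from 8 to 16 characters in the same character set multiplies the work by the alphabet size raised to the eighth power, which dwarfs the gain from adding a symbol class to a short password.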

Office computers most likely are networked, which facilitates storing and sharing data and records. It also means your data are being backed up without your even noticing. Anti-virus protection and other software safeguarding the company's digital property is continually running in the background, keeping unwanted visitors out and tracking all activity.

In addition to creating long passwords, good computing practice includes locking your computer when you leave your desk, never revealing your password (senior managers are known to give their passwords to temporary administrators) and not allowing "shoulder surfing" (someone looking over your shoulder).

The Traveling Regulatory Professional

How many laptops were stolen from your company this year? Of course, this is not a widely published statistic, but it is not unreasonable to assume in a company of a few hundred employees, several portable devices, such as laptops, mobile phones and tablets, are lost or stolen each year.

Very few companies centralize applications and data on servers instead of running them locally on portable devices, so we need to address how the vast majority can be protected.

For laptops, the simple answer is encryption, which has to be installed by the IT department and will run in the background but permits normal laptop use. Most thieves are not the slightest bit interested in your data, and solely want the equipment itself.

In the case of mobile applications that permit access to corporate data, there should be protocols in place allowing remote deletion by IT of any information on the device, regardless of who is in possession of it. This is one reason for Apple's continued success. Other safeguards include tracking devices in the mobile phone or laptop that allow pinpointing its location anywhere in the world.

Other simple precautions against loss are lightweight locks that secure your laptop to a desk or other difficult-to-move item, vigilance (do not leave your laptop unattended) and the use of hotel safes. Covers over the screen that make viewing from a wider angle awkward or impossible also help, and working on planes or trains should be done with utmost care as too many spying eyes may see your work.

As much as it irks anyone to lose a device, it is the loss of data and maybe days of work that really make the blood boil. There is no reason for massive data loss if one performs a daily backup routine.

Portable hard drives with 500 MB capacity or more are available for less than $100. Of course, it is eminently sensible not to store the backup drive with your laptop in case it is stolen.
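The daily backup routine described above is easy to script. The following is an added example, not the article's own procedure: it copies only files whose size or timestamp changed since the last run to a second location (a mounted external drive, here a temporary directory standing in for one), then verifies every copy against the source by SHA-256 so that a silently corrupted backup is noticed before it is needed. The directory names and sample files are constructed for the demonstration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large submission archives do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(src: Path, dst: Path) -> int:
    """Copy files under src to dst whose size or mtime differs. Returns the count copied.

    copy2 preserves the modification time, so an unchanged file is skipped on
    the next run. A same-size edit within the same second would be missed by
    this fast check; verify() below catches that case by content hash.
    """
    copied = 0
    for path in src.rglob("*"):
        if not path.is_file():
            continue
        target = dst / path.relative_to(src)
        if target.exists():
            s, t = path.stat(), target.stat()
            if s.st_size == t.st_size and int(s.st_mtime) == int(t.st_mtime):
                continue
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        copied += 1
    return copied


def verify(src: Path, dst: Path) -> list:
    """Return relative paths whose backup copy is missing or differs by SHA-256."""
    problems = []
    for path in src.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(src)
        target = dst / rel
        if not target.exists() or sha256_of(path) != sha256_of(target):
            problems.append(rel.as_posix())
    return problems


def demo() -> dict:
    """Run the routine on a constructed throwaway tree and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample data: a "laptop" tree and an "external drive".
        src, dst = Path(tmp) / "laptop", Path(tmp) / "external-drive"
        (src / "submissions").mkdir(parents=True)
        (src / "submissions" / "module1.txt").write_text("cover letter draft\n")
        (src / "notes.txt").write_text("meeting notes\n")

        first = backup(src, dst)            # initial run copies everything
        clean = verify(src, dst)            # all hashes match
        second = backup(src, dst)           # nothing changed, nothing copied

        (src / "notes.txt").write_text("meeting notes, updated\n")
        third = backup(src, dst)            # only the edited file is copied

        # Simulate silent corruption of one backup copy (same length, so the
        # size/mtime check alone would not notice it).
        damaged = dst / "submissions" / "module1.txt"
        damaged.write_bytes(b"x" * damaged.stat().st_size)
        corrupted = verify(src, dst)

        return {"first": first, "second": second, "third": third,
                "clean": clean, "corrupted": corrupted}


if __name__ == "__main__":
    print(demo())
```

Run it daily from a scheduler against the real laptop folder and drive, and treat a non-empty result from `verify()` as a reason to replace the drive; as the article notes, the drive should then travel separately from the laptop.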

Data and information also can be lost or intercepted during electronic transmission. Some devices are safer than others, and where possible, secure virtual private network (VPN) connections should be used.

Transmission of confidential files can be achieved via secure file transfer protocols (FTPs). Email should never, ever be used for the transmission of sensitive or confidential data: you might as well publish it on a social networking site.

This brings us to the topic of sharing non-confidential data, such as vacation plans, choir practice dates or conference attendance. Social engineering is the tactic used to make unsuspecting victims disclose their whereabouts, preferences and habits. It makes the life of a would-be thief so much easier. Therefore, such information should only be shared with utmost caution or not at all.

Regulatory Requirements

You may have been looking for the magic terms "Part 11" or "Annex 11," which refer to the US regulations on electronic records and electronic signatures coded in 21 CFR Part 11 and the EU's EudraLex Vol. 4, Annex 11, Computerised Systems, respectively. These seem to strike fear in the most hardened validation expert, when in reality they have a lot to do with common sense.

Are these regulations even applicable to regulatory, one may ask? After all, who has heard of an inspection of a regulatory department where computerized systems have been scrutinized?

The author has, and others certainly have had similar experiences. The records held in electronic format need to be inspectable, i.e., relevant to US or EU submissions, to fall under these regulations. Part 11 and Annex 11 typically apply to systems for the transmission and management of marketing authorization or application submissions.

It is not relevant whether the system is hosted and/or managed by the company or by a third party: the onus of ensuring full compliance of the system remains with the "owner," i.e., the company.

Computerized pharmacovigilance systems are often the focus of agency inspections under Part 11 and Annex 11. Though this system typically falls under the ownership of the pharmacovigilance department, regulatory staff also may be users and, thus, may become party to an inspection.

The actual requirements for compliance with Part 11 and Annex 11 are complex, and computer systems validation experts are few and far between. IT departments often lack competence in this field, and it may be prudent to seek external help, support and expertise.

Is It Safe?

Most IT departments will do their best to provide technical and logical safeguards and train staff to ensure appropriate behavior. Chances for loss and theft are higher for people who travel or who are not part of a larger organization with a sophisticated support structure.

Being cognizant and alert, and heeding simple but effective IT security advice will alleviate the vast majority of these risks. We live in a digital world, but we must not manage and use sensitive, proprietary and confidential data or records unless we can be reasonably certain that the risks are under control.

As the saying goes: "Better safe than sorry."
