GxP Data Integrity in Pharmaceuticals: Cyber Security Questions

With updated guidance on GxP Data Integrity having been published by the MHRA earlier this year, in this blog I wanted to talk about the ramifications of a cyber security incident in relation to GxP Data Integrity.

In their new guidance document, the MHRA state “The way regulatory data is generated has continued to evolve in line with the ongoing development of supporting technologies such as the increasing use of electronic data capture, automation of systems and use of remote technologies; and the increased complexity of supply chains and ways of working, for example, via third party service providers. Systems to support these ways of working can range from manual processes with paper records to the use of fully computerised systems. The main purpose of the regulatory requirements remains the same, i.e. having confidence in the quality and the integrity of the data generated (to ensure patient safety and quality of products) and being able to reconstruct activities.”

So how does this link with cyber security?

Well, cybercrime is now a widespread issue, with the government Cyber Security Breaches Survey 2018 showing that 42% of micro/small businesses have identified cyber security breaches or attacks in the last year.  The types of attacks experienced are diverse, ranging from “phishing” attacks where criminals attempt to obtain access to confidential information or passwords, through to “ransomware” attacks where criminals hold your data to ransom by encrypting it and demanding money for its decryption.

Pharmaceuticals and healthcare, unfortunately, are a natural target of these criminals, as they are dealing with so much confidential material, ranging from patient healthcare information, to critical competitive IP.  In addition, with healthcare devices now becoming increasingly connected to the Internet, there have already been instances of hacking into such devices, with potentially devastating consequences if the dosage or other vital data is changed.

Data integrity is important throughout the pharmaceutical life-cycle, and GxP regulatory requirements have a focus on requiring confidence in the quality and integrity of the data used for decision-making.  Cyber-attacks have the potential to change data, delete data or in the case of ransomware, render it inaccessible.  As such, it is critical that cyber security is not just treated as an IT issue, and that there is ongoing Board level involvement with reviewing the risks and control measures that are in place.

Sadly, the days when a password and some antivirus software were good enough to defend your business from cyber security threats have long gone. Nowadays security policies have to involve a multifaceted approach, incorporating:

• Documented business security policies that are regularly reviewed and updated to reflect the ever-changing security threat landscape.
• Regular user training and procedures to ensure people at all levels in the business understand how to reduce the likelihood of attack.
• A suite of integrated technological solutions to help guard against the wide array of threats now present.
• Effective and tested contingency plans to fall back on should the worst happen.

It is important to remember that your security is only ever as good as your weakest link on any given day. That could be the one laptop that didn’t receive the latest Windows security update for whatever reason, or the one employee who unwittingly opens a rogue email attachment or link – potentially allowing cyber criminals to penetrate your network and intercept, hijack, change or delete your data.

To be successful in combating these threats, directors and owners within pharmaceutical businesses need to engage with IT specialists who can speak in their language, so that a shared understanding of the risks both from a GxP perspective and a technological perspective can be obtained, and a suite of effective control measures can be put in place.

I hope this blog has proved useful in demonstrating the role of an effective cyber security policy in relation to GxP data integrity.  If you need any assistance with assessing or documenting your GxP compliance around cyber security, or with implementing or updating your cyber security policies in light of new threats, please do not hesitate to contact me on (01494) 444065 or email gary.swanwick@epoq-it.co.uk

This blog forms part of our series of informational resources for senior pharmaceutical professionals. To read more articles, please visit my blog, IT in Pharmaceuticals.

Epoq IT work with small and medium size pharmaceutical businesses, providing consultancy, methodologies and technologies that bring clarity and give control over IT back to the business – putting the business in the driving seat of IT spend, compliance and security. For more information on our services please visit our website http://epoq-it.co.uk/pharmaceuticals.