Computerised systems are an area where MHRA inspectors often find deficiencies. Indeed, the “MHRA GMP Inspection Deficiency Data Trend 2016” revealed that in 324 GMP inspections conducted, a total of 173 Computerised Systems deficiencies were cited.
So today I thought it would be useful to highlight some of the key areas to think about when you are preparing your information systems for an MHRA inspection.
1. IT Security
Who has access to your systems and data, both within and outside the company? What level of access does each system user have? How is this reviewed? What SOPs do you have for starters and leavers? How is your network secured from threats like malware, ransomware and hackers? What are your procedures for applying security updates to your systems? What safeguards and procedures do you have in place around mobile working? What are your procedures around physical security of your servers and IT equipment? How do you manage secure disposal of old PC and server equipment? How is all of this documented? How are your procedures updated in the light of a constantly changing cyber security landscape?
2. Data Integrity
How do you ensure that your data does not get changed or erased? Do you transfer data manually between different systems? If so, how do you ensure the data is the same in both systems? How do you stop outsiders accessing your system to change, delete or steal data (a subject I discussed in more depth in this blog)? Does any of your data go outside your organisation and, if so, how is this controlled and secured? How is all of this documented?
3. Document Control, Data Archiving and Retention
How are documents controlled to ensure everyone is accessing the correct version? How long is data kept for? How is archived data kept safe? Do you have automated archiving/deletion processes? If so, do the archiving/retention policies in place tie in with your written documentation around data retention times? Is archived data held in a format and on media that are still readable?
4. Data Backup
How is your data backed up? Where are the backups held? Would a disaster potentially destroy your backups as well as your live systems? How often are backups taken? Who is responsible? How much data would you lose if you had to recover from your backups? How long would it take to restore your backups? Are you able to restore to a specific point in time? How are your backup procedures documented?
5. Disaster Recovery
Who is responsible? Do you have a written disaster recovery plan? Where is it stored? How often is it reviewed? When was it last tested? What was the outcome? How long would a total disaster recovery of your systems take? Would it be successful? How would you operate in the interim? How much data would be lost? How would it be communicated? How is all of this documented?