Preparing for an MHRA Inspection – Part 4

Preparing your Pharmaceuticals business for an MHRA inspection is always a worrying time, and as many of the small and medium sized pharmaceuticals businesses we work with have no in-house CIO, I often get asked to examine their processes, procedures and technology around IT security and access control in order to help them prepare for an MHRA inspection.

In my previous blog, I talked about the need to understand where your data is. Once you have this understanding, the next step is to understand how you secure it.

Having good access control systems lies at the heart of successfully protecting your data, and forms an important part of preparing your information systems for an MHRA inspection.

For each of your computer systems, it is important to understand, and have documented, who has access to that system and what level of access they have. Bear in mind that it is best practice to give each user the minimum access they require to the system to do their job. Allowing staff wider access to systems puts you at greater risk of a data security breach, data corruption or data loss through incidents such as accidental deletion, a ransomware attack or malicious insider threats. As well as having SOPs in place to handle the IT access control requirements of new starters, it is also important that there are procedures in place to cover what happens when somebody leaves the company or changes role.

Nowadays, it is also likely that external organisations and third parties will have access to some of your IT systems or data. In this case this needs to be secured in just the same way, so you are clear who has access to what parts of the system, why this is needed and how it is controlled. There also need to be procedures in place to review, amend and remove access for third parties, as business relationships evolve and change.

Mobile and remote working present a whole additional set of challenges to IT security, with the potential for copies of data or emails to be residing on all kinds of devices, both company owned and employee or third-party owned, which do not necessarily conform to company security standards. Developing policies around mobile working and ensuring there is not leakage of data or unauthorised access to data form a critical part of compliance nowadays. Policies and technologies also need to be implemented to protect against data breaches from mobile devices that are lost or stolen.

Finally, bear in mind that it is not just the security of your main company-wide IT systems that will come under scrutiny at an MHRA inspection. In fact one of the common findings from previous inspections has been that locally developed systems are not sufficiently secure. So do make sure you are also including in your access control procedures all those little databases or spreadsheets that have been developed by an individual or department and which now form an important part of your business processes.

I hope this has given you a useful insight into some of the key areas to consider around access control when preparing for an MHRA inspection. If you need help preparing for an MHRA inspection, or indeed with any element of your IT system, please do not hesitate to contact me on (01494) 444065 or email gary.swanwick@epoq-it.co.uk, when I will be pleased to help.