Preparing for an MHRA Inspection – Part 6

Those of you following my blogs will have seen the previous articles I have penned around preparing for an MHRA inspection including Understanding your Data , System Backups , Information Access Control and Cyber Security Considerations

All of these are key considerations which are designed to ensure your IT systems run effectively day in, day out, and form some of the ways to help minimise the risk of any “computerised systems” deficiencies being cited in your MHRA inspection.

However, with the best planning in the world, sometimes the unexpected does happen. We only have to look at the recent BA IT outage to see the financial and reputational damage that can be caused by such an eventuality. It is therefore important from both the regulatory and commercial perspective to have the appropriate incident response and recovery plans in place to handle such a situation.

Whilst having a technical disaster recovery plan is vital to recovering systems, it is equally important for the business continuity plan to cover how you would communicate details of an IT failure or data breach to customers, staff, suppliers, the relevant regulator(s) and the public at large to minimise the financial and reputational damage to your firm. Bear in mind that, in such a situation, many of the systems you normally rely on for your communications such as emails or contact databases may be unavailable, so the plan needs to provide for alternative ways to access these details and contact these people.

And to bring the subject of disaster recovery planning into perspective, whilst many pharmaceuticals I talk to tend to associate IT downtime with a large events such as fires or floods, the reality is that the majority of IT downtime has much more mundane causes which can include hardware failures, loss of power, cyber security breaches (such as ransomware attacks) and software failures. And in many cases the downtime is considerable, with the EMC global data protection index 2016 study showing that the average length of unplanned downtime was 22 hours. Indeed the situation seems to be worsening this year, with IT downtime caused by ransomware attacks in particular often running into a week or more.

It is also critical in this situation that the disaster recovery plan is going to work effectively and in a timely manner. Many businesses I work with had put together a disaster recovery plan some years ago and left it in the fireproof safe ever since, without testing or updating. My experience is that this document needs to be constantly evolving, as our use of technology in pharmaceuticals has moved on at pace, and what was an acceptable recovery plan a couple of years ago may now be totally inadequate. In addition, our systems are constantly changing, with software updates and security fixes being installed on a regular basis, all of which can impact on the technical success of a recovery.

So in order to ensure ongoing compliance and relevance, I always recommend that the board of pharma companies we work with continually reassess and test their plans around resilience, backup and disaster recovery, against the operational needs of their business and their regulatory compliance obligations. Some points to consider would include:

• How long could you afford for each of your various IT systems to be down for?
• How much data, if any, could you afford to lose?
• Have you tried a test of your full disaster recovery plan lately? Did it work? How long did it take? How much data was lost? Did the results demonstrate that recovery times and data loss met your current business requirements and compliance obligations?
• Where are your backups held? Would an incident like a fire or a ransomware attack wipe out your backups as well as your live systems?
• In the event of a major disaster what hardware would you restore your backups onto?
• If your offices were incapacitated (or the emergency services wouldn’t allow you access to your premises) where would you work from and how would you connect to your recovered systems?

Tests of disaster recovery plans also need to be documented, so there is clear evidence that testing has been conducted, the plan has been reviewed and any necessary remedial actions highlighted by the test have been actioned.

I hope this has given you a useful insight into some of the key areas to consider around business continuity planning when preparing for an MHRA inspection. If you need help preparing for an MHRA inspection, or indeed with any element of your IT system, please do not hesitate to contact me on (01494) 444065 or email gary.swanwick@epoq-it.co.uk, when I will be pleased to help.