It’s now been 17 years since the passage of the Sarbanes-Oxley Act (SOX), which was…
21 CFR Part 11 compliance has been somewhat of an ongoing debate than a set of rules. What isn’t debatable, however, is the reasoning behind 21 CFR Part 11 compliance. These rules are there to insure the integrity of electronic records in medical research and development. Production of medication and medical devices need to be based on sound science and manufactured reliably, and that means scientific data has to be carefully checked and guarded. Here’s where 21 CFR 11 stands today — and what it has to do with your data center.
An Introduction to 21 CFR Part 11
Title 21 of the Code of Federal Regulations (CFR) is the set of federal rules governing food and drugs in the United States. Part 11 is the section that regulates how companies need to use, protect, and audit electronic signatures and records.
The FDA published 21 CFR in 1997, as electronic records were rapidly replacing paper. Lives can depend on good record-keeping and authentication in research, drug, and medical organizations. Signatures on paper records provided a way to confirm their authenticity, but electronic records are easy to alter, posing a security challenge. 21 CFR 11 spelled out the rules under which the FDA would treat electronic records and signatures as authentic. It created guidelines for auditing, authenticating, retaining, copying and signing records. Electronic records are defined as any digital file format that is created, modified, maintained, archived, retrieved and transmitted. An electronic signature is defined as any computer data compilation equivalent to a handwritten signature, i.e. access log, activity log, approval logs, timestamp, or any other logo validating authenticity.
Current guidelines have considerably narrowed the scope of enforcement, using the FDA’s discretion. Legacy electronic systems — those that were already in operation when 21 CFR Part 11 was released in 1997 — aren’t subject to the rule.
More importantly, the FDA has said it will not enforce certain parts of the rule for now, as it reevaluates them. In particular, they will not “take enforcement action to enforce compliance with the validation, audit trail, record retention, and record copying requirements of part 11.” The FDA will still hold your company accountable for the accuracy of your records, and is likely to enforce these security best practices in the future. Full 21 CFR Part 11 compliance is essential to safeguard your customers and reputation, reduce legal liability and ensure you’re ready for future FDA enforcement.
The way companies use electronic records can also limit their compliance requirements. Companies that depend on a paper hard copy for reporting and other regulated activities will not have to maintain electronic compliance. But if your company runs labs or makes decisions based on electronic copies, you’re still on the hook.
The FDA enforces predicate rules. These rules require organizations to retain and submit records, generally with the date, time and other relevant information. Companies are still subject to authentication as it applies to predicate rules; its complex and confusing, but essentially it boils down to this: the FDA won’t (currently) inspect your computer for audit trails and other measures, but it still will hold your company responsible for the maintaining of accurate, reliable records. In practice, that doesn’t mean much: your company needs to follow most 21 CFR Part 11 compliance rules (even the ones not currently subject to enforcement) to ensure your records are reliable.
What Vendors Aren’t Telling You
Given the complexity of 21 CFR Part 11 compliance requirements and the FDA’s ever-changing position on implementation and enforcement, it’s natural for organizations to look for easy solutions. Some software vendors and cloud service providers take advantage of this by selling “21 CFR compliant” systems.
Unfortunately, it doesn’t work that way; there’s no such thing as turnkey 21 CFR 11 software or hardware, because compliance rules apply to the entire organization, not just their equipment. Good software can make it easier to authenticate research, but your lab still has to have internal procedures for correctly recording and submitting your research.
Symmetry offers security and compliance solutions than can help you meet 21 CFR Part 11 rules. We can work with you to develop procedural and technical controls to ensure your data is properly recorded, authenticated, and submitted. Our managed cloud can keep your data available and accessible, without the risks of compromised records that come with an unsecured system.
Protecting Your Hardware
21 CFR Part 11 compliance requires a high standard of workplace security. FDA guidelines call for workstation controls to prevent unauthorized logins and data access. Workstations should automatically log off after a few minutes of idle time, and have sign-on requirements that prevent unauthorized users from gaining access. Employees should remain close to workstations while they’re signed in, preventing others from altering the data.
Additionally, the FDA requires systems to be run, used and maintained by “persons who … have the education, training, and experience to perform their assigned tasks.” Computer systems need to be well-maintained and documented, and ready for FDA inspection. Operational system checks should be built-in, and the system should be regularly tested to make sure everything from the lab equipment to the server is working as expected, with no data corruption, performance issues, or other problems.
Symmetry’s cloud and IT infrastructure expertise makes us the perfect partner for designing and running your 21 CFR Part 11 compliance solution. We’ll work closely with you to assess your hardware, software and authentication needs, and design a system that meets them securely and affordably. Offering a full range of IT consulting services, we can handle everything from resolving connectivity issues to planning, building and migrating a complete SAP® implementation or other enterprise cloud solution.
Dealing with Complex Documentation
21 CFR Part 11 compliance rules have rigorous document authentication requirements. It’s not enough to have passwords for each user. You need audit trails logging user access and documenting changes, and controls to spot and stop unauthorized access, and restore the uncorrupted data. Your system has to be carefully designed, and well-defended.
At Symmetry, we believe security starts with good engineering and maintenance. Our managed servicesteam will keep your software optimized and up-to-date, eliminating the unpatched vulnerabilities that are responsible for many data breaches. We’ll implement strong encryption, and other security best practices. And we’ll back it up with 24-hour support from an SAP-certified team.
But it’s our security and compliance program that really separates us from the pack. Our dedicated team can audit your system and implement procedural and technical controls to keep your data safe, both in the lab and in the cloud. We’ll continually monitor access to your servers and networks, with 24-hour incident response teams — a service none of our competitors offer. Whether it’s a hacker scanning your network for vulnerabilities or a malware-compromised computer hijacking an employee’s login credentials, we’ll spot it and neutralize it before it can break 21 CFR Part 11 compliance or expose trade secrets.
Ensuring Signature Controls Are Met
Many regulatory regimes require auditing and data protection, but 21 CFR Part 11 compliance rules are unusual in their focus on authenticating signatures. There’s a very good reason: signature controls protect consumers, staff, and companies from a range of risks. Electronic signature protections hold staff accountable for their work, and make it easier for organizations (and the FDA) to verify quality and catch forgeries or data corruption.
21 CFR Part 11 compliant organizations need to give each worker a unique signature using two authentication measures, such as a password and ID number, or a biometric fingerprint scan and voice recognition. The signature should generate metadata, including:
- Date and time
- The purpose of the signature (updating records, verifying work, etc.)
Metadata can also include keywords, information about location, the structure of the data, and other things to make it easier to track, audit, and access information.
Your system should be designed to make it as difficult as possible for others to fraudulently gain access to the system — particularly if there is a high risk associated with compromised data. You’ll need mechanisms in place to monitor systems for unauthorized access. Additionally, you’ll need to be able to deactivate lost passwords or ID badges, and issue new signatures. You need procedures that will alert you to fraud or irregularities that occur outside business, along with encryption and other standard cybersecurity safeguards.
It’s a complex system, and you have to get everything right. You need a system capable of controlling access and editing rights, and correcting security flaws before they can be exploited. Symmetry’s managed security services are up to the task. Our access control and role-based systems will make sure data can only be seen or changed by the right people. Whether you’re looking for a partner to help you engineer unbreakable authentication, or just a secure data center with a team to monitor your system, we can exceed your 21 CFR Part 11 compliance needs.
Ensuring Workplace-Specific Measures are Followed
Nearly everyone governed by 21 CFR Part 11 compliance rules are also on the hook for Good Manufacturing Practices (GMP), Good Laboratory Practices (GLP) or Good Clinical Practices (GCP), if not all three. And, while security best practices can help you meet 21 CFR 11 rules, good practices really have no standard solution; your product, employees, facilities, risks and other factors completely determine what measures your organization needs to put in place.
Under GLP, for example, each piece of lab equipment must have its own equipment notebook, along with documented procedures for usage, calibration, and maintenance. You need meticulous documentation for the entire lab, as well as a file meticulously dating and documenting changes in SOP. Your archive can be audited by the FDA, so a single mistake or an incorrectly filed or certified record can be potentially catastrophic. And that doesn’t even touch on the administrative roles or facility requirements.
And keep in mind, you’re probably not just on the hook for 21 CFR Part 11 compliance and good practices. You may be responsible for HIPAA, international manufacturing and confidentiality requirements, Business Associate Agreements and other rules. Just figuring out all the rules you need to be in compliance for could be a full-time job.
The complexity of compliance tasks makes Symmetry an ideal partner. While other managed services providers only provide basic support for system maintenance, Symmetry has the compliance and audit expertise to help you plan and run your entire 21 CFR Part 11 compliant infrastructure. We’ll work with you to develop a training program that supports that infrastructure, so your employees know and follow all the rules. And with our extensive range of consulting partnerships, we can work with whatever software your business depends on.
Preventing Disaster And Ensuring a Quick Recovery
As we’ve mentioned before, 21 CFR Part 11 compliance rules are pretty stringent on archiving. If you’re protecting your data right, however, your business should already go way beyond them. We’ll build bulletproof archiving and disaster recovery solutions that minimize your liability, and protect your investment.
Symmetry’s cloud disaster recovery services give you excellent RPO and RTO at a lower price-point than traditional cold DR. Our Disaster Recovery as a Service backs up your data in our secure storage centers, protecting you against fires, floods, and other events that could damage your facility. You’ll pay a low monthly rate for the resources that you use, and have the ability to scale up quickly in an emergency. Instead of rushing tapes over to a cold DR site and scrambling to lease and install new hardware, you’ll have our infrastructure and support team already waiting for you. We’ll be able to get you running in 72 hours or less.
Need something faster? We’re on it. We offer hot DR sites with continuous mirroring for organizations that need ultra-high availability. And whatever cloud disaster recovery you choose, our rigorous testing and maintenance program means you’ll be able to count on it working as planned.
Symmetry is a Complete 21 CFR Part 11 Compliance Solution
Compliance programs have a lot of moving parts. Your hardware, software, documentation, procedures, training and security all need to work together without disrupting your ability to do business. Faced with a mountain of requirements, most organizations either to do the minimum necessary or hire an army of security and compliance experts at a huge cost.
Symmetry offers a better solution. Our complete range of IT solutions give you an affordable way to get out of the 21 CFR Part 11 compliance business entirely. With robust infrastructure, industry-leading security and compliance, comprehensive IT consulting services and dependable cloud disaster recovery, we free our partners to focus on their core competencies instead of worrying about the rules. Contact Symmetry to learn more about how we can help.