Like every other industry, the healthcare and life sciences sectors have been touched by digitization and the cloud. However, unlike most other industries jumping onto the cloud bandwagon, these sectors have been cautious and even somewhat skeptical about embracing the cloud. Many decision makers and shareholders believed that the cloud did not satisfactorily address their security concerns or the stringent privacy, authentication, and regulatory requirements around drug research and clinical trials.
It is important for us as Quality Assurance (QA) and Testing professionals to understand and mitigate the specific security challenges that the cloud poses to this industry. Several types of risks have been identified by the CSA (Cloud Security Alliance), OWASP (Open Web Application Security Project), COBIT, ISO 27001, FedRAMP, SOC1 (Service Organization Control), and NIST, to name a few. These risks and top issues need to be addressed from a business perspective. In my whitepaper, I have also discussed in great detail the implication of the US Food and Drug Administration's (FDA's) Code of Federal Regulations Title 21 (21 CFR) Part 11 and the European Union's (EU's) Annex 11. The work needed to meet the requirements of Sarbanes-Oxley, too, has been captured within Information Technology General Controls (ITGC).
Resource pooling, public networks, and an on-demand self-service platform are important characteristics of cloud-based IT infrastructure. While these offer flexibility, scalability, and cost optimization, they also result in compromised control and security vulnerabilities. A robust cloud testing strategy would therefore demand extra vigilance for data security, and would address essentials such as strict regulatory compliance; unmatched data accuracy, quality, and integrity; continuous data availability; monitored access control; regular audit controls; and strong encryption.
These checks and balances can be ensured through regular internal audits, which also help in risk identification and mitigation. Security frameworks and certifications are also useful, and help life sciences companies stay informed of the latest developments, vulnerabilities, and threats in the security space.
Finally, internal and external controls such as the risk control matrix, standard operational procedures, a well-documented software development lifecycle, data encryption mechanisms, external quality audits, vendor evaluations, and product purchase reviews help fortify security mechanisms around the digitization process in the life sciences sector.
One approach can be to risk-classify systems supporting the life sciences development processes according to their security vulnerabilities. Additionally, clearly defined policies and procedures for data classification can help not just in data management, but also in identifying data sets that can be moved to the cloud. Data protection and control mechanisms can help prevent data leaks and privacy breaches.
Assurance for Life Sciences Applications on the Cloud
When managed and secured well, the cloud can cover a complete spectrum of not just development and data management, but also the entire testing repertoire for life sciences – ranging from application testing, comprising functional, performance, security, and compatibility tests, to usability and mobile platform testing. Cloud capabilities can also be leveraged for ongoing security surveillance.
With the rigorous implementation of internal and external controls, a risk-driven approach, regulatory compliance, continuous monitoring, and process compliance, life sciences companies can be assured of the best returns from cloud computing. Cloud computing will then come to be seen as a business enabler and asset, a source of innovation, and appreciated for its promised benefits – a step closer to improving healthcare and the overall well-being of individuals.
Once concerns have been addressed, cloud computing brings commendable benefits to life sciences. The convenience of accessing an on-demand, configurable, shared pool of networks, servers, applications, and services that can be obtained or released with minimal management effort works well for compute-intensive clinical trial processes. Couple this with the significant cost savings from vendor-supplied, pre-configured, scalable, and elastic IT infrastructure that can be ramped up or down depending on business requirements and accessed anywhere, when required, and cloud computing proves to be the best bet. Finally, there's the added benefit of reduction in capital investment, which enables life sciences companies to divert precious capital to other, capital-intensive, strategic business investments.
A cloud strategy that is clearly articulated and understood, and that is pragmatic and takes a risk-driven approach to validation, is imperative in the life sciences domain. Starting off by acknowledging the risks involved and then ensuring compliance with regulatory requirements, while taking a risk-based approach to validating computer systems, will result in deploying the right cloud services for strategic business and operational needs.
The cloud needs to be perceived as a source of innovation, understood and appreciated. As is often discussed, for cloud computing to mature and for companies to receive the promised benefits, cloud needs to be seen less as a technology issue and more as a business asset and enabler.