Cloud Control: Maintaining Compliance as Regulated Apps Move Off Premise

As pharmaceutical companies become more confident and ambitious in their use of the cloud to host, run, and source applications, more recently extending the model to regulated applications, important considerations arise — particularly around associated systems validation and data governance.

At Amplexor Life Sciences’ BE THE EXPERT 2022 conference, Dr. Thierry Dietrich, Ph.D., of pharm@dviser discussed the different levels of cloud use and the best approaches to ensuring compliance in each case as regulators pay closer attention to cloud-based data management.

The general trend toward cloud-based IT and the use of cloud-hosted applications shows no signs of abating, and the life sciences industry — albeit behind the curve — has been making its own steady progress in moving its systems off premise.

Now that they have tested the water with unregulated applications, many of these companies are exploring the potential to move more sensitive systems off site, in the expectation that this will enable greater flexibility, collaborative potential, productivity, and efficiency, as well as improved dynamism in an environment that is evolving continuously.

Balancing Risks and Rewards

As team leaders and/or IT departments become more persuasive about the benefits of running more activities via the cloud, it’s important that companies are not exposed to increased risk. New measures may need to include additional levels of protection (for example, harnessing end-to-end data encryption) as data travels across the Internet and more “open” systems.

While sharing much of the enthusiasm about the potential for cloud-based process transformation, regulators too are well aware of the associated scope for data breaches, data losses/corruption, and other new vulnerabilities — and the changing emphasis of their inspections reflects this.

Neither the regulators nor quality managers at companies want to risk data quality, process continuity, or patient safety in the rush to make more comprehensive use of the cloud. There is a balance to be struck, they realize, between greater agility, system security, and data integrity. After all, even if ownership of the IT systems is transferring to a cloud-based system provider, legal accountability for the data and what happens to it remains squarely with the regulated company.

Not All Cloud Deployments Are Equal

It’s this delicate balancing act that I’ll be speaking about in my session at BE THE EXPERT 2022, with consideration for the different levels of cloud use.

That’s because internal system and data controls will vary depending on whether the company is merely taking advantage of a cloud-based infrastructure (via infrastructure as a service, or IaaS); whether they are harnessing a cloud-based platform (platform as a service, or PaaS) as the means to develop or integrate applications; or whether they are subscribing to an application under the ownership and control of a third party (software as a service, or SaaS).

Given this granularity, it follows that validation and data integrity/governance strategies will need to be developed or adapted according to the specific cloud approach, to ensure that companies retain — and can demonstrate — appropriate levels of control.

More often than not, pharma companies will lack the nuanced knowledge and resources to cope with all of this, but there is help available and it’s important that they draw on this as needed to fulfil their obligations.

This article is based on a talk that was presented at the Amplexor Life Sciences Be The Expert conference in June 2022.

Thierry Dietrich, Ph.D.

Dr. Thierry Dietrich is the founder and owner of the life sciences quality and IT consultancy pharm@dviser, based in the Rhein-Main region of Germany. He is an experienced management consultant who has worked in risk and quality for more than two decades.