The Cloud Does Not Bite!

How to enhance the pharma, biotech and life science industry by implementing modern IT solutions with a compliant regulatory control framework.

Agata Mizera, Capgemini, GRC Lead

Even without the pandemic, these were already challenging times for most traditional pharmaceutical companies. The high competitiveness of the market, increasing international regulatory requirements and pressure to minimize health care costs are just a few of the factors driving pharmaceutical companies to adopt strategies of cutting resources and costs and optimizing their internal processes, strategies that have been present in other manufacturing sectors for some time. New technologies, a massive amount of data to process and manage, new tools and easy network access all lead to the digital revolution and an increased search for optimization, savings, excellence and best practices. The standard approach to pharma, life science and biotech services and products, with an insourced IT organization, marketing, customer services, etc., is no longer meeting its intended goal: growth of the company, development of effective new medicines and addressing the demands of customers who are increasingly better equipped to measure what they are getting for their money, all in the economic landscape of rapidly increasing healthcare costs. Keeping every function of the company in house was already neither cost-effective nor productive in the 1990s, and this trend has only grown since.

But it is not only the reality of pharma companies that has changed. Rapid digitalization is leading to massive business transformations in all areas, and as organizations begin to shift from the recovery phase of COVID-19 to the renewal phase, many are focused on what comes next and on capitalizing on the changes made to the business during COVID-19. The Gartner CIO Agenda 2021 highlighted that 69% of boards report accelerating digital business initiatives in response to COVID-19.

“The adoption and interest in public cloud continues unabated as organizations pursue a “cloud first” policy for onboarding new workloads. Cloud has enabled new digital experiences such as mobile payment systems where banks have invested in start-ups, energy companies using cloud to improve their customers’ retail experiences or car companies launching new personalization services for customer’s safety and infotainment.”

In 2022, global cloud revenue is estimated to total $474 billion, up from $408 billion in 2021. Over the next few years, Gartner analysts estimate cloud revenue will surpass noncloud revenue for relevant enterprise IT markets.

Gartner analysts said that more than 85% of organizations will embrace a cloud-first principle by 2025 and will not be able to fully execute on their digital strategies without the use of cloud-native architectures and technologies.

Table 1. Worldwide Public Cloud Services End-User Spending Forecast (Millions of U.S. Dollars) [3]

All of those changes are happening under the increased interest of regulators and organizations with a legal impact on pharma, life-science and biotech companies, such as the FDA (Food and Drug Administration) in the USA, the EMA (European Medicines Agency), the MHRA (Medicines and Healthcare products Regulatory Agency) in the UK or the ICH (International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use) for the USA, Europe and Japan, just to name a few. As the amount of patient and product data increases and new technologies emerge, inspection and audit scopes are extending.

The current IT organization (whether insourced or outsourced) needs to support the challenges the businesses are facing and is consequently being asked to deliver effective solutions while cutting costs without compromising quality, compliance, agility and flexibility. Cloud computing offers exactly those innovative possibilities, excelling in scalability, reliability and security.

Until recently, the cloud was divided into two types, public and private. The public cloud is defined as computing services offered by third-party providers over the public internet, making them available to anyone who wants to use or purchase them. The alternative, the private cloud, is designed for more specific needs, such as when sensitive data needs to be stored and shared. Private clouds are essentially data centers within a controlled, secure system.

More recently a third model, the hybrid cloud, has appeared: a combination of public and private cloud services, maintained by both internal and external providers, with orchestration between the two. This model enables organizations to use the benefits of the public cloud for certain workloads, such as accommodating demand spikes, while maintaining their own private cloud for sensitive, critical or highly regulated data and applications. A hybrid cloud brings several benefits, such as flexible deployment options, greater cost control and the ability to move workloads between environments.

A related option is a multi-cloud architecture, in which an enterprise uses more than one cloud. Most often it refers to the use of multiple public clouds. Depending on its needs, a business might choose to use both the hybrid and multi-cloud models.

The cloud architecture can be categorized by service model. These are the three most common service models:

  • Infrastructure as a service (IaaS), in which a third-party provider hosts infrastructure components, such as servers and storage, as well as a virtualization layer. The IaaS provider offers virtualized computing resources, such as VMs, over the internet or through dedicated connections.
  • Platform as a service (PaaS), in which a third-party provider delivers hardware and software tools - usually those needed for application development, including operating systems - to its users as a service.
  • Software as a service (SaaS), in which a third-party provider hosts applications and makes them available to customers over the internet.

The promises of cloud computing are certainly considerable: extremely fast and flexible solution delivery, on-demand scalability and high-availability business continuity services with easy solutions for backup and archiving. All this at a cost that is considerably lower than the traditional internal setup. But while providing these capabilities and adoption levels, can cloud services simultaneously meet the regulatory compliance needs that are core to the pharmaceutical sector?

Despite the promises of efficiency and flexibility, the adoption of cloud solutions at an enterprise level in the regulated environment is very slow. Our understanding of how to operate today has been shaped by regulations such as FDA Part 11, EudraLex EU Annex 11 and chapter 7 of the EU GMP Guide, and by industry guidance such as ISPE GAMP®. We are all aware that our current regulations lag somewhat behind the technology, and that may also affect the reception of new tools and services. We are waiting for specific guidance around a technology that is still evolving. The absence of specific regulatory guidelines for the cloud, in combination with a very conservative mindset and a historically risk-averse culture, is slowing down the pharmaceutical industry in the adoption of new technologies. It is the never-ending dilemma of innovation versus compliance.

However, if we are to operate smoothly in this new environment, we must look beyond the current practices of the pharmaceutical industry. We have to present a pragmatic, risk-based approach that satisfies the needs of the regulator, the regulated company and the cloud service provider.

The QA and Compliance units in the pharma/life-science industries are strict and exacting, and are therefore very often considered blockers of innovation, but the truth lies somewhere in between. The IT function is less focused on the proper documentation and recording of the actions that must take place when working within a highly regulated environment. At the same time, the constant growth and evolution of IT services and platforms is increasingly taking into consideration the needs of stricter areas, often guarded not only by standards and regulations but by international law itself.

The question in front of us now is how we can start to better understand and manage, rather than simply avoid, the risks that come with this technology.

What do we need to do to allow us to:

  • Identify and analyze the risks across and within an enterprise (business, compliance, security, etc.)
  • Create a framework to manage these risks both in house as well as part of our supplier management processes 
  • Obtain the cost optimization without compromising the integrity of the data that impacts product quality and patient safety
  • Realize the responsiveness the end-user demands

Based on the well-established industry guidance GAMP® 5, we were able to adapt the requirements to ensure the compliance of our own infrastructure and systems/applications. Those activities were embedded in the qualification and Computer System Validation processes that have a long history in the industry. We now have to create parallel processes for an IaaS, PaaS or SaaS provider. The execution of the IT controls will be slightly different from the “traditional” ones (such as paper-based documentation, and traceability and accountability achieved by signatures), but will better reflect the current environment.

As there is no such thing as a “GxP certification”, we have to rely on the regulations and controls that are currently in place, but interpret them to fit the new landscape and service setup. In many organizations that create and update the industry guidance, such as ISPE (International Society for Pharmaceutical Engineering), Special Interest Groups (SIGs) are created to facilitate interactions among those with interests in specialized areas within new technologies. ISPE membership is not required to subscribe to and participate in a SIG.

When considering the control framework and choosing the cloud provider, the Business and Quality units need to partner with the IT departments and providers to understand the fundamentals for judging the quality of the processes. Quality units need to assess why, where and by whom controls are established, and then examine what those controls are. Quality professionals must be willing to view controls in terms of what makes them meaningful, rather than moving the same controls directly to the provider. They will need to understand the difference between the formal elements of control and the controls that may impact the data and processes operated at a cloud provider (the difference between what and how). These traditional controls will have to be accounted for within a company’s quality framework, and then reviewed in order to understand whether this new model will require different or additional controls to meet the rigor of the regulated industry. This will likely result in a shift from quality processes contained within a regulated company to a model where quality is achieved as the result of a partnership (or partnerships) between the regulated company, service providers and regulators. Above all, compliance, security and data integrity are to be maintained.

As a starting point, we can consult the leading industry guidance:

  • GAMP® 5 guidance, along with the GAMP® Good Practice Guide on IT Infrastructure Control and Compliance
  • The National Institute of Standards and Technology (NIST) Definition of Cloud Computing (Special Publication 800-145)
  • The Cloud Security Alliance documents, including the “Cloud Controls Matrix” and “Security Guidance for Critical Areas of Focus in Cloud Computing v3.0”
  • The whole family of ISO/IEC 27000 with a special interest in ISO/IEC 27001, ISO/IEC 27017 and ISO/IEC 27018 for Information Security Management System and Data Privacy in Cloud
  • State of the art defined by BSI, ENISA (European Union Agency for Cybersecurity), NIST, COBIT, CSA STAR, etc.

When considering a particular cloud strategy, a risk assessment is advised to understand and address the risks involved with cloud computing. We have to understand the services that will be provided, their delivery processes, technology and resource pools, and the challenges the organization has. We should then consider the regulatory requirements, qualification and potential validation of the cloud. Within qualification we should take into consideration the infrastructure, processes, tools and resources that will be used within the cloud service provision. Internal controls and requirements also have to be taken into consideration; very often the Business will have different requirements than the Quality unit. It is advised to find a partner who can support the organization with experience, awareness and maturity. The partner should understand GxP applicability based on intended use, support the assessment of risks that include GxP (but also broader areas, e.g., Data Integrity, Privacy and Security), apply intended use to the applicable GxPs, regulatory guidance and similar expectations, effectively leverage an FRA, and so on.

Figure 1. The partnership that a regulated company and a service provider must prepare. [4]


The best case is to identify the required level of data protection and privacy based on legal requirements and to clearly delineate the responsibilities of the cloud service provider and the cloud customer. It is also beneficial if the organization has a mature supplier assessment process and supplier management controls. Additionally, we could further examine which IT controls are best performed by the service provider (and potentially shift those controls from our regulated company to the provider), as well as the certification programs commonly attained by providers. It also helps if our partner already hosts a strong presence of regulated companies as a cohesive block in the cloud, and if a degree of flexibility and scaling is possible. Only with this analysis and a dialogue between cloud providers, regulated companies and regulators can a framework be created that will satisfy the regulated industry.

The bigger cloud service providers have an excellent track record of uptime and business continuity, and very few security incidents, while operating with practices designed for a pure IT industry. A wide range of industries already use these services, including highly regulated industries such as the banking sector. In most cases, processes sufficient for finance are also good enough for large, regulated companies.

In the end, it is about trust and partnership, but within a standardized compliance framework. Partner with your IT department, enhance your Supplier Assurance function, demand the certifications and evidence of compliance, but also contribute to the growth of cloud-related companies and to those partnerships. Spread regulatory awareness within the IT industry: the need for quality, for document and record management, and for providing evidence related to each step of the creation of the service or of validated system/application support. This layered approach can only work when cooperation is at the highest level, and we all need this, not only because we have to present a coherent story to FDA inspectors and external auditors.

References

  1. Gartner, 2021 CIO Agenda: Seize This Opportunity for Digital Business Acceleration. Available at: https://www.gartner.com/en/publications/2021-cio-agenda-seize-thisopportunity-for-digital-business-acceleration
  2. Gartner press release, 10 November 2021, Gartner Says Cloud Will Be the Centerpiece of New Digital Experiences. Available at: https://www.gartner.com/en/newsroom/press-releases/2021-11-10-gartner-says-cloud-will-be-the-centerpiece-of-new-digital-experiences
  3. Gartner press release, 17 November 2020, Gartner Forecasts Worldwide Public Cloud End-User Spending to Grow 18% in 2021. Available at: https://www.gartner.com/en/newsroom/press-releases/2020-11-17-gartner-forecasts-worldwide-public-cloud-end-user-spending-to-grow-18-percentin-2021
  4. ISPE Pharmaceutical Engineering, January/February 2014, Cloud Computing in a GxP Environment: The Promise, the Reality. Available at: https://ispe.org/pharmaceutical-engineering/january-february-2014/cloudcomputing-gxp-environment-promise-reality

About the Author

Creator of Governance, Risk and Compliance solutions for complex IT environments within a highly regulated pharma environment. Experienced Quality and Security Consultant and auditor with a strong ISO 9001, ISO/IEC 20001, ISO/IEC 27001 and ISO 31000, risk management, regulatory and Computer System Validation background. Addressing the GRC challenges within a “cloud first” solution with a heavy automation approach and a truly transformational journey and outcome to meet the Client’s objectives. 14 years of IT experience working within regulatory-driven environments for multiple Clients across the world.
