Data integrity is an ever-increasing concern in life sciences, with medical device manufacturers feeling much of the conformity backlash. There continues to be heightened regulatory focus on diverse cybersecurity topics, including data integrity.
Public and private sector organizations face a litany of consensus standards. Unfortunately, most regulatory agencies can’t offer direct advisement on effective governance methodologies. Information Security consulting may be a valuable source of clarification for quality assurance, security and legal personnel who work in the regulated industries.
What Is Data Integrity?
Any computer data created, modified, shared or otherwise accessed by medical devices, their users or their manufacturers must satisfy at least the following criteria:
- The information must be accurate.
- The information’s accuracy must be verifiable.
- The data concerning the information must conform to 21 CFR Part 11 in all respects.
Data and devices that fall short of these benchmarks may also fail to satisfy acceptable integrity standards when confronted with direct regulatory oversight.
Manufacturers should ensure their products employ patient, sample, device-status and other data in a secure fashion. Those that can’t, often pursue quality management system (QMS) improvements to close compliance gaps.
Medical devices are typically multifunctional and as such, their potential data vulnerabilities could lie in any of their hardware or software aspects. Effective quality-management strategies based on accepted practices may make validation and other common cloud computing compliance practices easier to execute successfully in today’s regulated environments.
How Can Companies Respond to Regulation?
Users access medical data and devices via multiple channels and interfaces, and data entry, networking and monitoring practices change with time. As such, the practical definitions of data integrity methodologies and standards have traditionally been derived from established customs.
Guidance publications issued by the U.S. Food and Drug Administration as recently as October 2014, for instance, cite the agency’s reliance on prior consensus standards published by a variety of technical and professional bodies. While some of these earlier guidelines reflected life sciences practices, others focused on principles that originated in the IT domain and various other fields.
Modern corporations are tasked with making sense of the history behind GxP regulations. Next, they have to identify the guidelines and definitions that apply to their specific business activities. Finally, device makers must create quality systems that let them conform to current cybersecurity regulations in their unique GxP environments as well as respond to relevant changes.
Formulating and Executing an Effective Plan
Data integrity compliance deviations can be difficult to predict. Suppose you and a competitor both build analogous devices around similar CPUs or other hardware. You’d both still have vastly different compliance requirements based on your choice of programming methodologies, and if each of you followed a unique coding strategy, you could fare quite disparately under similar scrutiny.
Incorporating existing hardware into a design is an industry standard nowadays. The advent of various cost-effective CPUs, SOICs (system-on-a-chip) and software components may result in combinations that leave data exposed.
The fact that hardware systems can be operated in many ways only increases potential risk. To apply regulatory guidelines effectively, companies need to come up with data verification and protection strategies that address as many weaknesses and realistic product usage situations as possible.
GxP-CC’s global experience with diverse QMS implementations, medical devices and software standards helps GxP organizations realize improved understanding of what it takes to maintain compliance.