Who's Afraid of the Dark? The Importance of Effective Audits

by | Jan 31, 2019 | Adamas News, Industry Focus

Is your organisation in the dark when it comes to the quality and compliance status of your computer systems and computer system vendors?
At ADAMAS, we’re in the privileged position of working alongside a wide range of sponsor organisations, CROs and computer system suppliers.
In the 12 months leading up to January 2019, we identified Major observations relating to computer compliance in all these organisations, ranging from lack of compliance with 21CFR11 to significant issues with data integrity, validation testing and change control.
We also noticed a trend towards the use of lesser-known, niche  providers of electronic Case Report Form (eCRF), Clinical Trial Management Systems (CTMS) and Interactive Response Technology (IRT) systems, many of whom started developing their software and systems when validation requirements were less prescriptive, and who have relatively unsophisticated system development life cycle (SDLC) quality management.
Worryingly, only one organisation that we audited had implemented any steps to evaluate whether the data they were hosting was safe from access by unauthorised third parties.
With huge organisations such as the UK National Health Service (NHS)1 and Uber2 in the news recently for major IT security issues, my view is that it’s only a matter of time before our industry begins to be similarly affected. This view is shared by Ciaran Martin, CEO of the UK National Cyber Security Centre3.
In fact, it may be that such breaches have already taken place. As the recent cases with Uber and Facebook4 show, companies that have suffered IT security breaches are not always transparent for fear of reputational damage – and there is evidence to suggest that up to 75% of data breaches may go unreported5.
Vendor Qualification Audits are common practice in our industry, but are rarely focused sufficiently on computer system compliance (CSC) and IT security. They’re often performed by generalist auditors, and there is only limited time to evaluate a significant number of frequently complex aspects of the service provider’s activities.
Although well-intentioned, many such audits focus only on outdated aspects of physical security and basic logical security. Procedures and standards for these have been well-established in most cases for many years, and may overlook deficiencies in newer areas of concern. This includes penetration testing, encryption practices and network and application security weakness that malicious third parties are likely to be able to exploit.
As such, these kinds of audits cannot be relied upon to provide a sufficient level of assurance for all aspects of CSC.
Where IT activities are key to successful quality operations (as they usually are nowadays), a more focused investigation of these is warranted.
It’s unquestionably time to ask ourselves whether our systems are sufficiently validated, the extent to which our data is robust and secure, and if our organisations could stand the adverse publicity (and possibly regulatory censure) of a data-security breach should one occur – then, of course, what we can do to address any shortcomings.
For further advice on this or any other concerns relating to CSC, or for details of how ADAMAS’s CSC experts can help, please contact Matt Barthel at matt.barthel@adamasconsulting.com or on +44 (0)1344 751 210.

Matt Barthel

Head, Computer Systems Compliance & Data Protection Officer
ADAMAS Consulting Ltd