Depending on the industry they work in, CIOs must often pay close attention to regulatory updates to help their organizations meet compliance requirements. For instance, a recent study conducted by RSA and Forrester Consulting reveals that the CIO is the final decision maker behind GDPR (the General Data Protection Regulation) initiatives in 53% of organizations.
One area where pharmaceutical industry CIOs may want to increase their focus is Data Integrity and compliance with Current Good Manufacturing Practices (CGMPs) as outlined by the U.S. Food and Drug Administration (FDA). A recent analysis by PwC's Health Research Institute finds that a growing number of companies have been warned by the FDA for data integrity violations since 2010.
Part of the problem is that most CIOs in pharma or life sciences aren't tuned in to the FDA's Data Integrity requirements, although they should be. That's because IT organizations in these companies play a significant role in supporting quality, manufacturing, clinical and R&D activities that are central to meeting these requirements.
"The FDA expects that you have controls in place to ensure that data has not been changed and is the original data," said Mark Sander, who has held executive IT leadership roles in Pharma and BioTech with multiple companies, most recently leading IT for Global Quality Operations at Teva Pharmaceuticals. "Most lab, manufacturing and R&D systems that are not large enterprise-level applications are not designed to meet this significant requirement," Sander adds.
Sander will be one of the speakers at the 2018 New Jersey CIO Executive Leadership Summit on May 2 in Whippany, N.J.
Part of the disconnect, explains Sander, is that in many pharmaceutical companies, there are thousands of standalone instruments and pieces of manufacturing equipment that utilize PCs and networks to operate. Yet all of the security and controls that are in place are local to that machine.
"Worse still, this equipment is generally installed by a vendor independently and not integrated with the IT organization's authentication or hardening," explains Sander. "If you test these machines, you all too often find the user who ran the test/production run can delete the file with the current configuration."
A good starting point for ensuring data integrity is the use of the ALCOA (Attributable, Legible, Contemporaneous, Original/True Copy, and Accurate) framework, said Sander.
"As you look through each of these principles, there are all sorts of things we can do in IT. For instance, in order for the data to be attributable to the user, is there security around the user? Are there differences in the security provisions between users? Is there an audit trail?" asks Sander.
A silver lining of these data integrity initiatives is the side benefit they generate for a company's cyber security practices by ensuring that adequate controls are in place, added Sander.
It's also important to remember that data integrity isn't about a single area of focus. "Without the right processes in place and people being trained properly, it doesn't mean anything," said Sander.