Myths Around Pharma Downtime: "We Have A Disaster Recovery Plan So We're Fine"

As I discussed in my previous blog, the majority of businesses have been affected by IT downtime in the last year, and in the highly regulated pharmaceutical and life sciences industry, it is critical that the Board have a thorough business understanding of their plans for coping with such an eventuality.

Aside from the lost productivity, lost revenue and potential reputational damage an outage can cause, having a disaster recovery plan is vital to meet pharmaceuticals GxP / HIPAA compliance obligations, in order to confirm that suitable technical policies are in place to ensure that sensitive data is not altered or destroyed.

Many of the pharmaceuticals and life sciences businesses that I work with have no in-house CIO, and as such sometimes I find that the Board are incorrectly reassured by the presence of an IT disaster recovery plan that was perhaps put together some years ago and has sat in the fireproof safe ever since.

This is a myth that I wanted to expel, as unfortunately, my experience is that this document needs to be constantly evolving, as our use of technology in the industry has moved on apace, and what was an acceptable recovery plan a couple of years ago may now be totally inadequate. In addition, our systems are constantly changing, with software updates and security fixes being installed on a regular basis, all of which can impact on the technical success of a recovery.

So in order to ensure ongoing compliance and relevance, I always recommend to the Board of pharmaceuticals businesses that we work with to continually re-assess and test their plans around resilience, backup and disaster recovery, against their operational business needs and regulatory compliance requirements. Some points to consider would include:-

• How long could you afford for each of your various IT systems to be down for?

• How much data, if any, could you afford to lose?

• When did you last try a test restore of your data or email? Did it work?

• Have you tried a test of your full disaster recovery plan lately? Did it work? How long did it take? How much data was lost? Did the results show that recovery times and data loss met your business and compliance requirements above?

• Where are your backups held, and could you access them in the event of a disaster that say incapacitated your premises (or in a situation where the emergency services would not allow you access to your site?)

• In the event of a major disaster, what hardware would you restore your backups on to?

• If your offices were incapacitated where would you work from and how would you connect to your recovered system?

With ever increasing regulatory and market-driven pressures, the increase of globalisation, the advancement of technology and the changing expectations of stakeholders, my experience is that the disaster recovery plan needs to be a living, breathing document that is constantly reviewed and re-assessed to reflect the changing demands on the business.

If you would like help with reviewing or testing your disaster recovery plans to make sure that they meet your current regulatory and business requirements, please do not hesitate to contact me on (01494) 444065 or email gary.swanwick@epoq-it.co.uk

IT Downtime - Can Pharmaceuticals Afford To Bury Their Head in the Sand?

In my last blog I touched on the cost of IT downtime to pharmaceuticals and life sciences businesses. This week I wanted to expel one of the many myths around IT downtime that I often hear, which is "it will never happen to us!"

The inconvenient truth is that no pharmaceutical business can afford to bury their head in the sand when it comes to IT downtime. The EMC Global Data Protection Index 2016 study showed that  57% of UK businesses surveyed had suffered unplanned downtime in the prior 12 months. Across all organisations surveyed, the average length of unplanned downtime was 22 hours, whilst the average cost was a whopping $555,000.

The impact of IT downtime is dramatic, with a previous more in-depth study by the same organisation showing that of those businesses who experienced downtime:-

• 52% experienced a loss of employee productivity
• 34% lost revenue as a direct result of the outage
• 23% experienced a loss of customer confidence or loyalty
• 10% lost a new business opportunity

All sorts of things can cause a system failure, and although when I talk to clients in pharmaceuticals and life sciences most people's first thought is normally of fires, floods or terrorist attacks, my experience is that in reality a lot of downtime is caused by much more mundane things.

For example, the great British weather has much to answer for when it comes to IT downtime… How often has an outage been caused because the server room got too hot, or high winds blew down overhead cables, or rain flooded the basement or the local BT exchange? Then there was the site I went to recently where one part of the building had been disconnected from the rest of the network thanks to a local rodent chewing through an outdoor fibre optic cable!

Power issues and UPS problems are also a common source of downtime in my experience, as are software updates that are not carefully managed. And of course human error can play a part too.

In recent times we have all become hugely dependent on the Internet for much of our business operations, and this brings with it another potential source of costly downtime, with a recent survey by Beaming showing that:-

81% of businesses rely on email to function
51% use their Internet connectivity to also carry their voice calls
36% of businesses now rely on Internet connectivity to access mission critical cloud applications
34% use online sales tools
33% use the Internet to communicate with their mobile workforce

The same study shows that two thirds of UK businesses experienced Internet connection failures in the last year that prevented them from trading or accessing these vital online services. Of these:

• 13% started losing money immediately
• 28% suffered a financial impact after an hour of downtime
• 46% were losing money after four hours

Hopefully this goes some way to illustrate that these types of downtime issues can and do occur regularly, and as such no Pharmaceuticals Board can afford to bury their head in the sand. But the good news is that there is much that can be done to mitigate the risks and avoid the vast majority of costly downtime with a little judicious planning and investment.

In my experience, the combination of implementing the right technologies, policies, plans and user awareness/education are the key to building a resilient and reliable IT infrastructure which suffers minimal downtime.

If you have any questions or need some assistance with making your IT systems resilient, implementing systems monitoring or reviewing your disaster recovery arrangements, then please do not hesitate to contact me on 01494 444065 or email gary.swanwick@epoq-it.co.uk

How much would one hour of IT downtime cost your pharmaceuticals business?

That's one of the questions I find myself frequently discussing with the pharmaceutical businesses that I work with.

With technology now embedded intrinsically in almost every element of a pharmaceuticals business operations, network resilience, backups and disaster recovery plans have never been more important. And as anyone who has experienced network downtime will know, it is amazing how crippling an IT system failure is to the business.

From lost revenue, to lost employee productivity, the costs rapidly mount up while your system is down, your employees are idle and your customers potentially cannot contact you. It’s therefore worth spending a little time considering what would happen if your system does go down:-

• How much money will you lose?

• What’s the reputational damage?

• What are the Compliance implications?

• How long will it take to get your system up and running again?

• How much data or email will be lost?

• How will you operate your business in the meantime?

If you are unclear to the answers of any of these questions, then I would strongly advise that you take stock of your processes and procedures around network resilience, systems monitoring and disaster recovery, as my experience is that a little time and wise investment spent before something goes wrong can save your company a fortune – in fact it can sometimes just save your company!

Not only does IT system downtime lead to lost productivity and lost revenue, but the reputational damage it can cause can be immeasurable. And in the heavily regulated pharmaceuticals industry, the compliance implications can be catastrophic.

Over coming blogs, and because I wanted to expel some myths around system availability, I will be exploring some issues around downtime in pharmaceuticals. In these future blogs I will explore, discuss and advise on many of these myths, the likes of which include:-

1. “Well that won't happen to us”!

2. “We have a disaster recovery plan so we're fine!”

3. “Our systems are in the cloud so we don't need to worry about resilience or disaster recovery”

4. “Sophisticated network resilience and disaster recovery solutions cost a fortune”

However if in the meantime you have any questions or need some assistance with making your IT systems resilient, implementing systems monitoring or reviewing your disaster recovery arrangements, then please do not hesitate to contact me on 01494 444065 or email gary.swanwick@epoq-it.co.uk