Tuesday 27 September 2016

Myths Around Pharma Downtime: "We Have A Disaster Recovery Plan So We're Fine"

As I discussed in my previous blog, the majority of businesses have been affected by IT downtime in the last year, and in the highly regulated pharmaceutical and life sciences industry, it is critical that the Board have a thorough business understanding of their plans for coping with such an eventuality.

Aside from the lost productivity, lost revenue and potential reputational damage an outage can cause, having a disaster recovery plan is vital to meet pharmaceutical GxP / HIPAA compliance obligations, which require you to confirm that suitable technical policies are in place to ensure that sensitive data is not altered or destroyed.

Many of the pharmaceuticals and life sciences businesses that I work with have no in-house CIO, and as such sometimes I find that the Board are incorrectly reassured by the presence of an IT disaster recovery plan that was perhaps put together some years ago and has sat in the fireproof safe ever since.

This is a myth that I wanted to dispel, as unfortunately, my experience is that this document needs to be constantly evolving. Our use of technology in the industry has moved on apace, and what was an acceptable recovery plan a couple of years ago may now be totally inadequate. In addition, our systems are constantly changing, with software updates and security fixes being installed on a regular basis, all of which can affect whether a recovery technically succeeds.

So in order to ensure ongoing compliance and relevance, I always recommend that the Boards of the pharmaceutical businesses we work with continually re-assess and test their plans around resilience, backup and disaster recovery against their operational business needs and regulatory compliance requirements. Some points to consider would include:

• How long could you afford for each of your various IT systems to be down?

• How much data, if any, could you afford to lose?

• When did you last try a test restore of your data or email? Did it work?

• Have you tried a test of your full disaster recovery plan lately? Did it work? How long did it take? How much data was lost? Did the results show that recovery times and data loss met your business and compliance requirements above?

• Where are your backups held, and could you access them in the event of a disaster that, say, incapacitated your premises (or one where the emergency services would not allow you access to your site)?

• In the event of a major disaster, what hardware would you restore your backups onto?

• If your offices were incapacitated, where would you work from and how would you connect to your recovered systems?

With ever increasing regulatory and market-driven pressures, the increase of globalisation, the advancement of technology and the changing expectations of stakeholders, my experience is that the disaster recovery plan needs to be a living, breathing document that is constantly reviewed and re-assessed to reflect the changing demands on the business.

If you would like help with reviewing or testing your disaster recovery plans to make sure that they meet your current regulatory and business requirements, please do not hesitate to contact me on (01494) 444065 or email gary.swanwick@epoq-it.co.uk
