
Welcome to my blog, which has been designed to keep senior pharmaceuticals industry professionals up to date with IT in the pharmaceuticals industry. As someone who is passionate about the effective use of IT in pharmaceuticals, I wanted to use this forum to share best practice, discuss common challenges and highlight some of the ways that technology can be used to deliver both commercial benefits and compliance solutions in our highly regulated industry.
Tuesday, 24 January 2017
Preparing for an MHRA Inspection
Many of the small and medium size pharmaceutical companies I work with have no in-house CIO, and as such don't always have a full understanding of what IT systems they've got or how to ensure their computer systems are fully prepared for an MHRA inspection.
So today I thought it would be useful to highlight some of the key areas to think about when you are preparing your information systems for an MHRA inspection.
Understanding your data
What data do you hold? Where is it stored? Who has access to it? Does it go outside your organisation and if so how is this controlled and secured? How is this data validated? How is all of this documented?
Backup
How is your data backed up? Where are the backups held? How often are they taken? Who is responsible? How much data would you lose if you had to recover from your backups? How long would it take to restore your backups? Are you able to restore back to a specific point in time? How are your backup procedures documented?
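Several of the backup questions above have a measurable answer: how much data you would lose is the time since the last successful backup, and "can you restore to a point in time" depends on having an unbroken chain of good backups. The script below is an added illustration written for this post, not a tool Epoq IT or any backup vendor provides; it runs against a constructed backup catalogue (the system names, dates and checksums are invented) and reports, for each system, the data-at-risk window against a target RPO, whether a recent test restore produced data matching the original checksum, and whether a point-in-time restore to two days ago would be possible.

```python
"""Backup health check against a constructed backup catalogue (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class BackupRun:
    system: str
    taken_at: datetime
    kind: str                                  # "full" or "incremental"
    status: str                                # "ok" or "failed"
    sha256: str                                # checksum recorded when the backup was written
    restore_test_at: Optional[datetime] = None  # when this run was last test-restored
    restore_sha256: Optional[str] = None        # checksum of the test-restored data


# Constructed sample catalogue: fictional systems, dates and checksums.
NOW = datetime(2017, 1, 24, 9, 0)
CATALOGUE = [
    BackupRun("lims-db", NOW - timedelta(days=7), "full", "ok", "aaa1",
              NOW - timedelta(days=6), "aaa1"),                 # test restore matched
    BackupRun("lims-db", NOW - timedelta(days=2), "incremental", "ok", "bbb2"),
    BackupRun("lims-db", NOW - timedelta(days=1), "incremental", "ok", "ccc3"),
    BackupRun("fileserver", NOW - timedelta(days=30), "full", "ok", "ddd4",
              NOW - timedelta(days=29), "XXXX"),                # test restore did NOT match
    BackupRun("fileserver", NOW - timedelta(days=3), "incremental", "failed", ""),
    BackupRun("fileserver", NOW - timedelta(days=1), "incremental", "ok", "eee5"),
]


def last_good(runs):
    """Most recent successful run for a system, or None if there is none."""
    good = [r for r in runs if r.status == "ok"]
    return max(good, key=lambda r: r.taken_at) if good else None


def can_restore_to(runs, target):
    """Point-in-time restore needs a good full backup at or before the target
    and every run between that full and the target to have succeeded; one
    failed incremental breaks the chain."""
    fulls = [r for r in runs if r.kind == "full" and r.status == "ok"
             and r.taken_at <= target]
    if not fulls:
        return False
    base = max(fulls, key=lambda r: r.taken_at)
    chain = [r for r in runs if base.taken_at < r.taken_at <= target]
    return all(r.status == "ok" for r in chain)


def assess(catalogue, now, rpo_hours, restore_test_days):
    """Return per-system findings answering the inspection questions."""
    findings = {}
    for system in sorted({r.system for r in catalogue}):
        runs = [r for r in catalogue if r.system == system]
        latest = last_good(runs)
        # Data at risk = everything written since the last successful backup.
        exposure_h = ((now - latest.taken_at).total_seconds() / 3600
                      if latest else float("inf"))
        recent_tests = [r for r in runs if r.restore_test_at
                        and r.restore_test_at >= now - timedelta(days=restore_test_days)]
        findings[system] = {
            "data_at_risk_hours": round(exposure_h, 1),
            "rpo_met": exposure_h <= rpo_hours,
            "restore_test_verified": any(r.restore_sha256 == r.sha256 for r in recent_tests),
            "pit_restore_2_days_ago": can_restore_to(runs, now - timedelta(days=2)),
        }
    return findings


if __name__ == "__main__":
    for system, result in assess(CATALOGUE, NOW, rpo_hours=24, restore_test_days=90).items():
        print(system, result)
```

The point to take from the sample data is that the file server passes the naive "was there a backup last night?" test yet fails two of the questions an inspector will ask: its only test restore did not match the original, and a failed incremental means it cannot be restored to the state it was in two days ago. A check like this, run on a schedule and filed with its output, is the kind of documented evidence the Backup section is asking for.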
Disaster Recovery
Who is responsible? Do you have a written disaster recovery plan? Where is it stored? How often is it reviewed? When was it last tested? What was the outcome? How long would a total disaster recovery of your systems take? Would it be successful? How would you operate in the interim? How much data would be lost? How would it be communicated? How is all of this documented?
IT Security
Who has access to your systems, both within and outside the company? What level of access does each system user have? How is this reviewed? What SOPs do you have for starters and leavers? How is your network secured from threats like malware, ransomware and hackers? What are your procedures for applying security updates to your systems? What safeguards and procedures do you have in place around mobile working? What are your procedures around physical security of your servers and IT equipment? How do you manage secure disposal of old PC and server equipment? How is all of this documented? How are your procedures updated in the light of a constantly changing cyber security landscape?
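The access questions in this section (who has access, what level, how it is reviewed, and what happens for leavers) are well suited to a periodic automated review whose output is kept as the record. The script below is an added example written for this post rather than anything from Epoq IT or a particular directory product: it takes a constructed export of user accounts, the leavers list from the HR starters/leavers SOP and the sign-off list of approved administrators (all fictional), and flags leavers whose accounts are still enabled, privileged accounts nobody has approved, and enabled accounts that have not been used for longer than a chosen dormancy period.

```python
"""Periodic user access review over a constructed account export (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Set


@dataclass
class Account:
    username: str
    enabled: bool
    groups: Set[str]
    last_logon: Optional[datetime]   # None means the account has never logged on


# Constructed sample data: fictional users, groups and dates.
NOW = datetime(2017, 1, 24)
ACCOUNTS = [
    Account("asmith", True, {"Domain Users"}, NOW - timedelta(days=2)),
    Account("bjones", True, {"Domain Users", "Domain Admins"}, NOW - timedelta(days=1)),
    Account("cbrown", True, {"Domain Users"}, NOW - timedelta(days=40)),   # left last month
    Account("dlee", False, {"Domain Users"}, NOW - timedelta(days=200)),   # correctly disabled
    Account("svc-lims", True, {"Domain Users", "Domain Admins"}, None),    # admin, never used
    Account("erobin", True, {"Domain Users"}, NOW - timedelta(days=120)),  # dormant
]
HR_LEAVERS = {"cbrown", "dlee"}                     # from the starters/leavers SOP
APPROVED_ADMINS = {"bjones"}                        # signed-off privileged users
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}


def review_access(accounts, leavers, approved_admins, now, dormant_days=90):
    """Return a sorted list of (username, finding) pairs for the review record."""
    findings = []
    cutoff = now - timedelta(days=dormant_days)
    for a in accounts:
        if not a.enabled:
            continue                                  # disabled accounts carry no live access
        if a.username in leavers:
            findings.append((a.username, "leaver-still-enabled"))
        if a.groups & PRIVILEGED_GROUPS and a.username not in approved_admins:
            findings.append((a.username, "unapproved-privileged-access"))
        if a.last_logon is None or a.last_logon < cutoff:
            findings.append((a.username, "dormant-account"))
    return sorted(findings)


def review_record(findings, reviewer, when):
    """Plain-text record of the review, suitable for filing as evidence."""
    lines = [f"Access review by {reviewer} on {when:%Y-%m-%d}: {len(findings)} finding(s)"]
    lines += [f"  {user}: {finding}" for user, finding in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    found = review_access(ACCOUNTS, HR_LEAVERS, APPROVED_ADMINS, NOW)
    print(review_record(found, "IT Manager", NOW))
```

In practice the account list would come from an export of your directory (the script deliberately takes plain data so it does not depend on one product), and the review record should be signed off and retained, since "how is this reviewed?" is answered by the evidence rather than by the script.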
Fit for Purpose
Are your IT systems fit for purpose? What level of resilience do you have built in? How much downtime do you have? Do they run at a sensible speed? How do you operate if a piece of equipment or software application fails? How is all of this documented?
If you are unclear about the answers to any of these questions, or you need help putting together suitable documentation, then please feel free to contact me on 01494 444065 or email gary.swanwick@epoq-it.co.uk for more information on ways Epoq IT can help you prepare your IT systems for an MHRA inspection.
Wednesday, 4 January 2017
GDPR - 6 Top Tips for Compliance
Following on from my last blog, outlining the background to and impact of GDPR on businesses, I've had lots of calls and emails requesting more information, so I thought it would be useful to share some information on the key actions that businesses need to be taking to ensure compliance.
To recap, the new EU General Data Protection Regulation (GDPR) comes into effect in May 2018 and represents the most radical change in data protection legislation in the last 20 years. Failure to comply will have potentially catastrophic implications for companies, with the ICO able to levy fines for as much as 4% of annual turnover or €20 million, whichever is greater. In addition, the legislation requires disclosure of any breach, leaving companies highly exposed to reputational damage and potential customer pay outs.
So what do businesses need to be doing NOW to mitigate the risks of GDPR?
Well, at the moment myself and my company are engaged with our clients to carry out the following types of work:-
1. Identifying what personal data is held (which can be as simple as an individual's name or email address), who has access to it and where it is stored. This could include in-house servers, cloud services, portable devices such as laptops, tablets and smartphones or removable media such as USB sticks.
2. Identifying threats to this data, which could include things like cyber crime, accidental loss by employees, deliberate theft by employees, industrial espionage, lost devices and unauthorised access to data. Whilst most businesses have some policies and technologies in place to protect them against these sorts of threats, we often find that these were implemented several years ago, and with the fast moving nature of security threats, they are no longer fully effective. In addition many companies have a piecemeal approach of different technology solutions each designed to cover a specific security threat, but no "joined up" solution to make sure nothing falls between the cracks.
3. Investing in and implementing the right technology to deal with insider and external threats to data. These days such a solution needs to include:-
· Virus protection
· Malware protection
· Ransomware protection
· A system for applying operating system and application security updates to servers, PCs and laptops promptly
· Email filtering
· Constantly updated firewall protection
· Encryption of data in transit
· Data loss/leakage prevention technology
· The ability to remotely wipe data from any user device that is lost or stolen
· A certified system for securely wiping old servers and PCs prior to disposal
· Strong passwords or two factor authentication
· Regular penetration testing
· 24/7 monitoring against threats
5. Putting in place processes for ongoing user education for all members of staff around cyber security and data protection.
6. And finally, for the worst case scenario, creating a breach notification plan, which will typically involve the Board, IT, PR, sales, marketing and HR to ensure that any breach could be communicated smoothly, accurately and with as little damage to the business as possible.