Tuesday 24 January 2017

Preparing for an MHRA Inspection

Many of the small and medium size pharmaceutical companies I work with have no in-house CIO, and as such don't always have a full understanding of what IT systems they've got or how to ensure their computer systems are fully prepared for an MHRA inspection.

So today I thought it would be useful to highlight some of the key areas to think about when you are preparing your information systems for an MHRA inspection.

Understanding your data

What data do you hold? Where is it stored? Who has access to it? Does it go outside your organisation and if so how is this controlled and secured? How is this data validated? How is all of this documented?

Backup

How is your data backed up? Where are the backups held? How often are they taken? Who is responsible? How much data would you lose if you had to recover from your backups? How long would it take to restore your backups? Are you able to restore to a specific point in time? How are your backup procedures documented?

Disaster Recovery

Who is responsible? Do you have a written disaster recovery plan? Where is it stored? How often is it reviewed? When was it last tested? What was the outcome? How long would a total disaster recovery of your systems take? Would it be successful? How would you operate in the interim? How much data would be lost? How would it be communicated? How is all of this documented?

IT Security

Who has access to your systems, both within and outside the company? What level of access does each system user have? How is this reviewed? What SOPs do you have for starters and leavers? How is your network secured from threats like malware, ransomware and hackers? What are your procedures for applying security updates to your systems? What safeguards and procedures do you have in place around mobile working? What are your procedures around physical security of your servers and IT equipment? How do you manage secure disposal of old PC and server equipment? How is all of this documented? How are your procedures updated in the light of a constantly changing cyber security landscape?

Fit for Purpose

Are your IT systems fit for purpose? What level of resilience do you have built in? How much downtime do you have? Do they run at a sensible speed? How do you operate if a piece of equipment or software application fails? How is all of this documented?

If you are unclear about the answers to any of these questions, or you need help putting together suitable documentation, then please feel free to contact me on 01494 444065 or email gary.swanwick@epoq-it.co.uk for more information on ways Epoq IT can help you prepare your IT systems for an MHRA inspection.

Wednesday 4 January 2017

GDPR - 6 Top Tips for Compliance

Following on from my last blog, outlining the background to and impact of GDPR on businesses, I've had lots of calls and emails requesting more information, so I thought it would be useful to share some information on the key actions that businesses need to be taking to ensure compliance.

To recap, the new EU General Data Protection Regulation (GDPR) comes into effect in May 2018 and represents the most radical change in data protection legislation in the last 20 years. Failure to comply will have potentially catastrophic implications for companies, with the ICO able to levy fines of as much as 4% of annual turnover or €20 million, whichever is greater. In addition, the legislation requires disclosure of any breach, leaving companies highly exposed to reputational damage and potential customer payouts.

So what do businesses need to be doing NOW to mitigate the risks of GDPR?

Well, at the moment my company and I are engaged with our clients to carry out the following types of work:

1. Identifying what personal data is held (which can be as simple as an individual's name or email address), who has access to it and where it is stored. This could include in-house servers, cloud services, portable devices such as laptops, tablets and smartphones, or removable media such as USB sticks.

2. Identifying threats to this data, which could include things like cyber crime, accidental loss by employees, deliberate theft by employees, industrial espionage, lost devices and unauthorised access to data. Whilst most businesses have some policies and technologies in place to protect them against these sorts of threats, we often find that these were implemented several years ago, and with the fast-moving nature of security threats, they are no longer fully effective. In addition, many companies have a piecemeal approach of different technology solutions each designed to cover a specific security threat, but no "joined up" solution to make sure nothing falls between the cracks.

3. Investing in and implementing the right technology to deal with insider and external threats to data. These days such a solution needs to include:

   - Virus protection
   - Malware protection
   - Ransomware protection
   - A system for applying operating system and application security updates to servers, PCs and laptops promptly
   - Email filtering
   - Constantly updated firewall protection
   - Encryption of data in transit
   - Data loss/leakage prevention technology
   - The ability to remotely wipe data from any user device that is lost or stolen
   - A certified system for securely wiping old servers and PCs prior to disposal
   - Strong passwords or two-factor authentication
   - Regular penetration testing
   - 24/7 monitoring against threats

4. Putting together a new or updated data protection policy and training employees on it.

5. Putting in place processes for ongoing user education for all members of staff around cyber security and data protection.

6. And finally, for the worst-case scenario, creating a breach notification plan, which will typically involve the Board, IT, PR, sales, marketing and HR, to ensure that any breach could be communicated smoothly, accurately and with as little damage to the business as possible.

Should you need help assessing your readiness for GDPR, or advice on technology solutions that will support GDPR compliance, please do not hesitate to contact me on (01494) 444065 or email gary.swanwick@epoq-it.co.uk.