Paragon Solutions shares insights on Computer System Validation (CSV). This article is the third in a series of pieces diving into the trends and directions of CSV right now.
In the previous two entries, we have defined what exactly Computer System Validation is and then looked at a few samples of test activities that would go along with validating a fictional bank ATM. In today’s post, we are going to continue on the path of what makes a system and the data inside it secure.
Specifically we will talk about Data Integrity: what defines it, how breaches can be avoided, and how to make data compliant through the use of electronic signatures.
According to a recent white paper from the FDA, data integrity is defined as “the completeness, consistency, and accuracy of data. Complete, consistent, and accurate data should be attributable, legible, contemporaneously recorded, original or a true copy, and accurate.”
In a similar spirit, the Department of Health and Human Services released this statement on its own privacy laws: “A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being.”
Data can include documents, records, metadata (data about data), audit trails, and any other information that is stored electronically. As of 2016, many large pharmaceutical companies either have dedicated electronic document management systems (eDMS) or are on their way to implementing them. Some companies use a hybrid approach, where certain legacy documents remain on paper while documents authored digitally after certain dates are stored in a system. In either case, companies rightly seek to safeguard proprietary and sensitive data, which is what makes good data integrity practices so important.
There are many examples of ways that data integrity can be breached. Several notable ones are:
- Unauthorized changes: - Modifications made to a document without following an official change and/or approval process.
- Backdating / forgery: This is easier on paper documents but possible electronically if a system doesn’t prevent it. Data backdating is the practice of giving the impression that a document was signed or executed before it actually was. If a system is not secure, then there is the possibility of users imitating others to change or forge data.
- Theft / hacking: One of the more disturbing trend to come out of 2016 has been data breaches by theft. A system should be hardened to prevent theft from ex-employees (or current ones!), scammers, or even foreign governments or corporations.
- Data loss due to migration / obsolescence: Prior to legacy systems being retired, a thorough analysis should be performed on essential data and migration activities should be planned. A shiny new system is nice but one that contains all of the legacy information needed to run your organization is even better!
- Downtime due to environmental & hardware conditions: A system is only as good as the hardware that hosts it and through drive and power failures, data which hasn’t been backed up can be unpredictably corrupted or destroyed.
- Duplicate or redundant data: Though not as bad as lost data, if a system is cluttered with unorganized redundant and/or duplicate documents, an organization can see reduced efficiency on a day to day basis and unnecessary costs rise to remediate this.
One way to maintain control over data integrity is the implementation of a system that utilizes electronic and digital signatures.
The main difference between the two is that electronic signatures are a legal concept where a properly-certified electronic process can act in the same capacity as a wet-signed signature. A digital signature refers to encryption underneath the electronic signatures which can make them stronger and expose tampering.
A truly FDA CFR Part 11 compliant system for electronic documents can alleviate at least some of the above risks to data integrity. Unauthorized and anonymous changes cannot be entered by a system that employs a strong audit trail. Backdating an approval is not possible with electronic signatures. And a log that tracks which users view and export documents can give a warning towards data theft. Additional data integrity risks can be mitigated through the implementation of industry standardized document management systems with smart planning for future outages, environment hazards, and even retirement when the system has served its purpose.
Data Integrity is a combination of two things - a system which is robust and has built-in controls to provide security cover for your data, and also procedural controls and checks in place with the aim to comply with Part 11, thus ensuring data is safe, unaltered, and retains its integrity.
2016’s business world is a far cry from 1996’s. Don’t let bad planning or outdated paper-based processes put your data at risk!
FDA white paper on data integrity:
Summary of HIPAA Privacy Rule