Password Manager Applications and Data Integrity

I recently ran into a scenario where password manager apps are used as solutions (?) in generating complex passwords and to keep login information private and secure. I am wondering what your thoughts are on the use of apps to store and auto-fill passwords to GxP systems, especially with respect to access restriction requirements and data integrity. Any validation requirements, etc.?

Asked by a colleague

Passwords are horrible, with numerous problems, both from a security and a usability standpoint. Companies often talk about vulnerabilities, external (like phishing) and internal (like fraud), but there are a host of issues from the user’s end. Often, users have to create dozens of passwords for different accounts, leading to frustration and lost productivity around authentication.

So either the user keeps the same password for multiple sites and applications, which is a major security issue, or they diligently create new passwords for each and every account and promptly forget them.

We should be looking to create organizational policies based on facts, with a clear rationale for each. Don’t make employees stick to outdated security policies: they are less likely to buy into the program, which in itself can have adverse results on governance. In this case, users expect to be able to use password managers, so make it possible.

People are already using password managers in your organization, probably through the very browser you are reading this in. There are two major categories of password managers:

  • Browser-based password managers. These come built into the browser (Chrome, Edge, etc.) or into software downloaded to your computer or network.
  • Password management apps. These are downloadable software that uses encryption to store your credentials safely and securely (most of the time).

There is a lot written on this from the cybersecurity position by people a whole lot more knowledgeable than me, so I will focus on the data integrity side of things.

There are three primary requirements here that can be distilled from the key guidances:

  • Establish and maintain organizational, procedural, and technical controls to minimize the risk of unauthorized or inadvertent access to computer systems data and records.
  • Manage role-based system access for users and system administrators, including segregation of duties.
  • Establish manual and automated monitoring of computer systems and environments to identify and respond to potential vulnerabilities and intrusions.

As with everything, the amount of effort here follows a risk-based approach depending on the regulated processes, records, and data in the system, and on whether the system is externally facing (and remember, all your cloud applications are externally facing!).

Start by evaluating the Information Security Management System (ISMS) as defined by ISO 27001. Many of the requirements in ISO 27001 overlap with the expectations of a GxP system, so it is important that there be one cohesive approach in the organization (and yes, that means your ISMS is fully GxP).

Set Organization Controls for the following:

  1. Which password managers are allowed. Make it easy and everyone will use it. It also makes the approach easier to maintain. Restrict a bring-your-own-app approach.
  2. Strengthen your password requirements: 13+ characters, no repeats (also a possible technical control once you’ve taken this route), etc.
  3. Ensure compliance with the NIST SP 800-63B password guidance and the latest version of the German IT-Grundschutz Kompendium of the Bundesamt für Sicherheit in der Informationstechnik (BSI).
  4. Educate, educate, educate
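As an added example (not code from the original post), here is a small Python audit of a password-manager vault export against controls 2 and 3 above: the 13+ character minimum, reuse of one password across sites, and screening against a breached-password blocklist as NIST SP 800-63B requires of verifiers. The vault entries and the blocklist are constructed sample data.

```python
# Added example (not the post's code): audit a password-manager vault export
# against the controls above. Vault entries and blocklist are constructed.
from collections import defaultdict

MIN_LENGTH = 13  # the post's "13+ characters" control
BLOCKLIST = {"password123456", "qwertyuiopasdf", "letmein"}  # constructed stand-in

def password_findings(password: str) -> list[str]:
    """Return policy findings for one password (empty list = acceptable)."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    # NIST SP 800-63B: screen candidates against a breached-password list.
    if password.lower() in BLOCKLIST:
        findings.append("appears in breached-password blocklist")
    # NIST SP 800-63B also rejects repetitive passwords; a run of three
    # identical characters is used here as a simple proxy for that.
    if any(password[i] == password[i + 1] == password[i + 2]
           for i in range(len(password) - 2)):
        findings.append("contains a run of three identical characters")
    return findings

def audit_vault(entries: list[dict]) -> dict[str, list[str]]:
    """Map each site to its findings; reuse across sites is the 'no repeats' control."""
    sites_by_password = defaultdict(list)
    for e in entries:
        sites_by_password[e["password"]].append(e["site"])
    report = {}
    for e in entries:
        findings = password_findings(e["password"])
        others = [s for s in sites_by_password[e["password"]] if s != e["site"]]
        if others:
            findings.append("reused on: " + ", ".join(sorted(others)))
        if findings:
            report[e["site"]] = findings
    return report

# Constructed sample vault export (site names and passwords are made up).
SAMPLE_VAULT = [
    {"site": "lims.example", "password": "Correct-Horse-Battery-Staple-42"},
    {"site": "eqms.example", "password": "Summer2022!"},
    {"site": "erp.example", "password": "Summer2022!"},
    {"site": "dms.example", "password": "password123456"},
]

if __name__ == "__main__":
    for site, findings in audit_vault(SAMPLE_VAULT).items():
        print(site, "->", "; ".join(findings))
```

Only sites with at least one finding appear in the report, so an empty report means the vault passed all three checks.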

It is important to recognize the difference between dedicated laptops and shared machines, especially a station that cannot recognize different users. In these cases, password managers require additional controls, up to being shut off and prevented from use. I cannot stress this enough: a password manager on a shared machine is asking for trouble, so treat it with the attention it deserves.

Test your selected password manager(s). Most of your testing will be acceptance of the vendor-provided package, but you will want to conduct a nice compact qualification. Test it with GxP systems. This will look a lot like whatever testing you do for an SSO application.

Ensure that the right periodic vulnerability testing exists.

In this day and age, password managers are going to be used. Be aware of the risks and ensure the appropriate processes are in place to manage them.

European Guideline on Data Integrity in GCP Studies

The EMA has published “Guideline on computerised systems and electronic data in clinical trials.”

Anyone familiar with Annex 11 of EudraLex Volume 4 won’t be surprised by the content, but frankly I expect a lot of folks whose experience is primarily on the clinical side will be scratching their heads. The fact that the authors felt the need to dedicate an entire paragraph to unique user names is telling.

This is a great resource for sponsors who need to figure out just what to evaluate at investigator sites, a requirement this guideline repeats multiple times.

I’ll be very curious how effective sponsors are in ensuring this requirement is met: “The investigator should receive an introduction on how to navigate the audit trail of their own data in order to be able to review changes.”

EMA Publishes 2021 GCP Compliance Report

The EMA has published the Annual Report of the Good Clinical Practice (GCP) Inspectors Working Group (IWG) 2021.

Beyond wishing for an 11-month cycle of writing and approval on my own annual reports, there is some valuable information there.

In 2021, three CHMP GCP inspections were conducted entirely remotely, and three inspections were conducted in a hybrid setting. A total of 286 deficiencies, comprising 24 critical, 152 major and 110 minor findings were recorded for the 27 CHMP requested inspections conducted in 2021. This represents an average of 10-11 findings per site inspected. The three top categories were: “General”, “Trial Management” and “Computer System”. An increase in findings related to computer systems (e. g. Audit Trail and Authorized Access, Computer Validation, Physical Security System and Backup) is noted compared to the last reports.

More information is available at EMA’s Good Clinical Practice Inspectors Working Group website.

Under organisation and personnel we see “Delegation of tasks to inappropriate team members.” This reinforces the need for strong CVs and job descriptions, linked to both hiring and personnel qualification.

The computer systems observations are the greatest hits of data integrity, and should be a wake-up call to any company that treats GCP and GMP computer systems differently.

Let the 2022 annual GCP training development begin. And make sure you get that training done on time!

Data Integrity Warning Letter

In July 2022, the U.S. FDA issued a Warning Letter to the U.S. company “Jost Chemical Co.” after having inspected its site in January 2022. The warning letter listed four significant areas:

  • “Failure of your quality unit to ensure that quality-related complaints are investigated and resolved, and failure to extend investigations to other batches that may have been associated with a specific failure or deviation.”
  • “Failure to establish adequate written procedures for cleaning equipment and its release for use in manufacture of API.”
  • “Failure to ensure that all test procedures are scientifically sound and appropriate to ensure that your API conform to established standards of quality and purity, and failure to ensure laboratory data is complete and attributable.”
  • “Failure to exercise sufficient controls over computerized systems to prevent unauthorized access or changes to data, and failure to establish and follow written procedures for the operation and maintenance of your computerized systems.”

I offer them the above clip as a good mini-training. I recently watched the show, and my wife thought I was going to have several heart attacks.

On a serious note, please do not short your efforts in data integrity.

Being Small and Speciality Does not Exempt from the GMPs

Specialty Process Labs LLC is a specialty API manufacturer of natural desiccated thyroid. Which is, yes, what you might think it is. And as far as I can tell, it mostly ships direct to compounding pharmacies and patients. This month they got a warning letter.

The warning letter highlights:

  1. Failure to validate the process
  2. Failure to test to specification
  3. Failure to exercise sufficient controls over computerized systems

All three of these observations make me rather glad my loved ones take levothyroxine, and I am deeply aware of all the difficulties in that drug supply.

Focusing more on the computer system, it is an unsurprising list: bad access controls, changes not under change control, and failure to validate Excel spreadsheets.

The last observation really stood out to me:

“Manufacturing master batch records held in electronic form on your company’s shared drive do not have restrictions on user access. Your quality unit personnel stated that there are no restrictions for any personnel with login credentials to access new and obsolete master records. Our investigator observed during the inspection multiple versions of batch records were utilized for API lot production.”

This is truly a failure in document access and record management, and it is one I see in a lot of places. The core requirement here is really well stated in the PIC/S Data Integrity Guidance requirement 8.4, “Expectations for the generation, distribution and control of records.” Please read the whole section, but pay close attention to the following:

  • Documents should be stored in a manner which ensures appropriate version control.
  • Master documents should contain distinctive marking so to distinguish the master from a copy, e.g. use of coloured papers or inks so as to prevent inadvertent use.
  • Master documents (in electronic form) should be prevented from unauthorised or inadvertent changes.
  • Document issuance should be controlled by written procedures that include the following controls:
    • details of who issued the copies and when they were issued;
    • clear means of differentiating approved copies of documents, e.g. by use of a secure stamp, or paper colour code not available in the working areas or another appropriate system;
    • ensuring that only the current approved version is available for use;
    • allocating a unique identifier to each blank document issued and recording the issue of each document in a register;
    • numbering every distributed copy (e.g.: copy 2 of 2) and sequential numbering of issued pages in bound books;
    • where the re-issue of additional copies of the blank template is necessary, a controlled process regarding re-issue should be followed with all distributed copies maintained and a justification and approval for the need of an extra copy recorded, e.g.: “the original template record was damaged”;
    • critical GMP/GDP blank forms (e.g.: worksheets, laboratory notebooks, batch records, control records) should be reconciled following use to ensure the accuracy and completeness of records; and
    • where copies of documents other than records (e.g. procedures) are printed for reference only, reconciliation may not be required, providing the documents are time-stamped on generation, and their short-term validity marked on the document.

The agencies have provided incredibly clear guidelines for these activities. We just need to use them.