Document integrity and security are critical to ensure compliance and approval for life science companies. Amazingly, the industry has chosen systems that put their documents at risk of loss, tampering, and regulatory penalties.
It might surprise many both inside and outside the industry to discover that critical documents, even those containing sensitive information such as patient data and test results, are routinely transferred from sponsor to CRO to consultant and back via unsecured e-mail. E-mail can be misdirected to the wrong people inside the company, sent to competitors, and can easily be read by any hacker.
Additionally, the same organizations often use loosely guarded systems such as network file shares to store and manage documents. A network file share does not provide version control, document locking, and minimal access control. With so many people working on a document, one is never sure who has the latest version leading to wasted time and resources tracking down the correct version.
Organizations who believe that they are using best practices may be unwittingly at risk. Some document management systems, including the largest and most expensive, have significant security flaws that are rooted deep within their aging architectures.
THE UBIQUITOUS NETWORK FILE SHARE
It seems like a great place to start. The collaboration tool of choice. The network file share. A single place where everyone stores their documents — and gives everyone access to those documents. Yet again, it is a risky decision. Imagine a disgruntled employee who has access to that share who decides to alter it, steal it, or wipe it out. Even with routine backups, the user still has broad access to other peoples work. The loss in productivity and resources adds up quickly. For example, if ten peoples’ work is stored on theshare and a days worth of data is lost, that is ten man days of work lost.
Network file shares also allow for corruption. A user could manipulate others work with little or no evidence of tampering. What prevents a manager, who has a project at stake, from opening completed documents and changing data to meet their needs? If this is discovered by a regulatory body, all data would be considered suspect and cost a life science company significant delays andfines, as well as lost revenue and corporate reputation.
THE E-MAIL ATTACHMENT
E-mail has become the communications platform of choice for today’s business, including the life sciences space. The vast number of participants collaborating in the development of life science products makes e-mail even more important.Is there any other way to comu-nicate with such speed and ease?
E-mail is a critical business tool that clearly is not going to be replaced any time soon. However, the use of e-mail and the security policies chosenwill have a major influence on business processes. The role of an attachment and how it is handled is extremly important and impacts security and regulatorycompliance.
E-mail is bounced from server to server across multiple Internet Service Providers before it arrives in the inbox. During its travels outside of your corporate firewall, it is unsecured. Using this mechanism to transfer critical documents puts those documents and the company at risk. Proprietary information may begiven up and patient data exposed.
An additional issue with e-mail, primarily if it is used for collaboration, is the inability to identify who is in poss-esion of a document and whether any alterations to the data have been made. Muddying the water further, several people may be making changes or updates to multiple versions of a document simultaneiously. Imagine being put in charge of producing a single, updated master document.
Life science companies of all sizes feel that their IT staff has a handle on this e-mail situation. E-mail may be secure for intra-office transfer but inevitably documents need to be accessed by others outside of the corporate firewall. There is only one way to deal with the problem; do not allow sensitive or mission critical documents to be e-mailed.
So what system should replace e-mail for the transfer of documents? A Web-based document management system that is made selectively available to the users who need access to documents. A port is opened, a user is created on the system. The document management system allows the user to access the document and tracks when the user has it checked out, creates a version when he checks it back in, and ensures that no one else is updating the same document while it is checked out. A full audit trail is maintained all the while.
This provides a richly managed collaboration in a regulatory compliant framework that shows who has what document and version, what changes were made, and digital signatures for approvals. Also, providing check-in and check-out functionality to eliminate simultaneous changes.
DOCUMENT MANAGEMENT DOES NOT A SECURE DOCUMENT MAKE
It is generally believed in the life science world that all regulatory and compliance issues go away when a document management system is implemented, preferably the most expensive system with untold rewards. And why should this misconception not be believed? The regulatory bodies almost promotethis idea.
Most of these systems do not do all of the things required for the life science industry out of the box. Rather they require a significant amount of configuration during implementation to meet those needs. This implementation will eithersucceed or fail to make a company more impervious to compliance issues.
The truth is that a document management system, if implemented correctly, can significantly improve the regulatory landscape of a company and at the same time yield significantadditional business benefits.
There are several issues with either the document management system or the implementation that can put a company at regulatory risk. Those include misunderstood requirements, poor or delayed execution, or a system that cannot be validated.
A significant architectural flaw is that some legacy document management systems still store managed documents on the file system. Making the documents as susceptibleto tampering, corruption, and malice as a network file share.
This flaw can be traced back to a time when there was no other way to solve the problem. Today’s modern database systems make this problem surmountable but legacy systems whose code base is dated are unable to change.
While it is true that this specific file system can be significantly secured from user access, those files could still be manipulated by an IT staffer either under coercion or self-directed contempt. The end result is that not only all of the company’s data is suspect, but their expensive document management system is suspect as well.
A robust document management system stores documents inside a database, where they are absolutely secured against download or change without an audit trail. In fact, they are no longer documents — just binary data. In some cases, this data is even encrypted. In the eyes of a regulator, imagine which system will emerge as a better choice.
INDUSTRY IS NOT AN ACADEMIC ENVIRONMENT
The development of life science products is often so closely tied to research that even workers inside a sponsor perceive the environment as academic. Most employees come out of an academic world and may not be accustomed to a regulated environment.
Leaders in the life science space should educate employees on the critical differences of working in industry versus academia. Systems are put in place not to complicate the process of science but to yield the eventual benefits of that research.
The data the researchers and others in life science companies create is critical to the process and to the eventual success of the company. It is imperative that the integrity and security of that data is maintained. Without vigil a company faces many perils:
Document integrity is critical to many regulated industries; however, the life sciences do not have the issue as well in hand as its counterparts. Not only is it a requirement for the industry to ensure document and data integrity as well as security, but it makes good business sense. It requires peoplewithin the organization to be vigilant but can return heavily for that investment.
Dirk Karsten Beth is President of Mission3, Inc., a software company that provides solutions to the life science industry. He can be reached at Mission3; 5060 N. 40th St., Suite 209; Phoenix, AZ 85018; 602-957-2150 ext. 503; dbeth@mission3.com; www.mission3.com.
It might surprise many both inside and outside the industry to discover that critical documents, even those containing sensitive information such as patient data and test results, are routinely transferred from sponsor to CRO to consultant and back via unsecured e-mail. E-mail can be misdirected to the wrong people inside the company, sent to competitors, and can easily be read by any hacker.
Additionally, the same organizations often use loosely guarded systems such as network file shares to store and manage documents. A network file share does not provide version control, document locking, and minimal access control. With so many people working on a document, one is never sure who has the latest version leading to wasted time and resources tracking down the correct version.
Organizations who believe that they are using best practices may be unwittingly at risk. Some document management systems, including the largest and most expensive, have significant security flaws that are rooted deep within their aging architectures.
THE UBIQUITOUS NETWORK FILE SHARE
It seems like a great place to start. The collaboration tool of choice. The network file share. A single place where everyone stores their documents — and gives everyone access to those documents. Yet again, it is a risky decision. Imagine a disgruntled employee who has access to that share who decides to alter it, steal it, or wipe it out. Even with routine backups, the user still has broad access to other peoples work. The loss in productivity and resources adds up quickly. For example, if ten peoples’ work is stored on theshare and a days worth of data is lost, that is ten man days of work lost.
Network file shares also allow for corruption. A user could manipulate others work with little or no evidence of tampering. What prevents a manager, who has a project at stake, from opening completed documents and changing data to meet their needs? If this is discovered by a regulatory body, all data would be considered suspect and cost a life science company significant delays andfines, as well as lost revenue and corporate reputation.
THE E-MAIL ATTACHMENT
E-mail has become the communications platform of choice for today’s business, including the life sciences space. The vast number of participants collaborating in the development of life science products makes e-mail even more important.Is there any other way to comu-nicate with such speed and ease?
E-mail is a critical business tool that clearly is not going to be replaced any time soon. However, the use of e-mail and the security policies chosenwill have a major influence on business processes. The role of an attachment and how it is handled is extremly important and impacts security and regulatorycompliance.
E-mail is bounced from server to server across multiple Internet Service Providers before it arrives in the inbox. During its travels outside of your corporate firewall, it is unsecured. Using this mechanism to transfer critical documents puts those documents and the company at risk. Proprietary information may begiven up and patient data exposed.
An additional issue with e-mail, primarily if it is used for collaboration, is the inability to identify who is in poss-esion of a document and whether any alterations to the data have been made. Muddying the water further, several people may be making changes or updates to multiple versions of a document simultaneiously. Imagine being put in charge of producing a single, updated master document.
Life science companies of all sizes feel that their IT staff has a handle on this e-mail situation. E-mail may be secure for intra-office transfer but inevitably documents need to be accessed by others outside of the corporate firewall. There is only one way to deal with the problem; do not allow sensitive or mission critical documents to be e-mailed.
So what system should replace e-mail for the transfer of documents? A Web-based document management system that is made selectively available to the users who need access to documents. A port is opened, a user is created on the system. The document management system allows the user to access the document and tracks when the user has it checked out, creates a version when he checks it back in, and ensures that no one else is updating the same document while it is checked out. A full audit trail is maintained all the while.
This provides a richly managed collaboration in a regulatory compliant framework that shows who has what document and version, what changes were made, and digital signatures for approvals. Also, providing check-in and check-out functionality to eliminate simultaneous changes.
It is generally believed in the life science world that all regulatory and compliance issues go away when a document management system is implemented, preferably the most expensive system with untold rewards. And why should this misconception not be believed? The regulatory bodies almost promotethis idea.
Most of these systems do not do all of the things required for the life science industry out of the box. Rather they require a significant amount of configuration during implementation to meet those needs. This implementation will eithersucceed or fail to make a company more impervious to compliance issues.
The truth is that a document management system, if implemented correctly, can significantly improve the regulatory landscape of a company and at the same time yield significantadditional business benefits.
There are several issues with either the document management system or the implementation that can put a company at regulatory risk. Those include misunderstood requirements, poor or delayed execution, or a system that cannot be validated.
A significant architectural flaw is that some legacy document management systems still store managed documents on the file system. Making the documents as susceptibleto tampering, corruption, and malice as a network file share.
This flaw can be traced back to a time when there was no other way to solve the problem. Today’s modern database systems make this problem surmountable but legacy systems whose code base is dated are unable to change.
While it is true that this specific file system can be significantly secured from user access, those files could still be manipulated by an IT staffer either under coercion or self-directed contempt. The end result is that not only all of the company’s data is suspect, but their expensive document management system is suspect as well.
A robust document management system stores documents inside a database, where they are absolutely secured against download or change without an audit trail. In fact, they are no longer documents — just binary data. In some cases, this data is even encrypted. In the eyes of a regulator, imagine which system will emerge as a better choice.
INDUSTRY IS NOT AN ACADEMIC ENVIRONMENT
The development of life science products is often so closely tied to research that even workers inside a sponsor perceive the environment as academic. Most employees come out of an academic world and may not be accustomed to a regulated environment.
Leaders in the life science space should educate employees on the critical differences of working in industry versus academia. Systems are put in place not to complicate the process of science but to yield the eventual benefits of that research.
The data the researchers and others in life science companies create is critical to the process and to the eventual success of the company. It is imperative that the integrity and security of that data is maintained. Without vigil a company faces many perils:
- Regulatory risks, fines, and delays
- Extended or failed due diligence from investors, purchasers, and out-licensing partners
- Patentability and patent defense issues
- Situations have led to firings and criminal prosecution of C-level individuals
Document integrity is critical to many regulated industries; however, the life sciences do not have the issue as well in hand as its counterparts. Not only is it a requirement for the industry to ensure document and data integrity as well as security, but it makes good business sense. It requires peoplewithin the organization to be vigilant but can return heavily for that investment.
Dirk Karsten Beth is President of Mission3, Inc., a software company that provides solutions to the life science industry. He can be reached at Mission3; 5060 N. 40th St., Suite 209; Phoenix, AZ 85018; 602-957-2150 ext. 503; dbeth@mission3.com; www.mission3.com.
