The Questions Life Sciences Firms Ask About Cloud
As life sciences companies come under pressure to cut costs and simplify how data is shared, they are seeing the cloud as an opportunity to manage enterprise-wide information. The industry, however, has been reluctant to move to the cloud, for both IT and business reasons.
by Dawn Waite
There are benefits to both sides of the enterprise in moving to the cloud. The business case is well understood: having clear, consistent information available in a way that simplifies data exchange. For IT, it means removing day-to-day management of solution tool sets, allowing IT to focus on other valuable tasks, such as delivering desktop consistency to the users.
That’s not to say companies should rush blindly into the cloud; there are some important issues to address first. Here are two common questions companies have when considering a cloud solution.
How will validation and compliance be handled?
Compliance is almost always one of the top concerns for life sciences companies. Invariably, life sciences business and IT leaders want to know how, given the regulated nature of the industry, they can move to the cloud comfortably and ensure they are compliant. This is a valid question. While there are no formal FDA guidelines on cloud, companies should adhere to 21 Code of Federal Regulations (CFR) Part 11 requirements and ensure that both qualification and validation are of the highest standards, such as with a GAMP 5 approach.
You need to qualify your infrastructure to ensure it’s doing what it says it is. So the question is: Does your vendor have a process in place to be able to handle that compliance? Are there clear documented processes and deliverables for system validation and infrastructure qualification? While most people are aware of this necessity, companies are often nervous about handing off responsibility for the infrastructure piece to a cloud vendor. And it’s fair to say that not all cloud vendors understand it.
You might be attracted to what appear to be quick and easy cloud solutions. However, if there aren’t the necessary processes and documentation to support the whole qualification and validation process, this puts you at risk, since your regulatory solutions will be sitting on infrastructure that could potentially fail an audit.
Other considerations include processes concerning change management. While the system might be set up in a compliant solution to begin with, if you’re in the cloud, you need that compliance to be maintained throughout the system’s life, and if anything changes, you need to ensure those changes meet compliance requirements. My advice to clients is that whenever there is a formal change control, a process should be followed with an assessment of whether that change needs to go through any sort of validation. That way, if an audit takes place, you’re assured of being completely compliant.
When entering a cloud contract, it is the client that needs to ensure that the vendor can demonstrate they have an effective process; hence, regular audits will be required. It will also need to be established whether this will require additional costs or whether an audit process is included in the service. What I recommend to clients is to determine what your vendor offers in terms of handling annual audits, as well as whether they engage independent auditors to assess their data centers.
What happens if I want to move my system?
One issue I consider to be crucial, but that people don’t always think about, is disentanglement. Let’s face it: In today’s businesses, things change, and you should be prepared for all eventualities. The problem is, if this isn’t part of an agreement with your vendor, you could end up unable to extricate yourself, or you might be unable to get your data out. In that case, you might be forced to undertake a manual process to get your data out, which is extremely costly.
When you are looking to move to the cloud or an IT managed service environment, it’s important to understand that things can change. To use a specific example, recently a client went through an acquisition, and the decision was made to go to an on-premises solution. As it happened, both the companies were CSC clients, but one had an on-premises solution and the other had a cloud solution. Because we have agile systems and processes in place, the job of moving data to an on-premises solution was quick and straightforward. But that wouldn’t necessarily be the case with every cloud vendor.
The approach we recommend is inclusion of a Provision of Disentanglement. That’s a framework of “what happens if,” and it defines where the responsibilities lie, what the vendor would need to do to extract a client’s data, who needs to be involved, and what the timescale is. While this can’t be definitively stated, simply because you don’t have that information in advance, you should find out what the options are, the types of personnel that would be needed, and the likely daily rate involved. It’s really about having an understanding of what needs to happen to get your data out, and most importantly, that you can get your data out.
DAWN WAITE is manager, Life Sciences in the Cloud, CSC.