When we still flew around the world on airplanes, I sat next to a cybersecurity expert making his way from San Francisco to Paris in an emergency response to a global 500 company that had been hacked. The hackers had been inside this company’s critical networks for an entire year, stealing secrets and sending data out. The intruders at that moment were unaware they’d been detected, and his specialization was to make sure they could not completely cover their tracks once they caught on.
If he was successful, they would likely be apprehended. Moreover, he convinced me these attacks were happening everywhere: “It is an invisible war, and those most affected do not want publicity, so you just don’t know about it,” he admitted. Now, board rooms know, and biotech and pharma companies’ executives have it in their lap to solve.
Large cloud providers such as Microsoft have entire divisions dedicated to intrusion, threat detection, and prevention to protect the data and applications running in their clouds. They have network operating centers (NOCs) worldwide with 80 screens on the wall and 60 people glued to keyboards doing nothing but defense and offense against those trying to get to your data and trade secrets and do you harm.
Wise business leaders in biotech see protecting their intellectual property and data as a top priority. They know that no matter how much capital and people they throw at it; they can never be as good as that.
Cybersecurity is always one of the top three reasons our biotech and pharma clients move their data and applications to the cloud.
MHRA and FDA-defensible operating environments
The MHRA and FDA requires that validated business applications run in what they ironically call a “closed” system. Should a therapy cause harm or death to humans, regulated companies must support and prove that their related data, captured in audit trails according to MHRA or FDA prescription, was not altered. They also want to make sure that these systems cannot be tampered with such that the manufacturer would not be able to rely on the MHRA/FDA results and controls to ensure it meets its quality standards, thereby avoiding said adverse events.
Before the cloud age, that meant running data and critical apps on internal servers with massive digital and physical lockdowns, and once validated, trying not to change them. Ever.
However, with more specific MHRA/FDA guidance and market incentives as they are, capable providers have created cloud computing environments with more robust levels of control and data protection than the old in-house server approach. They have stepped up the operating controls and processes that allow them to pass third-party audits, giving these manufacturers greater confidence that they can defend their compliance programs to the MHRA/FDA. It is now much safer and more reliable to run validated, critical business applications and data in the right cloud environment. And yes, the regulation bodies not only know this but prefer it.
Cloud push updates can work
In the old days, biotech and pharma companies put their critical business systems in place, got them validated, and then tried very hard not to change them for as long as they could. Change meant revalidation of the entire system.
As a result, it was not uncommon to come across a biotech that implemented a system several years ago, customized it (industry-specific apps for biotech and pharma really didn’t exist or were incomplete back then), validated it, and hadn’t changed it since. They were on an island from the standpoint of support and adopting new technologies. Newer workloads to support new required processes were running in multiple different systems and spreadsheets, and their life was generally a painful mess.
Meanwhile, prevailing cloud business apps of the time were pushing monthly updates to their customers’ production operating environments in some cases with little or no change control and communication. Their technology and processes were immature. This created a nightmare for life science organizations to maintain validated (or even non-validated but mission-critical) systems.
Today, mature cloud apps designed for mission-critical business processing enable high levels of change control and forward testing periods for push changes before the customer has to accept the updates to their system. This includes test environments, and in some cases, such as HSO, the ability to select the software changes the company wants to accept. That way, they only need to incrementally revalidate (and go through a complete test, IQ, OQ, PQ, production) for just the changes they are bringing into the production environment. The updates can be spaced to happen just twice per year, not every month. Biotech and pharma companies can now stay current with their validated business apps and leverage new technologies and improvements without spending an arm and a leg to maintain validation.