Quality Guidance for All
ZenQMS Quality Leaders Forums (QLF) bring together thought-leaders in Life Sciences to share information about emerging trends, innovations, and best practices. These interactive discussions are open to all in the Quality community.
For our May QLF, ZenQMS Head of Quality Karin Ashkenazi and CEO & Chief Privacy Officer Panos Boudouvas led an informative discussion on a topic of concern to everyone: How to keep your company’s data private and secure. You can watch the entire session here, but we’ve also compiled some of the most important points to help you strengthen your company’s own data safeguards.
Start with Common Sense
There is good news for those at small Life Sciences companies who are looking to improve their data privacy and security, even without a large IT team. Yes, there are consultants and SaaS providers available to help, but keeping data safe doesn’t have to be complicated. In CEO Panos Boudouvas’ words, “You can do much of this yourself using common sense. You’re already doing similar work in terms of GxP compliance, so data security is just an extension of that. Don’t let anybody tell you this is a year-long process and you need to hire a really expensive consultant.”
Build a Robust Training Program
Doing this work in-house means focusing on administrative controls like assigning proper permissions and access, putting risk mitigation strategies in place, and making sure these safeguards are reviewed annually. ZenQMS Head of Quality Karin Ashkenazi also stresses the importance of building a solid training program to remind employees about the consequences of security- and privacy-related violations. She doesn’t mince words: “Make sure your employees understand the stakes. They are really, really high.” In many cases, the fines are so large that they can shut down a young company. Additionally, individuals who commit privacy violations can face criminal charges personally; their employer’s liability protections do not extend to them.
Don’t Rely on Ignorance
If you do hire outside help, the most important thing to understand is that data privacy and security is a shared responsibility. Consultants and vendors can alleviate many frustrations and complications, but ultimately, the responsibility for keeping data safe and secure lies with you. Review your providers’ privacy and security policies and make sure they’re up-to-date. If they’re hesitant about sharing, look elsewhere. Not knowing how a provider handles your data is no defense when there’s this much at stake. SaaS providers should be transparent and willing to be fully audited, make contractual guarantees, comply with current laws and regulations, and adhere to industry standards.
But again, their liability is limited, and it’s still your responsibility to look out for your company’s best interests. This means assessing the risk posed by a product or service and configuring your system to match. It also means complying with 21 CFR Part 11 / EU Annex 11 and the relevant GxP standards, and performing internal audits. And it also means taking a walk around your office to make sure no one has their passwords written on sticky notes for everyone to see!
Stay Alert as Your Company Scales
In Karin and Panos’ experience, a common factor leading to privacy and security failures is high growth. Nothing tests your ability to onboard, train, and enforce policies like doubling or tripling your workforce in a short period of time. In the current environment, where a remote workforce is normal, what was originally a manageable security plan can quickly get out of hand. As your company grows and its risk profile evolves, update your policies and your approach to security to match the new complexity so that nothing falls through the cracks. And make sure your C-suite and compliance personnel understand your newly increased risk.
Mitigating a Data Breach
If you do suspect your data has been compromised, speed is key. Open an investigation and take immediate action to contain the incident and prevent further exposure. Determine what data was accessed, by whom, and to what extent that data was protected. If data was indeed compromised, these findings will determine which notifications need to be sent to patients, employees, vendors, and/or regulatory bodies, and how quickly. Continue your investigation to identify the root cause and apply permanent corrective and preventive actions. If the breach occurred through an outside vendor, review your contract and the vendor’s privacy and security commitments to determine your rights and the vendor’s obligations to notify and assist you.
This point can’t be stressed enough: Whether you use SaaS vendors or not, your company is ultimately responsible for its own data privacy and security. That means you should have safeguards in place like a strong training policy, risk mitigation strategies, a business continuity and disaster recovery plan, proper settings on administrative permissions and access, and procedures in place to annually review these steps to make sure they’re not stagnant. It takes effort and it’s not always convenient, but in the end, meeting the challenge head-on is the best way to keep your company’s data safe.
Data privacy and security is critical to those in Life Sciences. To that end, ZenQMS adheres to and is certified against ISO 27001 and ISO 9001, complies with 21 CFR Part 11 / EU Annex 11 and all relevant GxPs for quality management systems (QMS), and follows GAMP 5 guidelines and applicable privacy laws. If you’re looking for a QMS that takes your company’s security as seriously as we take ours, book a demo and learn how we can help.