Vulnerability is considered a weakness in system security procedures, design, implementation, internal controls, and so on, that could be accidentally triggered or intentionally exploited and results in a violation of the systems' security policy1.
When the vulnerability is exploited, it results in a negative impact on the integrity of the e-records or availability of the electronic systems. Mitigation of the vulnerabilities in this context typically involves coding changes but could also include specification changes or even removal of affected functionality in their entirety.
There are six elements to evaluate the vulnerability of the electronic records (e-records)2: discovery, governance, cleansing, integration, security, and mastery. The assessment to each of these areas provides the required e-records integrity3 controls to keep reliable the e-records after recreated.
The required e-records integrity controls to successfully manage the vulnerabilities can be categorized based on the event the erecords are performing in the e-records processing environment. These events are categorized as e-record creation, and during any operation such as processing, storing, while in transit, or retrieving. These events are contained in the data integrity (DI) definitions the in NIST4.
The Data as a service (DaaS)5 will be used as the computer environment model to briefly discuss the vulnerabilities of the e-records. Any other model may be used as an example. The vulnerabilities to the e-records saved to electronic media are the same without considering the model.
DaaS builds on the concept that its e-records product can be provided to the regulated user6 by a cloud service provider7 on-demand, regardless of geographic or organizational separation between provider and consumer. In a DaaS service, the repository for e-records8 and the e-records handling9 are provided as a cloud service. E-records handling is a broader issue addressing potential erecords vulnerabilities. This distinction is important when evaluating technologies and the shifting roles of enterprise information technology (IT) when managing e-records in the DaaS cloud environments.
The objective of this article is to briefly discuss the areas to look at during the assessment of the e-records integrity vulnerabilities in a DaaS environment.
Out of the scope of this article is the electronic system's e-records integrity controls to effectively manage the vulnerabilities. Description of the e-records integrity controls can be found elsewhere10.
Fig. 1: Data and E-records Integrity in Process Automation
DI in DaaS Environment
In the current good manufacturing practices (CGMP), e-records may be managed11 in the DaaS environment. Also, the e-records managing process must be validated and the associated cloud infrastructure needs to be qualified by the DaaS provider based on CGMP current practices. In any case, the CGMP e-records are always owned by the regulated user.
5-7 October 2022
Computerised System Validation: GMP Compliant Documentation - Live Online Training
EU Annex 11 p312 and EU GMP Chapter 713 provide guidelines regarding the expectations by the regulatory entities related to the efficient relationship between the DaaS provider and the regulated user.
Recognizing the vulnerability in a repository for e-records, as in a DaaS, the following summarizes the vulnerabilities and actions that should be utilized to maintain the highest quality e-records level.
In the context of the e-records processing environment, discovery is the process of examining the e-records to determine where erecords (both structured and unstructured) resides (e.g., in a database and file servers that could potentially contain regulated e-records). The outcome of this process, as an example, is the e-record sources to data target mappings. The process points to those same areas associated with DI definitions such as in NIST SP 800-57P15.
A data flow diagram is a superb tool to examine the data processing environment and to map the flow of information of any process or system, including inputs, outputs, storage points, and routes between each destination. Based on this information provided by a data flow diagram, the appropriate DI controls are implemented and documented.
Figure 1 depicts the high-level data flow diagram. This diagram can be followed with detailed information related to each referenced area in Figure 1.
Data mapping and data flow diagrams are useful tools to improve data integrity. By not understanding where critical e-records14 reside and the relevant movements, means that DI controls may not be applied in those areas where the e-records are created, transmitted, stored, or during processing.
The levels defining the organizational DI philosophy can be set up in three levels. The first level is the DI Policy; the second level is the Data Governance, and the thirds level is the DI standard operational procedure (SOP).
The DI Policy does not need to be a broad document. It established the responsibilities and expectations of senior management. It should be covered in the approach to quality risk management. The assessment should be based on e-records risk and e-records criticality.
The DI procedural control(s) can be explained in a procedural control.
Data governance, the subject of this section, contains the arrangements to ensure that e-records, irrespective of the format in which they are generated, are recorded, processed, retained, and used to ensure the record throughout the e-records lifecycle15.
Data Governance must be integrated into the pharmaceutical quality system. If not integrated into the quality system, the e-records controls will not assure e-records quality. The e-records owner16 must ensure that the governance requirements are contractually specified, and the e-records service company audited periodically to assure that the DI standards are met.
The data governance lists and summarizes all the procedural controls and, roles and responsibilities.
The governance document outlines the regulated entities' total approach to assure confidence in e-records quality17. The organization approach includes:
- a quality risk on DI based on e-records risk and e-records criticality. Note that e-record risks are based on vulnerabilities of the e-record. As defined before e-records criticality are e-records with high risk to product quality or patient safety. So, a quality risk on data integrity is managed by these two factors;
- regulated user's roles and responsibilities
- procedural control(s) to good documentation practices;
- training about e-records integrity to all electronic systems regulated users;
- making accountable the senior management to support the controls associated with e-records integrity;
- addressing e-records ownership and the responsibilities associated with such a role. A robust data governance approach will ensure that e-records are complete, consistent, and accurate, irrespective of the format in which e-records are generated, used or retained18.
Data governance measures by a contract giver19 may be significantly weakened by unreliable, falsified data or materials provided by outsourced activities. Initial and periodic audits outsourced activities should include consideration of DI risks and appropriate control measures20.
Before an integration, transformation, or migration project, the quality of records set must be known. More frequently during the e-records lifecycle, it must be ensured as well as the e-records quality.
Cleansing is a method to detect and correct corrupt or inaccurate/ inexact records from a recordset, table, or database and refers to identifying incomplete, incorrect, inaccurate, or irrelevant parts of the e-records and then replacing, modifying, or deleting the dirty or coarse data. The execution of data cleansing ensures that e-records are both correct and useful.
Damaged e-records may be considered an incident and investigated to prevent it from happening again.
When an e-record is discovered to be unreadable, the record can be restored from a true copy of the record. If a true copy is not available, look for a trustworthy backup copy of the record and restore it from the backup set.
If the e-records set being cleansed consists of CGMP-relevant erecords, then any changes and deletions must generate an audit trail. The reason for the modification must be documented as part of the e-record. Audit trails need to be available and convertible to a generally intelligible form and regularly reviewed20.
12-14 October 2022
Computerised System Validation: Maintaining Control of Operation - Live Online Training
In data engineering, the process of ensuring that data must go through cleansing is called data profiling. Profiling a record consists of describing the e-record content, consistency, and structure. Besides, it provides the effort needed for cleansing. Integration.
After the DaaS is deployed, the main and dangerous step is getting the extraction of the data out of a sensor or from another electronic system and loading it into the DaaS, the target system repository of e-records. Without standards and business processes the e-records across all source systems may not line up, but to resolve the situation the data elements of the e-records can be cleansed, transformed and, as applicable, integrated.
A key element in the integration of data is the confidence of the reliability of the e-records in the source systems.
When e-records must be shared by more than one functional activity, the standardization of e-records values is essential. Standardization of e-records value can be achieved during the e-records design. Two elements that can mitigate the integration-related vulnerability are:
- E-records profiling.
- Standardizing the format and attributes of the e-records for consistency across the regulated site/corporate. When e-records must be shared by more than one functional activity, the standardization of e-records values is essential.
As a function related to security, e-records integrity service maintains information exactly as it was inputted and is auditable to affirm its reliability.
The regulated user stores its e-records in the DaaS cloud and accesses that e-records through program interfaces. Data governance measures by a regulated user may be compromised by untrustworthy security service provided by the service provider.
A service level agreement (SLA) shall be in place between the regulated user with the service provider capturing the responsibilities of the service provider, including the e-records integrity service and the associated security.
The initial and the periodic audits to the service provider and the DaaS environment must comprise DI risks and appropriate control measures.
Mastery is the leveraging of e-records of all types to gain business insight, and then using this insight to increase revenue, decrease expenses or improve ease of doing business. It involves the use of data analytics, and big data environments to find business-relevant insights that inform better decisions for senior managers and throughout the enterprise.
Like the Capability Maturity Model in software engineering, mastery has maturity levels. Those regulated companies that have a state-of-the-art e-records management platform that leverages optimized workflows for all types of e-records are at the highest maturity level. These companies use e-records for a strategic advantage looking at hidden relationships of e-records, predictive analytics, knowledge management, and self-services.
The regulated user can start with a humble DaaS. Later, with great planning, and analytics and business intelligence DaaS may be implemented. The element of e-records quality and e-records mastery to be implemented in a humble DaaS are the same as an analytics and business intelligence DaaS, but with a complexity resulting in the incrementing the scope of the system.
To set up the processes and infrastructure to manage regulated erecords, a set of technical and procedural controls must be established to maintain the reliability of each e-records after the e-record is created. It is necessary to know where the e-record resides and understand the vulnerability of the e-record to implement the correct DI-related controls.
There are six areas to evaluate the vulnerability of the e-record: discovery, governance, cleansing, integration, security, and mastery. The assessment to each of these areas provides the required DI controls to keep reliable each e-record after recording.
Any mention of products or references to organizations is intended only to convey information; it does not imply recommendation or endorsement by Orlando López or the publisher, nor does it imply that the products mentioned are necessarily the best available for the purpose.
The opinions expressed in this article are strictly those of the author.
... is a seasoned professional with global experience in pharmaceutical and medical device e-compliance.
1 NIST, “Common Vulnerabilities and Exposures (CVE), What is a Vulnerability,” CVE Numbering Authority (CNA) Rules 7.1, February 2020
2 Electronic records - A collection of related data treated as a unit. (ISPE/PDA, “Good Practice and Compliance for Electronic Records and Signatures. Part 1 Good Electronic Records
Management (GERM)”. July 2002.)
3 E-records integrity – A property whereby data has not been altered in an unauthorized manner since it was created, during processing, transmitted, or stored. (NISP SP 800-57P1 Rev 5,
“Recommendation for Key Management, Part 1: General,” January 2016)
4 NISP SP 800-57P1 Rev 5, “Recommendation for Key Management, Part 1: General,” January 2016
5 In computing, data as a service, or DaaS, is enabled by software as a service. Like all "as a service" technology, DaaS builds on the concept that its data product can be provided to the
user on-demand, regardless of geographic or organizational separation between provider and consumer
6 Regulated user - The regulated Good Practice company, that is responsible for the operation of an electronic system and the applications, files and data held thereon. The company or
group responsible for the operation of a system. The GxP customer, or user organization, contracting a supplier to provide a product. In the context of this document it is, therefore, not
intended to apply only to individuals who use the system and is synonymous with ‘Customer’. (PIC/S PI 011-3)
7 A cloud service provider is a company that offers some components of cloud computing to other businesses or individuals.
8 Repository for e-records - A direct access device on which the electronic records and metadata are stored.
9 Data handling is the process of ensuring that data is created, stored, archived, or disposed of securely during the data lifecycle. (https://ori.hhs.gov/education/products/n_illinois_u/
10 López, O., “Best Practices Guide to Electronic Records Compliance,” CRC Press, Boca Raton, FL., 2017.
11 E-records management - The process of ensuring that data is stored, archived, or disposed of safely and securely during and after the decommissioning of the electronic system.
12 Computerised systems. In: The rules governing medicinal products in the European Union. Volume 4: Good manufacturing practice (GMP) guidelines: Annex 11 p3, June 2011.
13 EudraLex - Volume 4 - Good Manufacturing Practice (GMP) guidelines, Part I - Basic Requirements for Medicinal Products, Chapter 7 – Outsourced Activities, January 2013.
14 Critical e-records are e-records with high risk to product quality or patient safety. (ISPE GAMP COP Annex 11 – Interpretation, July/August 2011)
15 The arrangements to ensure that data, irrespective of the format in which they are generated, are recorded, processed, retained, and used to ensure the record throughout the data
lifecycle. (MHRA. (March 2018). ‘GxP’ Data Integrity Guidance and Definitions')
16 MHRA, “GxP Data Integrity Guidance and Definitions,” March 2018.
17 Data quality is considered the accurate, auditable, in conformance to requirement, complete, consistent, with integrity, provenance, and valid making data both correct and useful.
(FIPS, Publication 11-3, “American National Dictionary for Information Systems,” Windrowed, July 1979.)
18 Churchward, D., “Good Manufacturing Practice (GMP) data integrity a new look at an old topic,” Part 2 of 3 - MHRA Inspectorate, July 2015.
19 Contract giver is the regulated entity owner of the data being stored by the DaaS contractor.
20 Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments – PIC/S; PI041-1(draft 3); November 2018.