A key challenge life sciences companies face today is how to adopt cloud while ensuring security and compliance for U.S. Food and Drug Administration (FDA)-regulated workloads.
In this expert roundtable you will hear best-practice approaches from alliance partners USDM Life Sciences and Data Intensity.
Learn how you can simplify processes, reduce risk, and accelerate outcomes with FDA-compliant data-driven workloads on the public cloud.
This discussion included:
- Regulatory and Economic Considerations
- Workload Analysis and Designing for Public Cloud
- Change Management and Speed-of-Business
- Global Regulatory Compliance
- Availability, Scalability, and Security
- Q&A (see below) with:
- Biju Thomas, Oracle ACE Director and Global Oracle Practice Lead, Data Intensity
- Paul Buckley, Vice President of Software License Solutions, Data Intensity
- John Petrakis, Vice President of Cloud Assurance Solutions, USDM Life Sciences
- Rich Froble (moderator), Vice President of Product Management, Data Intensity
Based on the status of the industry, should we evaluate GxP applications based on cloud options? In other words, should we even consider applications that cannot migrate to the cloud? We have some that may need to be upgraded, others that may need to be replaced, based on business needs. Whether or not they can operate safely and effectively in any cloud, including public cloud, seems to be an undeniable factor now. Is that fair to say?
(John Petrakis) Yes, if you’re evaluating an application, it’s an opportunity to assess it from a compliance and security perspective and a cost perspective so there’s a balanced view. There are tremendous efficiencies that come with a Software-as-a-Service (SaaS) application that operates efficiently within the cloud and has a vendor that supports that set of technology.
Do the type of roadmaps and infrastructure assessments that you’re discussing allow me to better understand integration failure points, bandwidth errors, patching needs, and licensing lapses?
(Biju Thomas) This question may have a three-part answer: workload analysis, license analysis, and cloud assurance. For workload analysis, the [Data Intensity] TCOT cloud readiness assessment will identify application/platform compatibility, upgrade opportunities for application business functionality, and technical upgrades for vendor support. It will identify the patching needs and will help to document the integration and dependencies.
The license analysis portion of the assessment gives you a complete picture of your effective license position (ELP). It shows you what you own and what you use. Are you using products that you are not entitled to, or maybe not using a product that you licensed? It will give you a detailed picture of the quantities you need and are entitled to.
The cloud assurance aspect is addressed by both Data Intensity and USDM Life Sciences. Data Intensity helps you identify the right cloud choices for your workload. We are leading partners of Oracle, Azure, and AWS, yet cloud-agnostic. USDM also assesses any regulated-workload components.
What about ongoing compliance management? Once an Oracle workload is migrated to the cloud, do you train or help customers there, too?
(Paul Buckley) This is part of our License Management as a Service offering. We help customers understand how to obtain and maintain compliance regardless of where their footprint lands and is used. We train customers in the basics of licensing in any environment and advise them of the compliance position, how to remediate and fix issues, and also how to remain compliant with our assistance and service help.
Is there a prudent balance between meeting U.S. Food and Drug Administration (FDA) security requirements and our own needs for improved data security? Is there a better balance in the cloud?
(John Petrakis) Security is a little different than some of the other regulations because patient safety is usually not one of the main things at risk. The risk is mostly financial and reputational. An obvious exception would be security on a medical device itself. That may shift a risk analysis once that differentiation is realized. I would ask what the difference is between FDA and the company’s internal requirements, just to understand what issues are under consideration.
Overall, the answer to this question is almost always going to be yes, the cloud is better. The “cloud” just means your computers and data are being managed by someone else who is almost certainly better at data security than you. You do clinical trials, research, manufacturing, etc., and they do data security. You provide the data and we provide the data integrity; we make sure the data you put in is correct and stays correct. The cloud vendor keeps it safe.
In practical terms, the cloud vendor most likely has already implemented whatever features your life sciences company is considering, so it’s the cost of designing, testing, implementing, and maintaining it yourself versus never having to think about any of that (and being up and running much sooner).