Wednesday, November 28, 2012

MasterControl: A QMS to answer 21 CFR

Samuel Warren
IS472: IT Compliance
Professor Steve O’Brien
November 20, 2012

Executive Summary

Regulating and maintaining compliance in the biotechnology, pharmaceutical, and genetic engineering fields is quite a task. To maintain compliance with the FDA-required 21 CFR, many companies are turning to quality management systems to deal with compliance. The beauty of this is that they do not have to figure out how to comply with the regulations; they simply have to learn the proper way to interact with the software. MasterControl Inc. makes one such software; with its features and integration, the MasterControl suite of products is one of the most robust QMS platforms that has been created. If utilized correctly, it will enable companies to do more research and spend less time trying to maintain compliance.

Introduction

What is quality? Is it an end state? Is it a process? Quality is all of the above: an end state, a process, and even a descriptor. When discussing quality with individuals, a somewhat vague, generalized answer most often floats to the forefront. That answer oftentimes describes the characteristics of a product or service as “reliable” or “stable.” While both definitions are generally acceptable, defining quality can be much larger and involve a fair amount of compliance with regulatory demands. The benefits of the Quality Management System (QMS) described herein will be fully explained, along with the ways it contributes to the compliance requirements.

What is MasterControl?

MasterControl is a product suite created by MasterControl Inc. with the purpose of aiding quality management, with specific regard to FDA and other regulatory compliance issues. With a host of offerings, ranging from Quality Management to Training Management, it is meant to provide a managed answer to how to achieve and keep an organization in compliance with 21 CFR and other FDA-required compliance fields. According to MasterControl’s “Software Control Solutions Overview”:

“While market globalization has vastly increased the profit potential for manufacturers and other businesses, it has also intensified competition and the pressure to produce faster and at a lower cost. The situation is doubly challenging in a regulated environment (FDA, EMEA, etc.), where companies must contend not only with cutthroat competition, but also stringent regulatory requirements.” (2010, p. 1)

With such a highly competitive field and risky potential failures, it is imperative that organizations do everything they can to grease the skids and provide easier access to auditors and regulators, in order to avoid being considered either noncompliant or non-cooperative. The MasterControl suite provides governed and trusted software and systems to help ensure the organization faces the fewest possible technology problems; it also frees companies to engage in more research and discovery.

How to Optimize MasterControl

It is essential for all systems to be optimized, and a QMS is not exempt from that necessity. Without optimization, users are unable to utilize the system to its fullest potential. When approaching the optimization of MasterControl, there are several significant areas to contemplate.

One recommendation is to eliminate the muddled mix of digital and analog. Paying for the computer systems while also paying for paper, ink to print and copy, and maintenance on the devices is too costly for the company, and the cost grows with the size of the company. Another hidden cost is the time investment for audits or inspections:

“A routine GMP inspection typically lasts a week, but sometimes they can last up to five weeks. The investigator noted that within this context, an electronic record-keeping system could make all the difference in speeding up the inspection process.” (“Six,” 2010, p. 2)

While a week is not a long time for the auditor, the auditor may consume internal resources and, in some cases, may stop work altogether. The end cost could be much higher than anticipated if the inspection or audit lasts longer.

Another major way to optimize the QMS is to use different software and processes that connect together well. MasterControl provides a large suite of software, all of which is interconnected and fully digital:

“It has the ability to integrate with electronic repositories that are good for storing SOPs, engineering drawings, and other documents, but are incapable of controlling quality processes like training and CAPA. MasterControl allows companies to leverage their existing repositories by integrating them with robust MasterControl applications without expensive custom coding.” (“Six,” 2010, p. 3)

By having and maintaining connections to the electronic repositories, the MasterControl suite has a wider digital reach and reduces the potential disconnection points where people and outdated processes meet the system, thereby limiting the risk of system failure.

How Does MasterControl Enhance Compliance Efforts?

A major area in which MasterControl excels is aiding compliance efforts. In such tightly controlled fields, manually verifying compliance would be time consuming and potentially very expensive. By using a system like MasterControl’s suite, five areas are accounted for: “system standard operating procedures, user authentication, access security, audit trails, and record retention” (“5 Ways,” 2010, pp. 1-4). All of these areas are vital to maintaining a compliant lab, or business overall. The whitepaper written by MasterControl Inc. provides quite a bit of detail for each item. For example, for user authentication, it describes the following MasterControl software features:

“MasterControl has numerous levels of security to ensure authenticity of each user in the system. The software tracks every signature combination and does not allow duplication or reassignment of the user ID and signature combination. Each user establishes a signature password upon first log in. He or she first logs into MasterControl with a user ID and a password just to gain access. To sign off on any document, the user must use a different ‘approval’ password. All user IDs and passwords are encrypted and are not available to anyone in the system.” (“5 Ways,” 2010, p. 3)

The aforementioned security levels help to define and regulate how users interact with the QMS. They also provide a robust system control scheme enabling direct fulfillment of the 21 CFR regulations for that area. While MasterControl’s products have many more features, this particular area serves as a poignant reminder of just how much detail was actually placed into the MasterControl software.

References

5 Ways MasterControl helps ensure system compliance with 21 CFR Part 11. (2010). MasterControl Inc. Retrieved November 19, 2012, from http://www.mastercontrol.com/resource/index.html#wp

Six ways to optimize your quality management system and ensure FDA and ISO compliance. (2010). MasterControl Inc. Retrieved November 19, 2012, from http://www.mastercontrol.com/resource/index.html#wp

Software control solutions overview. (2010). MasterControl Inc. Retrieved November 19, 2012, from http://www.mastercontrol.com/resource/index.html#wp
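The user-authentication features quoted above (a login password separate from the approval password, no reuse or reassignment of a user ID, credentials never stored in the clear, and an audit trail) are the core of a 21 CFR Part 11 electronic-signature control. The following is an added illustration of that control written for this page; it is not MasterControl's code, and the class, method names and sample user are constructed for the example.

```python
"""Part 11-style e-signature flow, a constructed illustration (not MasterControl's
code): separate login and approval passwords, hashed credentials, chained audit trail."""
import hashlib
import hmac
import json
import os
from datetime import datetime, timezone


def _verifier(secret: str, salt: bytes) -> bytes:
    # Store a PBKDF2 verifier rather than anything recoverable to plaintext.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def _digest(entry: dict) -> str:
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


class SignatureSystem:
    def __init__(self) -> None:
        self.users = {}        # user_id -> salt plus login/approval verifiers
        self.audit_trail = []  # append-only entries, each chained to the previous hash

    def add_user(self, user_id: str, login_pw: str, approval_pw: str) -> None:
        # A user ID is bound to one person; it is never deleted or reassigned.
        if user_id in self.users:
            raise ValueError(f"user ID {user_id!r} exists; IDs are never reassigned")
        if login_pw == approval_pw:
            raise ValueError("approval password must differ from login password")
        salt = os.urandom(16)
        self.users[user_id] = {"salt": salt, "login": _verifier(login_pw, salt),
                               "approval": _verifier(approval_pw, salt)}
        self._record(user_id, "USER_CREATED", "")

    def _check(self, user_id: str, kind: str, secret: str) -> bool:
        u = self.users.get(user_id)
        return u is not None and hmac.compare_digest(u[kind], _verifier(secret, u["salt"]))

    def login(self, user_id: str, login_pw: str) -> bool:
        ok = self._check(user_id, "login", login_pw)
        self._record(user_id, "LOGIN_OK" if ok else "LOGIN_FAILED", "")
        return ok

    def sign(self, user_id: str, approval_pw: str, document: str, meaning: str) -> bool:
        # Signing re-authenticates with the approval password; the login one is rejected.
        ok = self._check(user_id, "approval", approval_pw)
        self._record(user_id, "SIGNED" if ok else "SIGN_REJECTED", f"{document}:{meaning}")
        return ok

    def _record(self, user_id: str, action: str, detail: str) -> None:
        prev = self.audit_trail[-1]["hash"] if self.audit_trail else ""
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "user": user_id,
                 "action": action, "detail": detail, "prev": prev}
        entry["hash"] = _digest(entry)
        self.audit_trail.append(entry)

    def verify_trail(self) -> bool:
        # Recompute the chain; an edited or removed entry breaks the links.
        prev = ""
        for e in self.audit_trail:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

Every successful and failed attempt lands in the trail, so an auditor can reconstruct who signed what, with which meaning, and whether the record was altered afterwards.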

Failure to Communicate Case Study Review

Samuel Warren
IS472: IT Compliance
Professor Steve O’Brien
November 26, 2012

Executive Summary

Almost every information security analyst is thought to be slightly paranoid, in part due to their willingness to see potential problems everywhere. While not all of them are actually paranoid, there is a clear need to understand and train staff on potential threats when it comes to information. Flayton Electronics, a fictional mid-sized company with a small web presence, discovered a major problem: a large number of its customers had compromised payment accounts. There is no easy or foolproof way to completely prevent data loss; however, communication and business continuity steps provide a way to keep any breach from getting too far out of hand.

Introduction

As long as data has existed, there has been communication, information transfer, and data fraud. How each is approached is vastly different, yet all share details requiring care and knowledge to navigate. Within the realm of data fraud, there are numerous required responses to be considered, not including the organizational response and reputation effects. The following review discusses the fictional company “Flayton’s Electronics,” the major data loss it faced, and its response to the situation.

Problem Overview: Flayton’s Electronics

Flayton’s CEO was informed of an alarming discovery by the company’s principal banking institution. The bank reported that a large number of Flayton’s customers had their cards compromised. Originally, it reported that 15% of a randomly sampled 10,000 compromised accounts had purchased at Flayton’s at one point or another. As they investigated further, they discovered two possible culprits and a disabled firewall. How the firewall stayed disabled was not a mystery: the Chief Information Officer (CIO) was constantly juggling new technology projects and seemed too busy with those to notice a downed firewall. That kind of innovation, while it yields results, also brings a level of risk from any oversight.

Another major problem the Flayton team had was whether and when to communicate the breach to its customers. At the time of the discussion, they were unsure how the breach occurred, whether it was a deliberate breach by former employees or a breach by hackers sitting in their car with a laptop near the headquarters. With such minimal information, a certain amount of time was necessary, but instead of being proactive and researching the breach themselves, the Flayton team seemed to be avoiding the issue and trying to find a way out without having to communicate and deal directly with the affected customers.

How to Handle the Situation

Innovation is a great tool to have in any organization. However, innovation with improper execution does far more damage than not innovating at all. A level of research is necessary prior to launching any technology project dealing with customer data, internal employee data, supply chain data, or any other confidential data. Conducting thorough investigations into all possible changes affecting the data, running business continuity exercises, and keeping consistent communication between the CIO and the different department heads will help ensure this type of problem is discovered and dealt with sooner rather than later.

“One common fallacy is that silver bullet technology can save the day. I've seen organizations spend hundreds of millions of dollars on security safeguards that were penetrated by a knowledgeable person with a handheld device. For example, Motorola proved to one of its customers, who had invested heavily in some of the best protection technology available, that we could access their core business systems using just a smartphone and the Internet.” (McNulty, 2007)

This fallacy was evident in the minds of the CEO and the CIO, as they believed being PCI compliant would protect them and prevent problems from happening. However, being PCI compliant is just a first step in a number of proper security practices that need to happen within any organization. Another major point that would help prevent this problem in the future is to have the information security team perform regular security audits of the technology and the processes in the organization to determine whether there are any potential threat vectors. While hacking by external attackers is still the number one threat, an article in CSO describes internal attackers as a close second (Carr, 2003). Keeping that in mind, there are many ways attackers could gain access to confidential information without actually being physically inside the internal network.

Above all possible hardware and software solutions, the key to this and other organizations’ problems is to hire, educate, and train staff to be knowledgeable of all the potential ways data can be acquired. Then, keeping staff and leadership validated by doing security and background checks can provide additional defense against disgruntled employees. Simple steps like changing passwords to the systems or removing access for separated employees can go a long way toward ensuring no separated employee can intrude and steal information.

References

Carr, K. (2003, August 3). Numbers: Internal threats vs. external threats. Retrieved November 27, 2012, from CSO Security and Risk website: http://www.csoonline.com/article/218405/numbers-internal-threats-vs.-external-threats

McNulty, E., Lee, J. E., Boni, B., Coghlan, J., & Foley, J. (2007). Boss, I think someone stole our customer data. Harvard Business Review, 85(9), 37-50.

Thursday, November 15, 2012

Comparing Nations: A look at health information privacy

Samuel Warren
IS472: IT Compliance
Professor Steve O’Brien
09-November-2012

Executive Summary

There are many factors to consider when discussing the parallels and variations between Canada and the United States of America with respect to healthcare. Electronic protected health information (ePHI) is the driving force behind the HITECH expansion of the US Health Insurance Portability and Accountability Act (HIPAA). Both countries’ laws discuss standards and penalties, and both intervene in the ecosystem of the healthcare industries they serve. The differences highlighted are mostly related to costs and the context in which each health care system operates.

Introduction

There is a recent trend toward making more and more information available to the owners of that information. Because of this, serious strides are being made toward protecting the information from falling into the wrong hands. The United States Government Department of Health and Human Services (HHS) passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996 with the goals of “making health care delivery more efficient and increasing the number of Americans with health insurance coverage” (National Academy of Sciences, 2009). After being passed into law, the creators of the bill allowed it to be put to public scrutiny in 1999. Because of the volume of comments in response to the bill, it went through several revisions (National Academy of Sciences, 2009). By way of comparison, the nation of Canada will be examined to discern the similarities and the differences.

Similarities

At heart, the two countries share many similarities from a privacy standpoint. They both desire to protect the personal health information they store and transmit. Both laws are also built with forethought toward electronic access. The “HITECH” portion of HIPAA provides incentives to move further into the realm of electronic records and expands the scope of HIPAA beyond the original legislation:

“The HITECH Act is transformational legislation that anticipates a massive expansion in the exchange of electronic protected health information (ePHI). The HITECH Act widens the scope of privacy and security protections available under HIPAA; increases potential legal liability for non-compliance; and provides more enforcement of HIPAA rules.” (Leyva & Leyva)

While the exchange of electronic information is already taking place in many health care providers’ offices, there is an additional need to be more forward thinking and aware of potential trends in data management within the scope of protected health information. Canada’s Health Information Protection Act (HIPA) has built in some terminology to assist in this change:

“In the event that a comprehensive electronic health record is created, The Health Information Protection Amendment Act ensures that patients will have the power to block access to their personal health information once that system is in place.” (Gooliaff Beaupre, 2009)

The idea of a data warehouse of ePHI controlled and secured by HIPA experts may be appealing, but the Ministry of Health also has its eye on keeping its customers happy. Another similarity between the two laws is the great pains each act takes to detail punishment for not meeting compliance. HIPAA violations, depending on the situation, can carry a punishment of up to 10 years imprisonment and a $250,000 USD fine. These acts are very similar across many areas; where they differ is what brings a certain amount of clarity around these two prominent health care systems.

Differences

One of the biggest differences noted is cost. While the US has some of the highest costs of any country, Canada’s problems with cost are equally problematic:

“All care is ‘free’ for insured services—those provided by physicians and hospitals. No premiums, deductibles or co-payments are imposed. (Other services such as dental care and prescription drugs must be paid for either through private insurance or out-of-pocket.) When no one is faced with any charge for services, demand is unrestrained and costs surge.” (O’Neill & O’Neill, 2007, p. 2)

The costs themselves are not directly related to HIPA’s equivalent of HITECH, but one must consider the staggering costs of Information Technology (IT). Whether it is software that is HIPA/HIPAA compliant, hardware that stores the ePHI, or networking equipment that transfers it, the costs go up for each of the companies in direct proportion to how compliant the healthcare provider has to be to prevent inadvertent data loss. Another major point to consider is the artificial demand created by the decreased cost of health insurance:

“In 1966, Canada implemented a single-payer health care system, which is also known as Medicare. Since then, as a country, Canadians have made a conscious decision to hold down costs. One of the ways they do that is by limiting supply, mostly for elective things, which can create wait times. Their outcomes are otherwise comparable to ours.” (Carroll, 2012)

This is significant in and of itself because of how frequently the system, especially its IT-related portions, is utilized. As a result, both the US and Canada’s systems are constantly in need of change. However, Canada’s IT infrastructure is much more difficult to keep expanding, because of the low cost and the driving need to help patients without additional undue waits caused by updating IT systems. If the costs were comparable, it is reasonable to assume the US would also have increased service times, lower cost, and similar demand for healthcare as its neighbor to the north. But would the costs allow ePHI to be considered? Will the costs associated with the necessary technology decrease at a reasonable pace? Time will tell, but for Canada, the way it spends its money should primarily focus on the protection of the ePHI and the infrastructure used to transport it.

References

Carroll, A. (2012, April 16). 5 myths about Canada’s health care system: The truth may surprise you about international health care. Retrieved November 9, 2012, from AARP website: http://www.aarp.org/politics-society/government-elections/info-03-2012/myths-canada-health-care.html

Gooliaff Beaupre, V. (2003, May 8). Confidentiality of health information better protected. Retrieved November 9, 2012, from the Government of Saskatchewan website: http://www.gov.sk.ca/news?newsId=79cc2a04-d0f5-4dc1-a145-e1bb5c067e17

Institute of Medicine (US) Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule; Nass, S. J., Levit, L. A., & Gostin, L. O. (Eds.). (2009). Beyond the HIPAA Privacy Rule: Enhancing privacy, improving health through research. Washington, DC: National Academies Press. Chapter 1, Introduction. Available from http://www.ncbi.nlm.nih.gov/books/NBK9576/

Leyva, C., & Leyva, D. (n.d.). HIPAA Survival Guide. Retrieved November 9, 2012, from HIPAA Survival Guide website: http://www.hipaasurvivalguide.com/

O'Neill, D. M., & O'Neill, J. E. (2007, September). Health status, health care and inequality: Canada vs. the U.S. [PDF]. Retrieved from http://www.nber.org/papers/w13429.pdf

Penalties under HIPAA. (n.d.). Retrieved November 9, 2012, from UC Davis Health System website: http://www.ucdmc.ucdavis.edu/compliance/guidance/privacy/penalties.html