Determining cybersecurity risks as a result of the ongoing pandemic is necessary for pharmaceutical laboratories complying with lab data integrity practices. Pharmaceutical Technology spoke with Bob Voelkner, vice-president of Sales and Marketing at LabVantage Solutions; Matt Grulke, vice president of Research and Development, also at LabVantage Solutions; Dennis Curran, BIOVIA portfolio technical director at Dassault Systèmes; and Paul Smith, strategic compliance specialist, and Humera Khaja, software compliance program manager, both at Agilent Technologies, about the best practices for maintaining lab data integrity during the COVID-19 pandemic while combatting cybersecurity risks.
Precautions for security
PharmTech: What precautions need to be taken to protect lab data integrity and security during the pandemic?
Voelkner (LabVantage): As organizations deploy enterprise lab information management systems (LIMS) in their laboratories to digitize their operations, data integrity features and capabilities are vital in ensuring compliance. Documenting and protecting data maintained in online systems during the pandemic is a key solution to keeping the lab working and its data safe.
Grulke (LabVantage): Organizations also need to continue to elevate the importance and visibility of cybersecurity. Many organizations will deploy a comprehensive cybersecurity program that includes routine training of staff on common techniques, ongoing patching of systems to address known vulnerabilities, and the continued use of tools and frameworks to prevent, detect, and minimize cyber threats.
Curran (Dassault Systèmes): With many employees working remotely during the pandemic, biopharma organizations are under increased pressure to maintain the highest standards of data integrity, security, and quality. On the one hand, they are engaged in often multi-organizational, collaborative R&D initiatives to bring safe and efficacious therapeutics and vaccines to patients faster than ever. On the other hand, working remotely comes with many challenges related to accessing and sharing data securely. Increasingly, mobile teleworkers can inadvertently open the doors to bad actors who can access critical data and disrupt supply chains. As a result, organizations need to beef up their virtual private networks (VPNs) with robust system access logging. Who was in? When were they in and why? Were the activities approved, and by whom? Most importantly, organizations need to take precautions to ensure that project teams are sharing data securely. In this new, remote sharing ecosystem, is critical project data available to more people beyond just the involved project team?
Smith (Agilent): The pandemic resulted in all labs requiring the implementation of social distancing measures, as well as performing risk assessments associated with the potential impact and management of COVID-19 transmission within the lab. This constrained operations considerably, therefore, additional precautions were required to ensure that labs could continue, and to be compliant operationally with fewer lab personnel, and potentially reduced direct supervision.
Travel restrictions also limited external personnel such as service engineers from visiting labs to perform repairs, planned maintenance, and operational qualifications on analytical instruments. As a result, lab personnel may have had to perform these tasks while being remotely supervised, for example, via video link to the instrument manufacturer. With restricted service visits, it may have been necessary to utilize lab instruments outside of their scheduled maintenance or qualification tolerances, potentially impacting instrument performance and possibly data quality. Many non-essential lab staff, not able to enter their labs, were required to access lab systems remotely, which required closer attention to information technology (IT) infrastructure to ensure business continuity as well as data integrity.
Although all above mentioned actions were most likely supported by additional regulatory guidance and instructions related to the pandemic, labs may still have been exposed to unforeseen data integrity risks. To safeguard, it was essential that all deviations from standard working practices, and all controlled non-compliance with company policies, were well documented and subject to rigorous risk assessment to identify additional risks and implement additional safeguards to reduce the impact of these risks.
Areas of non-compliance
PharmTech: Since FDA has reduced inspections, what are you seeing as the top areas of non-compliance regarding lab data integrity during the pandemic?
Curran (Dassault Systèmes): To protect R&D data and avoid non-compliance with regulatory requirements during the pandemic, biopharma organizations need to pay close attention to lab procedures. Having procedures in place and following procedures can both be significant lab challenges in today’s new work environment. Organizations should assess standard operating procedures in the light of current working conditions to ensure that electronic reviews/approvals are properly structured and appropriate. This is especially important whenever paper-based organizations need to implement electronic workflows due to the pandemic. This can create a high-risk situation for regulatory violations by creating uncertainty around data.
Smith (Agilent): In response to the pandemic and travel restrictions, regulators issued communications confirming the halting of on-site inspections. This initially applied only to overseas inspections but was then extended to domestic on-site inspections due to potential risks to inspectors. This triggered a move to remote and office-based inspections using secure video links. One positive to this approach has been closer pre-audit sharing of data and information prior to the virtual audit. One not so positive consequence of remote audits was reduced capacity of the auditor to apply critical thinking skills to what they found during the ‘walk-through’ of the labs. The pandemic also drove regulators to be more reliant on risk-assessments associated with a lab’s historical regulatory footprint to prioritize virtual audits.
Voelkner (LabVantage): FDA has been transparent in documenting cases of data integrity problems. When labs come to us, they either want to avoid compliance-encountering issues or need to remediate known problems. The pandemic has amplified this need as labs accelerate their digital transformation plans.
PharmTech: What have been the greatest vulnerabilities that companies face regarding lab data integrity during the pandemic?
Khaja (Agilent): During the pandemic and ensuing lockdown, virtually all labs were forced to embrace remote working conditions. Vulnerabilities labs have faced during this time have been to the maintenance of data quality and data security, which are the essential subsets of data integrity. Organizations’ data governance programs have had to re-evaluate their IT security, data quality, and data management policies and procedures, to mitigate these vulnerabilities. Though regulatory audits were significantly reduced in 2020 due to the pandemic, regulators still expected that laboratories’ electronic data and computerized systems should remain compliant.
The pandemic also exposed that labs changed the way their employees accessed, viewed, and processed results, and other critical eRecords. Lack of trust in the results, or outputs of data analysis, could be of concern. If the data is to be considered trustworthy and of high-quality, it must adhere to the principles of data quality.
Voelkner (LabVantage): Dealing with fully online and digital processes as compared to paper or spreadsheets requires the lab to adapt to commercial solutions and the rigor that compliance requires. Without a purpose-built LIMS solution that meets the current and future compliance needs of the regulated laboratory, labs face higher risk of non-compliance of data integrity guidelines.
Curran (Dassault Systèmes): Increased electronic workflows and remote access during the pandemic gives malicious actors more opportunities to penetrate networks and compromise critical data, whether it is testing data for a batch of new vaccine or a Raw Material Certificate of Analysis documenting the material make-up of a product. With this in mind, biopharma organizations need to ensure that they are operating with robust VPNs and data backups. Biopharma organizations have already expanded their IT footprint to support home workers and hybrid workflows (e.g., lab staff onsite and supervisors, reviewers, and quality assurance [QA] offsite). They should continue to review their hardware, contingency plans, and any new, extended networks for vulnerabilities, especially if further shutdowns occur. In addition, organizations storing data in the cloud should ensure that their hosting company is following appropriate security protocols and that there is adequate redundancy built into the system. Finally, organizations should monitor their supply chains closely, as well as machines and equipment that generate data to ensure that the data is accurate and trustworthy.
About the author
Lauren Lavelle is the assistant editor for Pharmaceutical Technology.
Vol. 45, No. 3
When referring to this article, please cite it as L. Lavelle, “Pandemic Spurs Cybersecurity Risks in Laboratories,” Pharmaceutical Technology 45 (3) 2021.