Common data Integrity points of failure: Inadequate Access Control
Exercising appropriate controls over computerized systems is crucial to assure the integrity of data in GMP environments.
As technology has become essential in the life science industry it has become equally critical to ensure the integrity of the data generated by it. Ensuring integrity begins with the fundamental step of preventing unauthorized access and protecting data from being compromised by unauthorized parties.
Why are companies still struggling to provide appropriate controls over critical computerized systems?
The FDA has issued warning letters in recent years to several companies alleging data integrity breaches related to access control deficiencies. According to the FDA, the violations showed clear limited data access security, due to inadequate training, lack of oversight and the reliance on legacy systems.[1]
A commonly encountered access control failure
Many of these companies cited by the FDA still used shared accounts to access sensitive systems. While shared accounts might simplify some processes, they pose security and accountability risks. The opportunity for fraudulent activities becomes tempting when it is impossible to track actions to a specific person.[2]
Other companies use a single login to access different systems, have weak password policies, and even neglect to use passwords for critical systems. The FDA has indeed uncovered breaches occurring at this level.[3]
“Our investigator observed… No password was required to sign into the Windows operating system, nor did the analytical software require any additional user log in”. stated the FDA in a warning letter issued in December 2022.[4]
Yet another concerning aspect lies in the failure to establish proper segregation of duties based on user role specifications. When this measure is overlooked, it leads to mismanagement of administrative rights and the unnecessary granting of access privileges to employees, providing unauthorized personnel access to edit/delete data.[5]
How to apply good practices to avoid access control failures: CFR 21 and ALCOA+
Upholding data reliability and cGMP compliance requires the implementation of robust access controls and data security measures, guided by various regulations and guidelines.
Technical access control stands as a pivotal element, entailing the utilization of unique login credentials (Username and password) for each user, both at the operating system and application layers. This measure ensures that only authorized personnel can access the cGMP computer systems and actions performed will be attributable to a specific individual (ALCOA+).[6] However, in cases where, establishing individually assigned accounts proves infeasible, especially with aging legacy systems, a comprehensive risk assessment must be conducted.[7] [8]However, regulatory authorities emphasize technical updates should be implemented to ensure compliance. Within the risk assessment it should be considered to replace the system with a new one that can fulfill current access control measures.[9] [10]
During the system’s design phase, it is essential to define password requirements, such as length, complexity, aging, expiry, and reuse policies[11] and detail them in the account concept for proper implementation. Further, the deployment of an auto logoff feature after a designated period of inactivity serves as a defense against unauthorized access to sensitive data during absences. Connection to a central domain controller should always be the goal. Central password administration is a relief for the users in the daily work process and the administration of the users for the individual devices and systems is much easier and less time-consuming.
Another critical aspect is strict segregation of duties and associating user access privileges based on employees’ responsibilities. The FDA recommends that system administrators be independent from users performing tasks and have no involvement or interest in the outcome of the data generated or available in the electronic system.
We must always follow a written procedure
This means having the process documented in sufficient detail to allow for reproducibility and ensuring that documented procedures are followed every time. This involves:
- Creating Standard Operating Procedures (SOPs) and guidelines that highlight the important points for access control, user management and associated training.
- Establishing and routinely reviewing user lists for each system, including user identification and roles.
- Introducing an account concept for each system to establish a robust framework for secure access control including password requirements.
Conclusion:
Achieving access control excellence involves a comprehensive approach rooted in sound principles. The CFR 21 and ALCOA+ frameworks serve as guiding lights in this journey, guiding organizations toward enhanced data reliability, compliance, and strengthened security measures. By following the best practices outlined above, we can navigate the complexities of access control with confidence, ensuring a secure digital landscape for critical operations.
For further insights into compliance or related topics, feel free to reach out to us. Leveraging decades of industry experience, the consultants at GxP-CC are well equipped to ensure seamless compliance.
[1] https://www.gxp-cc.com/insights/blog/common-di-points-of-failure-legacy-systems/
[2] https://www.fda.gov/inspections-compliance-enforcement-and-criminal-investigations/warning-letters/nortec-quimica-sa-639894-12082022
[3] https://www.fda.gov/media/167493/download
[4] https://www.fda.gov/inspections-compliance-enforcement-and-criminal-investigations/warning-letters/nortec-quimica-sa-639894-12082022
[5] https://www.fda.gov/inspections-compliance-enforcement-and-criminal-investigations/warning-letters/tismor-health-and-wellness-pty-limited-588104-12052019
[6] www.fda.gov/Drugs/GuidanceComplianceRegulatoryInformation/Guidances/default.htm. see §§ 211.101(d), 211.122, 211.186, 211.188(b)(11), and 212.50(c)(10) www.fda.gov/Drugs/GuidanceComplianceRegulatoryInformation/Guidances/default.htm
[7] https://www.fda.gov/inspections-compliance-enforcement-and-criminal-investigations/warning-letters/stason-pharmaceuticals-inc-604889-07082020
[8] https://picscheme.org/docview/4234
[9]https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/687246/MHRA_GxP_data_integrity_guide_March_edited_Final.pdf
[10] https://www.fda.gov/drugs/pharmaceutical-quality-resources/facts-about-current-good-manufacturing-practices-cgmps
[11] https://www.gxp-cc.com/insights/blog/password-expiration-has-run-its-course-in-the-life-science-industry/