The pharmaceutical industry is one of the main targets for cyber hackers and criminals, often facing cybersecurity issues stemming from breaches in the integrity of electronic systems, resulting in violations of stored code, operational data, or the execution state. Importantly, data integrity is foundational in the pharmaceutical quality system, playing a pivotal role in complying with FDA regulations (21 CFR parts 210, 211, and 212) and EMA regulations for Current Good Manufacturing Practice (cGMP). Consequently, thoroughly understanding the impact of cyber security on electronic and digital systems, including its potential impact on data integrity, is an additional risk to assess, control, mitigate, and review. Therefore, assessing and understanding the risk and implementing the corresponding controls are vital to enhancing data integrity, reinforcing public health safeguards, and ensuring regulatory compliance.
The principles of data integrity, represented by ALCOA+ (attributable, legible, contemporaneously recorded, original or a true copy, accurate, complete, consistent, enduring, and available), serve as guidelines in all aspects of data management. Moreover, both the FDA and EMA stress the vital role of management in fostering a culture focused on data integrity and ensuring compliance. Additionally, data integrity is controlled internally, with measures to safeguard against risks posed by employees, contractors, and other internal stakeholders. Conversely, cybersecurity focuses on external threats from hackers and unauthorized entities. Establishing adequate controls involves bridging the gap between these internal and external factors to ensure comprehensive protection for data integrity. Furthermore, employees play a crucial role by actively identifying, detecting, and promptly reporting potential threats or breaches, creating a cohesive defense mechanism that safeguards data from internal and external risks.
In the context of cybersecurity risks in the pharmaceutical industry, including phishing attacks and ransomware, data integrity emerges as a crucial element. Hence, upholding data integrity involves employee training, encryption, backups, and network segmentation—critical for preventing the loss or misuse of sensitive data and mitigating potential cyber threats.
Additionally, implementing robust network security measures, including firewalls, encryption, and intrusion detection systems, safeguards against unauthorized access to critical data. Regularly, cybersecurity audits ensure that security measures are up-to-date and effective in protecting against evolving cyber threats.
Additionally, QR codes and serialization are vital for enhancing traceability and authentication in the pharmaceutical industry, combating counterfeiting by assigning unique identifiers to each product. This ensures end-to-end tracking, preventing the circulation of counterfeit goods. However, QR codes facilitate efficient traceability, offering real-time information about a product's journey through the supply chain. Yet, cyber-attacks pose significant risks, including counterfeiting, data interception, phishing, malware injection, data breaches, supply chain vulnerabilities, and insufficient encryption. To address these risks, robust cybersecurity measures such as encryption, secure transmission protocols, and authentication mechanisms are crucial throughout the lifecycle of QR codes and serialization. Regular security assessments and updates are essential to counter emerging threats and maintain a secure system.
Collaborating with external manufacturing partners, such as Contract Manufacturing Organizations (CMOs), introduces additional challenges and considerations related to data integrity and cybersecurity. Establishing secure data-sharing protocols when working with these partners is crucial to safeguard sensitive information and uphold data integrity standards. Implementing robust cybersecurity measures and conducting regular audits and risk assessments become essential to mitigate potential threats and vulnerabilities associated with external manufacturing partnerships. These proactive measures ensure the security and integrity of shared data throughout the collaboration process.
The alignment between FDA and EMA requirements is evident in the controlled access to cGMP computer systems, emphasizing the crucial link between data integrity and cybersecurity. Rigorous control over blank forms, systematic reviews, and endorsements of production records are shared mandates, reflecting the systematic approach advocated by regulatory bodies. In cybersecurity, data integrity is pivotal for ensuring accurate and unmodified data throughout its lifecycle. Measures like data integrity checks, cryptographic hash functions, validation processes, and secure communication protocols strengthen overall security. Both regulatory authorities advocate a systematic approach to address data integrity issues, including comprehensive investigations, risk assessments, and management strategies to prevent and address breaches. The FDA and EMA mandate thorough investigations into any instances of data falsification or tampering, surpassing regulatory compliance to preserve patient safety, product quality, and data credibility.
Addressing these challenges relies on adhering to meticulously documented cGMP quality systems.
Regulatory bodies stress the vital role of a well-trained workforce, with personnel requiring comprehensive training to identify and prevent data integrity issues. Education, knowledge management, and experience are prerequisites for employees with critical responsibilities, and nowadays, training must also include understanding potential data risks associated with cyber-attacks. Programs must be intertwined to address them in parallel.
Data integrity is a cornerstone in the pharmaceutical manufacturing industry, underpinning its commitment to unwavering quality, safety, and effectiveness. Furthermore, regulatory bodies such as the FDA and EMA emphasize the management of cybersecurity risks post-market, with collaboration and guidance documents serving as crucial tools. Specifically, EMA underscores electronic data security by incorporating data integrity considerations into Good Distribution Practice and GMP Annex 11. Embedding data integrity and cybersecurity within the Quality Management System (QMS) is imperative for meeting the highest standards, ensuring compliance, and safeguarding public health. Additionally, prioritizing data integrity strengthens defenses against cyber threats and aligns with regulatory guidance, creating an inseparable link between a quality culture and cybersecurity. The program, akin to "Quality by Design," must span from design through execution, ensuring cGMP compliance across the product life cycle. Beyond pharmaceuticals, maintaining data integrity and cybersecurity is paramount across various industries, encompassing supply chain, QR code implementation, serialization processes, and external manufacturing collaborations. A holistic approach, integrating technological solutions, employee training, and periodic reviews and continuous monitoring, is essential to uphold operations' reliability, security, and efficiency.
FDA Guidance, Data Integrity and Compliance with Drug CGMP: Questions and Answers, December 2018
Annex 1 Manufacture of Sterile Medicinal Products, August 2022
About the Authors
Karla González- Bonilla, MS
Microbiologist with Master's in Molecular Biotechnology and extensive QA experience. Expertise in data integrity, change control, CAPA, lab control, equipment validation, deviation investigations, and SOPs. Harmonized standards to Annex-1 requirements. Strong background in DIRA, IQ/OQ/PQ, and QMS. Skilled in document management software.
Elizabeth Plaza, R. Ph
Boasts over 35 years in the bio-pharmaceutical field, starting as a PD Scientist and later leading consulting ventures since 1993, focusing on compliance, project management, technology transfer and validation. Overseen 3000+ resources, completed 10000+ projects, including 1000+ in tech transfer & validation life cycle management. Currently leads a Third Party Consultant firm qualified as set forth in 21 CFR 211.34 to help establishments in meeting cGMP requirements. Co-authored PDA Technical Report #60 on Process Validation.