21 CFR Part 11 is a major FDA regulation dealing with electronic records and electronic signatures that many people are unaware of. It requires that controls be implemented for electronic records so that they are as trustworthy as paper records. Part 11 aims to enable electronic drug applications and reduce paper use. It requires procedures for access control, audit trails, and checks that only authorized users can access systems and data. While originally intended to reduce costs, non-compliance can result in large fines.
21 CFR Part 11 – The Biggest Security Regulation You Never Heard Of
By Ben Rothke
brothke@thrupoint.net

While everyone has heard about giant companies such as Wal-Mart and General Motors, Fortune magazine occasionally runs articles about huge companies that most people don't know of. Similarly, in the information security space, many people have heard of regulations such as Common Criteria, ISO-17799 and HIPAA. Yet there is a huge regulation that many people know nothing of, namely 21 CFR Part 11.

What is 21 CFR Part 11?

Title 21 Part 11 of the U.S. Code of Federal Regulations (also known as 21 CFR Part 11 or simply Part 11) falls under the authority of the United States Food and Drug Administration (FDA). The FDA felt that the risks of falsification, misinterpretation and change without leaving evidence are higher with electronic records than with paper records, and therefore specific controls are required.

Part 11 deals with the conditions under which the FDA will accept electronic records and electronic signatures as equivalent to paper records and handwritten signatures, and electronic New Drug Application (NDA) submissions as equivalent to paper submissions. A Gartner report, Truth and Misconceptions: The Federal Electronic Records Statute 002, says Part 11 is "the most misunderstood regulation across the pharmaceutical industry and is the most comprehensive and broad-reaching FDA regulation today."

The FDA wants the bio-pharmaceutical industry to adopt the electronic medium for NDA submissions with the hope of greatly reducing the cost and time involved in compiling and submitting NDAs. Jacques Francoeur, CEO of TrustEra, notes "the FDA wanted to set a standard to which electronic submissions would be considered as demonstrably trustworthy to their paper counterparts. This makes Part 11 the first-in-industry trust regulation." Francoeur notes that the FDA uses the term trust and its variations (for example trustworthy) over 30 times in the Part 11 preamble, but unfortunately never defines what exactly trust is.

Part 11 builds on security towards trust in many other ways. For example, the clear intent of the regulation is to control the basis of repudiation. Part 11 states, "ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine."

The difference between security and trust is that security seeks to control rights and access in order to maintain the confidentiality and integrity of information, while trust seeks to control the basis of denial, ensure the accountability of individuals for their electronic acts, the creation and preservation of electronic forensic evidence, and the legal enforceability of electronic signatures and records. Trust is an aggregate characteristic of the system or process that is only as strong as the weakest link. Electronic trustworthiness is measurable and can be assessed and designed into e-processes.

Why was 21 CFR Part 11 Needed?

In the days of old, pharmaceutical companies would literally ship truckloads of data to the FDA. There clearly had to be a better, faster, cheaper and easier way to move this data. And indeed there was: via electronic networks. The quandary was how to take the paper system and move it to an electronic system with the same controls and safeguards. With that, Part 11 provides criteria under which the FDA will consider electronic records to be equivalent to paper records and electronic signatures equivalent to traditional handwritten signatures.

The pharmaceutical security community is a rather small one, and that explains why Part 11 has not gotten the same amount of exposure as other regulations. Technically, Part 11 is also voluntary in nature, in that a company can decide to make the NDA submission on paper. However, for information created and maintained electronically, that information must now comply with the requirements of Part 11. From a practical perspective, no serious pharmaceutical company is doing anything on paper anymore.

In the early 1990s, a number of pharmaceutical companies met with the FDA to determine how they could submit information in an electronic format. The outcome of this was 21 CFR Part 11, which became effective in August, 1997.

Way back in 1997, the FDA put on their thinking caps and tried to anticipate the effects of network technologies on the entire gamut of the pharmaceutical field, from drug discovery to testing and manufacturing. Part 11 then enabled electronic signatures and records to meet the stringent compliance requirements for the manufacturing and distribution of FDA-regulated products.

The intent of Part 11 was to reduce the generation of paper, since a clinical trial or the submission of a medical device for approval by the FDA can easily generate truckloads of paper. Moving that data from paper to bits and bytes is both cost effective and more efficient. But in the move to a digital format, the need for security and privacy was created. While Part 11's main requirement is about paper reduction, the key to making it work is all about security.

THE ISSA JOURNAL, March 2004, page 16

Part 11 has many security requirements, most of which fall under the requirement to implement procedures to control system access, prevent unauthorized modifications to electronic records, maintain audit trails, perform checks to ensure that only authorized individuals can access systems and data, and much more.

Those charged with Part 11 compliance must ensure that electronic records have the same degree of confidence as their paper counterparts. If that same degree of confidence can't be assured, then all of the functionality and security afforded by digital systems falls by the wayside.

Part 11 applies only to those regulated by the FDA. To date, Part 11 has been primarily used by the pharmaceutical, biotech and medical device sectors.

Part of the difficulty with Part 11 is that there is not a single way to interpret it. Each organization is free to interpret Part 11 in any way they see fit, albeit in a reasonable manner. The FDA has also not helped in this matter, as they have provided little practical guidance on how to interpret the regulation.

When Part 11 was made official in August, 1997, there was a short grace period for compliance. But since then, the FDA has become much more aggressive in their interpretation and enforcement of Part 11. In November of 1999, Abbott Laboratories entered into a consent decree with the FDA and agreed to a $100 million fine relating to Part 11 compliance. In 2002, Schering-Plough Corporation agreed to a similar consent decree and paid fines in excess of $500 million.

Conclusion

Organizations are facing complex requirements to comply with security and privacy standards and regulations, and it is simply a matter of time until much of cyberspace is regulated. For those in FDA-regulated companies, that time is now, and 21 CFR Part 11 is one of those regulations.

Part 11 resources:

• Official FDA 21 CFR Part 11 Web site: www.fda.gov/ora/compliance_ref/part11
• NuGenesis Technologies Corporation: www.21cfrpart11.com
• John Boettcher's Part 11 Web site: http://pw1.netcom.com/~jlboet/esiglinks.html
• Yahoo groups 21 CFR Part 11 mailing list: http://groups.yahoo.com/group/21cfrpart11/
• 21 CFR Part 11: Complete Guide to International Computer Validation Compliance for the Pharmaceutical Industry, Orlando Lopez, CRC Press, January 2004, ISBN: 084932243X
• Intro to Part 11: http://www.labcompliance.com/e-signatures/

Ben Rothke, CISSP, is a New York-based security consultant with ThruPoint, Inc. McGraw-Hill has just published his Computer Security: 20 Things Every Employee Should Know.