21 CFR Part 11–The Biggest Security Regulation You Never Heard Of
By Ben Rothke
brothke@thrupoint.net
THE ISSA JOURNAL, March 2004

While everyone has heard about giant companies such as Wal-Mart and General Motors, Fortune magazine occasionally runs articles about huge companies that most people don’t know of. Similarly, in the information security space, many people have heard of regulations such as Common Criteria, ISO-17799 and HIPAA. Yet there is a huge regulation that many people know nothing of, namely 21 CFR Part 11.

What is 21 CFR Part 11?

Title 21 Part 11 of the U.S. Code of Federal Regulations (also known as 21 CFR Part 11 or simply Part 11) falls under the authority of the United States Food and Drug Administration (FDA). The FDA felt that the risks of falsification, misinterpretation and change without leaving evidence are higher with electronic records than with paper records, and therefore specific controls are required.

Part 11 deals with the conditions under which the FDA will accept electronic records and electronic signatures as equivalent to paper records and handwritten signatures, and electronic New Drug Application (NDA) submissions as equivalent to paper submissions. A Gartner report, Truth and Misconceptions: The Federal Electronic Records Statute 002, says Part 11 is “the most misunderstood regulation across the pharmaceutical industry and is the most comprehensive and broad-reaching FDA regulation today.”

The FDA wants the bio-pharmaceutical industry to adopt the electronic medium for NDA submissions with the hope of greatly reducing the cost and time involved in compiling and submitting NDAs. Jacques Francoeur, CEO of TrustEra, notes “the FDA wanted to set a standard to which electronic submissions would be considered as demonstrably trustworthy to their paper counterparts. This makes Part 11 the first-in-industry trust regulation.” Francoeur notes that the FDA uses the term trust and its variations (for example trustworthy) over 30 times in the Part 11 preamble, but unfortunately never defines what exactly trust is.

Part 11 builds on security towards trust in many other ways. For example, the clear intent of the regulation is to control the basis of repudiation. Part 11 states, “ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine.”

The difference between security and trust is that security seeks to control rights and access in order to maintain the confidentiality and integrity of information, while trust seeks to control the basis of denial, ensure the accountability of individuals for their electronic acts, the creation and preservation of electronic forensic evidence, and the legal enforceability of electronic signatures and records. Trust is an aggregate characteristic of the system or process that is only as strong as the weakest link. Electronic trustworthiness is measurable and can be assessed and designed into e-processes.

Why was 21 CFR Part 11 Needed?

In the days of old, pharmaceutical companies would literally ship truckloads of data to the FDA. There clearly had to be a better, faster, cheaper and easier way to move this data. And indeed there was—via electronic networks. The quandary was how to take the paper system and move it to an electronic system with the same controls and safeguards. With that, Part 11 provides criteria under which the FDA will consider electronic records to be equivalent to paper records and electronic signatures equivalent to traditional handwritten signatures.

The pharmaceutical security community is a rather small one, and that explains why Part 11 has not gotten the same amount of exposure as other regulations. Technically, Part 11 is also voluntary in nature in that a company can decide to make the NDA submission on paper. However, for information created and maintained electronically, that information must now comply with the requirements of Part 11. From a practical perspective, no serious pharmaceutical company is doing anything on paper anymore.

In the early 1990s, a number of pharmaceutical companies met with the FDA to determine how they could submit information in an electronic format. The outcome of this was 21 CFR Part 11, which became effective in August, 1997.

Way back in 1997, the FDA put on their thinking caps and tried to anticipate the effects of network technologies on the entire gamut of the pharmaceutical field, from drug discovery to testing and manufacturing. Part 11 then enabled electronic signatures and records to meet the stringent compliance requirements for the manufacturing and distribution of FDA-regulated products.

The intent of Part 11 was to reduce the generation of paper, since a clinical trial or submission of a medical device for approval by the FDA can easily generate truckloads of paper. Moving that data from paper to bits and bytes is both cost effective and more efficient. But in the move to a digital format, the need for security and privacy was created. While Part 11’s main requirement is about paper reduction, the key to making it work is all about security.

Part 11 has many security requirements, most of which fall into the requirement to implement procedures to control system access, prevent unauthorized modifications to electronic records, maintain audit trails, perform checks to ensure that only authorized individuals can access systems and data, and much more.

Those charged with Part 11 compliance must ensure that electronic records have the same degree of confidence as their paper counterparts. If that same degree of confidence can’t be assured, then all of the functionality and security afforded by digital systems falls by the wayside.

Part 11 applies only to those regulated by the FDA. To date, Part 11 has been primarily used by the pharmaceutical, biotech and medical device sectors.

Part of the difficulty with Part 11 is that there is not a single way to interpret it. Each organization is free to interpret Part 11 in any way they see fit, albeit in a reasonable manner. The FDA has also not helped in this matter, as they have provided little practical guidance on how to interpret the regulation.

When Part 11 was made official in August, 1997, there was a short grace period for compliance. But since then, the FDA has become much more aggressive in their interpretation and enforcement of Part 11. In November of 1999, Abbott Laboratories entered into a consent decree with the FDA and agreed to a $100 million fine relating to Part 11 compliance. In 2002, Schering-Plough Corporation agreed to a similar consent decree and paid fines in excess of $500 million.

Conclusion

Organizations are facing complex requirements to comply with security and privacy standards and regulations, and it is simply a matter of time until much of cyberspace is regulated. For those in FDA-regulated companies, that time is now, and 21 CFR Part 11 is one of those regulations.

Part 11 resources:

• Official FDA 21 CFR Part 11 Web site: www.fda.gov/ora/compliance_ref/part11
• NuGenesis Technologies Corporation: www.21cfrpart11.com
• John Boettcher’s Part 11 Web site: http://pw1.netcom.com/~jlboet/esiglinks.html
• Yahoo groups 21 CFR Part 11 mailing list: http://groups.yahoo.com/group/21cfrpart11/
• 21 CFR Part 11: Complete Guide to International Computer Validation Compliance for the Pharmaceutical Industry, Orlando Lopez, CRC Press, January 2004, ISBN: 084932243X
• Intro to Part 11: http://www.labcompliance.com/e-signatures/

Ben Rothke, CISSP, is a New York-based security consultant with ThruPoint, Inc. McGraw-Hill has just published his Computer Security: 20 Things Every Employee Should Know.
                                                                                                              THE ISSA JOURNAL x March 2004                   17

More Related Content

Viewers also liked

The Design and Control of Robotic Legs while Pedaling a Bicycle
The Design and Control of Robotic Legs while Pedaling a BicycleThe Design and Control of Robotic Legs while Pedaling a Bicycle
The Design and Control of Robotic Legs while Pedaling a Bicycle
dschwich21
 
Technology in music education
Technology in music educationTechnology in music education
Technology in music education
Gianina
 
smhcertificate GxP
smhcertificate GxPsmhcertificate GxP
smhcertificate GxP
Addie Bardin
 
Audio engineering alhambra ca pinnacle college
Audio engineering alhambra ca   pinnacle collegeAudio engineering alhambra ca   pinnacle college
Audio engineering alhambra ca pinnacle college
Bpm_2004150
 
iWork Technologies
iWork TechnologiesiWork Technologies
iWork Technologies
Atul Gunjal
 
(1 of 2) application for approval of the proposed change of control and ...
(1 of 2) application for approval of the proposed change of control and ...(1 of 2) application for approval of the proposed change of control and ...
(1 of 2) application for approval of the proposed change of control and ...
Honolulu Civil Beat
 
Cmmaao change-control-log-pmi-pmp
Cmmaao change-control-log-pmi-pmpCmmaao change-control-log-pmi-pmp
Cmmaao change-control-log-pmi-pmp
pmicmmaao
 
iwork - CIO Review
iwork - CIO Reviewiwork - CIO Review
iwork - CIO Review
Sanjeev Deo
 

Viewers also liked (13)

The Design and Control of Robotic Legs while Pedaling a Bicycle
The Design and Control of Robotic Legs while Pedaling a BicycleThe Design and Control of Robotic Legs while Pedaling a Bicycle
The Design and Control of Robotic Legs while Pedaling a Bicycle
 
iWork recovery
iWork recoveryiWork recovery
iWork recovery
 
iWork Theme #1: Photostream
iWork Theme #1: PhotostreamiWork Theme #1: Photostream
iWork Theme #1: Photostream
 
Technology in music education
Technology in music educationTechnology in music education
Technology in music education
 
Audio engineering timeline
Audio engineering timelineAudio engineering timeline
Audio engineering timeline
 
smhcertificate GxP
smhcertificate GxPsmhcertificate GxP
smhcertificate GxP
 
Audio engineering alhambra ca pinnacle college
Audio engineering alhambra ca   pinnacle collegeAudio engineering alhambra ca   pinnacle college
Audio engineering alhambra ca pinnacle college
 
iWork Technologies
iWork TechnologiesiWork Technologies
iWork Technologies
 
(1 of 2) application for approval of the proposed change of control and ...
(1 of 2) application for approval of the proposed change of control and ...(1 of 2) application for approval of the proposed change of control and ...
(1 of 2) application for approval of the proposed change of control and ...
 
Cmmaao change-control-log-pmi-pmp
Cmmaao change-control-log-pmi-pmpCmmaao change-control-log-pmi-pmp
Cmmaao change-control-log-pmi-pmp
 
Desempenho da Indústria Automobílistica Brasileira
Desempenho da Indústria Automobílistica Brasileira Desempenho da Indústria Automobílistica Brasileira
Desempenho da Indústria Automobílistica Brasileira
 
Bajkowska Method - Music Education Expo
Bajkowska Method - Music Education ExpoBajkowska Method - Music Education Expo
Bajkowska Method - Music Education Expo
 
iwork - CIO Review
iwork - CIO Reviewiwork - CIO Review
iwork - CIO Review
 

Similar to 21 CFR Part 11–The Biggest Security Regulation You Never Heard Of

WP_UL Compliance wth 21CFR Part_11
WP_UL Compliance wth 21CFR Part_11WP_UL Compliance wth 21CFR Part_11
WP_UL Compliance wth 21CFR Part_11
Jamie Corn, MBA
 
Interpretation of Part 11 by the GxP Predicate Rules
Interpretation of Part 11 by the GxP Predicate RulesInterpretation of Part 11 by the GxP Predicate Rules
Interpretation of Part 11 by the GxP Predicate Rules
Tony Steinberg
 
Understanding 21 cfr part 11
Understanding 21 cfr part 11Understanding 21 cfr part 11
Understanding 21 cfr part 11
complianceonline123
 
Insights Newsletter Fall 2010
Insights Newsletter Fall 2010Insights Newsletter Fall 2010
Insights Newsletter Fall 2010
mcarruthers
 

Similar to 21 CFR Part 11–The Biggest Security Regulation You Never Heard Of (20)

21 CFR Part 11 Challenges and Solutions - White Paper
21 CFR Part 11 Challenges and Solutions - White Paper21 CFR Part 11 Challenges and Solutions - White Paper
21 CFR Part 11 Challenges and Solutions - White Paper
 
Fda Pred Rules
Fda Pred RulesFda Pred Rules
Fda Pred Rules
 
21 cfr part 11 hplc
21 cfr part 11 hplc21 cfr part 11 hplc
21 cfr part 11 hplc
 
21 cfr part 11 hplc
21 cfr part 11 hplc21 cfr part 11 hplc
21 cfr part 11 hplc
 
Achieving 21 Code of Federal Regulations (CFR) Part11
Achieving 21 Code of Federal Regulations (CFR) Part11Achieving 21 Code of Federal Regulations (CFR) Part11
Achieving 21 Code of Federal Regulations (CFR) Part11
 
Clear cut line by line interpretation on 21 cfr part 11
Clear cut line by line interpretation on 21 cfr part 11Clear cut line by line interpretation on 21 cfr part 11
Clear cut line by line interpretation on 21 cfr part 11
 
21 CFR Part 11 Compliance
21 CFR Part 11 Compliance21 CFR Part 11 Compliance
21 CFR Part 11 Compliance
 
DI-GCP.pptx
DI-GCP.pptxDI-GCP.pptx
DI-GCP.pptx
 
WP_UL Compliance wth 21CFR Part_11
WP_UL Compliance wth 21CFR Part_11WP_UL Compliance wth 21CFR Part_11
WP_UL Compliance wth 21CFR Part_11
 
Interpretation of Part 11 by the GxP Predicate Rules
Interpretation of Part 11 by the GxP Predicate RulesInterpretation of Part 11 by the GxP Predicate Rules
Interpretation of Part 11 by the GxP Predicate Rules
 
21 CFR Part11_CSV Training_Katalyst HLS
21 CFR Part11_CSV Training_Katalyst HLS21 CFR Part11_CSV Training_Katalyst HLS
21 CFR Part11_CSV Training_Katalyst HLS
 
Title 21 cfr part 11
Title 21 cfr part 11Title 21 cfr part 11
Title 21 cfr part 11
 
CT, HI & VT - Oh My! What Do the Latest Privacy Regulations Mean to You?
CT, HI & VT - Oh My! What Do the Latest Privacy Regulations Mean to You?CT, HI & VT - Oh My! What Do the Latest Privacy Regulations Mean to You?
CT, HI & VT - Oh My! What Do the Latest Privacy Regulations Mean to You?
 
Electronic Signatures Under 21CFR§11
Electronic Signatures Under 21CFR§11Electronic Signatures Under 21CFR§11
Electronic Signatures Under 21CFR§11
 
Understanding 21 cfr part 11
Understanding 21 cfr part 11Understanding 21 cfr part 11
Understanding 21 cfr part 11
 
Decoding 21 CFR Part 11
Decoding 21 CFR Part 11Decoding 21 CFR Part 11
Decoding 21 CFR Part 11
 
The Types of 510(k) Submissions
The Types of 510(k) SubmissionsThe Types of 510(k) Submissions
The Types of 510(k) Submissions
 
Disaster Recovery and Business Continuity for Your Clinical and Safety Systems
Disaster Recovery and Business Continuity for Your Clinical and Safety SystemsDisaster Recovery and Business Continuity for Your Clinical and Safety Systems
Disaster Recovery and Business Continuity for Your Clinical and Safety Systems
 
Insights Newsletter Fall 2010
Insights Newsletter Fall 2010Insights Newsletter Fall 2010
Insights Newsletter Fall 2010
 
Shumaker Insights
Shumaker InsightsShumaker Insights
Shumaker Insights
 

More from Ben Rothke

Rothke effective data destruction practices
Rothke   effective data destruction practicesRothke   effective data destruction practices
Rothke effective data destruction practices
Ben Rothke
 

More from Ben Rothke (20)

Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeter
 
Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012  building a security operations center (soc)Rothke rsa 2012  building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)
 
Rothke rsa 2012 what happens in vegas goes on youtube using social networks...
Rothke rsa 2012   what happens in vegas goes on youtube using social networks...Rothke rsa 2012   what happens in vegas goes on youtube using social networks...
Rothke rsa 2012 what happens in vegas goes on youtube using social networks...
 
Rothke rsa 2013 - the five habits of highly secure organizations
Rothke   rsa 2013 - the five habits of highly secure organizationsRothke   rsa 2013 - the five habits of highly secure organizations
Rothke rsa 2013 - the five habits of highly secure organizations
 
Rothke rsa 2013 - deployment strategies for effective encryption
Rothke   rsa 2013 - deployment strategies for effective encryptionRothke   rsa 2013 - deployment strategies for effective encryption
Rothke rsa 2013 - deployment strategies for effective encryption
 
E5 rothke - deployment strategies for effective encryption
E5   rothke - deployment strategies for effective encryptionE5   rothke - deployment strategies for effective encryption
E5 rothke - deployment strategies for effective encryption
 
Locking down server and workstation operating systems
Locking down server and workstation operating systemsLocking down server and workstation operating systems
Locking down server and workstation operating systems
 
Mobile security blunders and what you can do about them
Mobile security blunders and what you can do about themMobile security blunders and what you can do about them
Mobile security blunders and what you can do about them
 
Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeter
 
Lessons from ligatt from national cyber security nationalcybersecurity com
Lessons from ligatt   from national cyber security nationalcybersecurity comLessons from ligatt   from national cyber security nationalcybersecurity com
Lessons from ligatt from national cyber security nationalcybersecurity com
 
Lessons from ligatt
Lessons from ligattLessons from ligatt
Lessons from ligatt
 
Interop 2011 las vegas - session se31 - rothke
Interop 2011   las vegas - session se31 - rothkeInterop 2011   las vegas - session se31 - rothke
Interop 2011 las vegas - session se31 - rothke
 
Infosecurity Needs Its T.J. Hooper
Infosecurity Needs Its T.J. HooperInfosecurity Needs Its T.J. Hooper
Infosecurity Needs Its T.J. Hooper
 
Rothke effective data destruction practices
Rothke   effective data destruction practicesRothke   effective data destruction practices
Rothke effective data destruction practices
 
Rothke computer forensics show 2010
Rothke   computer forensics show 2010Rothke   computer forensics show 2010
Rothke computer forensics show 2010
 
The Cloud is in the details webinar - Rothke
The Cloud is in the details webinar - RothkeThe Cloud is in the details webinar - Rothke
The Cloud is in the details webinar - Rothke
 
Webinar - Getting a handle on wireless security for PCI DSS Compliance
Webinar - Getting a handle on wireless security for PCI DSS ComplianceWebinar - Getting a handle on wireless security for PCI DSS Compliance
Webinar - Getting a handle on wireless security for PCI DSS Compliance
 
La nécessité de la dlp aujourd’hui un livre blanc clearswift
La nécessité de la dlp aujourd’hui   un livre blanc clearswiftLa nécessité de la dlp aujourd’hui   un livre blanc clearswift
La nécessité de la dlp aujourd’hui un livre blanc clearswift
 
The Need for DLP now - A Clearswift White Paper
The Need for DLP now - A Clearswift White PaperThe Need for DLP now - A Clearswift White Paper
The Need for DLP now - A Clearswift White Paper
 
Rothke secure360 building a security operations center (soc)
Rothke   secure360 building a security operations center (soc)Rothke   secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)
 

Recently uploaded

Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
Sheetaleventcompany
 
Insurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageInsurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usage
Matteo Carbone
 
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
amitlee9823
 
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service BangaloreCall Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
amitlee9823
 
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
dollysharma2066
 
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
daisycvs
 

Recently uploaded (20)

Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
 
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
 
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
 
Insurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageInsurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usage
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
 
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
 
Falcon Invoice Discounting platform in india
Falcon Invoice Discounting platform in indiaFalcon Invoice Discounting platform in india
Falcon Invoice Discounting platform in india
 
Uneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration PresentationUneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration Presentation
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023
 
Cracking the Cultural Competence Code.pptx
Cracking the Cultural Competence Code.pptxCracking the Cultural Competence Code.pptx
Cracking the Cultural Competence Code.pptx
 
How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityHow to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League City
 
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLMONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
 
Monthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptxMonthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptx
 
Phases of Negotiation .pptx
 Phases of Negotiation .pptx Phases of Negotiation .pptx
Phases of Negotiation .pptx
 
Ensure the security of your HCL environment by applying the Zero Trust princi...
Ensure the security of your HCL environment by applying the Zero Trust princi...Ensure the security of your HCL environment by applying the Zero Trust princi...
Ensure the security of your HCL environment by applying the Zero Trust princi...
 
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
 
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service BangaloreCall Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
 
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
 
Falcon's Invoice Discounting: Your Path to Prosperity
Falcon's Invoice Discounting: Your Path to ProsperityFalcon's Invoice Discounting: Your Path to Prosperity
Falcon's Invoice Discounting: Your Path to Prosperity
 
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
 

21 CFR Part 11–The Biggest Security Regulation You Never Heard Of

21 CFR Part 11: The Biggest Security Regulation You Never Heard Of
By Ben Rothke, brothke@thrupoint.net
The ISSA Journal, March 2004

While everyone has heard about giant companies such as Wal-Mart and General Motors, Fortune magazine occasionally runs articles about huge companies that most people don't know of. Similarly, in the information security space, many people have heard of regulations such as Common Criteria, ISO-17799 and HIPAA. Yet there is a huge regulation that many people know nothing of, namely 21 CFR Part 11.

What is 21 CFR Part 11?

Title 21 Part 11 of the U.S. Code of Federal Regulations (also known as 21 CFR Part 11 or simply Part 11) falls under the authority of the United States Food and Drug Administration (FDA). The FDA felt that the risks of falsification, misinterpretation and change without leaving evidence are higher with electronic records than with paper records, and that specific controls are therefore required. Part 11 deals with the conditions under which the FDA will accept electronic records and electronic signatures as equivalent to paper records and handwritten signatures, and electronic New Drug Application (NDA) submissions as equivalent to paper submissions. A Gartner report, Truth and Misconceptions: The Federal Electronic Records Statute 002, says Part 11 is "the most misunderstood regulation across the pharmaceutical industry and is the most comprehensive and broad-reaching FDA regulation today."

The FDA wants the bio-pharmaceutical industry to adopt the electronic medium for NDA submissions in the hope of greatly reducing the cost and time involved in compiling and submitting NDAs. Jacques Francoeur, CEO of TrustEra, notes "the FDA wanted to set a standard to which electronic submissions would be considered as demonstrably trustworthy to their paper counterparts. This makes Part 11 the first-in-industry trust regulation." Francoeur notes that the FDA uses the term trust and its variations (for example, trustworthy) over 30 times in the Part 11 preamble, but unfortunately never defines what exactly trust is.

Part 11 builds on security towards trust in many other ways. For example, the clear intent of the regulation is to control the basis of repudiation. Part 11 states that the controls must "ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine."

The difference between security and trust is that security seeks to control rights and access in order to maintain the confidentiality and integrity of information, while trust seeks to control the basis of denial, ensure the accountability of individuals for their electronic acts, the creation and preservation of electronic forensic evidence, and the legal enforceability of electronic signatures and records. Trust is an aggregate characteristic of the system or process, and it is only as strong as the weakest link. Electronic trustworthiness is measurable and can be assessed and designed into e-processes.

Why was 21 CFR Part 11 Needed?

In the days of old, pharmaceutical companies would literally ship truckloads of data to the FDA. There clearly had to be a better, faster, cheaper and easier way to move this data, and indeed there was: electronic networks. The quandary was how to take the paper system and move it to an electronic system with the same controls and safeguards. With that, Part 11 provides criteria under which the FDA will consider electronic records to be equivalent to paper records and electronic signatures equivalent to traditional handwritten signatures.

The pharmaceutical security community is a rather small one, and that explains why Part 11 has not gotten the same amount of exposure as other regulations. Technically, Part 11 is also voluntary in nature, in that a company can decide to make the NDA submission on paper. However, information created and maintained electronically must now comply with the requirements of Part 11. From a practical perspective, no serious pharmaceutical company is doing anything on paper anymore.

In the early 1990s, a number of pharmaceutical companies met with the FDA to determine how they could submit information in an electronic format. The outcome of this was 21 CFR Part 11, which became effective in August 1997.

Way back in 1997, the FDA put on their thinking caps and tried to anticipate the effects of network technologies on the entire gamut of the pharmaceutical field, from drug discovery to testing and manufacturing. Part 11 then enabled electronic signatures and records to meet the stringent compliance requirements for the manufacturing and distribution of FDA-regulated products.

The intent of Part 11 was to reduce the generation of paper, since a clinical trial or the submission of a medical device for FDA approval can easily generate truckloads of paper. Moving that data from paper to bits and bytes is both cost effective and more efficient. But the move to a digital format created the need for security and privacy. While Part 11's main requirement is about paper reduction, the key to making it work is all about security.
Part 11 has many security requirements, most of which fall under the requirement to implement procedures to control system access, prevent unauthorized modifications to electronic records, maintain audit trails, perform checks to ensure that only authorized individuals can access systems and data, and much more.

Those charged with Part 11 compliance must ensure that electronic records carry the same degree of confidence as their paper counterparts. If that same degree of confidence can't be assured, then all of the functionality and security afforded by digital systems falls by the wayside.

Part 11 applies only to those regulated by the FDA. To date, Part 11 has been primarily used by the pharmaceutical, biotech and medical device sectors.

Part of the difficulty with Part 11 is that there is not a single way to interpret it. Each organization is free to interpret Part 11 in any way it sees fit, albeit in a reasonable manner. The FDA has not helped in this matter, as it has provided little practical guidance on how to interpret the regulation.

When Part 11 was made official in August 1997, there was a short grace period for compliance. Since then, however, the FDA has become much more aggressive in its interpretation and enforcement of Part 11. In November 1999, Abbott Laboratories entered into a consent decree with the FDA and agreed to a $100 million fine relating to Part 11 compliance. In 2002, Schering-Plough Corporation agreed to a similar consent decree and paid fines in excess of $500 million.

Conclusion

Organizations are facing complex requirements to comply with security and privacy standards and regulations, and it is simply a matter of time until much of cyberspace is regulated. For those in FDA-regulated companies, that time is now, and 21 CFR Part 11 is one of those regulations.

Ben Rothke, CISSP, is a New York-based security consultant with ThruPoint, Inc. McGraw-Hill has just published his Computer Security: 20 Things Every Employee Should Know.

Part 11 resources:

• Official FDA 21 CFR Part 11 Web site: www.fda.gov/ora/compliance_ref/part11
• NuGenesis Technologies Corporation: www.21cfrpart11.com
• John Boettcher's Part 11 Web site: http://pw1.netcom.com/~jlboet/esiglinks.html
• Yahoo Groups 21 CFR Part 11 mailing list: http://groups.yahoo.com/group/21cfrpart11/
• Orlando Lopez, 21 CFR Part 11: Complete Guide to International Computer Validation Compliance for the Pharmaceutical Industry, CRC Press, January 2004, ISBN 084932243X
• Intro to Part 11: http://www.labcompliance.com/e-signatures/
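The article lists what Part 11 asks for (controlled system access, no unauthorized modification of records, audit trails, signatures the signer cannot readily repudiate) but, like the regulation itself, does not say how to build it. The following is an added example, written for this page and not taken from the article, the FDA or any vendor, of one way those controls fit together in a record system: enrolled users only, an append-only audit trail whose entries are SHA-256 hash-chained so that rewriting history is detectable, and an electronic signature that binds the signer's identity, the meaning of the signature and a hash of the record content. Everything in it is hypothetical: the user and record identifiers, the timestamps, and the use of a per-signer HMAC key, which stands in for whatever signature technology a real deployment would use (a per-signer asymmetric key would give stronger non-repudiation, since an HMAC key is shared with the verifier).

```python
"""Added illustration of Part 11-style controls; hypothetical design, not the
article's or the FDA's code. Uses only the Python standard library."""
import copy
import hashlib
import hmac
import json
from datetime import datetime, timezone


def _canonical(obj) -> bytes:
    # Deterministic serialisation so hashes and MACs are reproducible.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ElectronicRecordSystem:
    """signer_keys maps user id -> secret (assumed; a real system keeps these in an HSM/PKI)."""

    GENESIS = "0" * 64  # prev_hash of the first audit entry

    def __init__(self, signer_keys, clock=None):
        self._keys = {u: k.encode() for u, k in signer_keys.items()}
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())
        self.records = {}      # record_id -> current content
        self.signatures = {}   # record_id -> signature block
        self.audit_trail = []  # append-only; entries are hash-chained

    def _require_user(self, user):
        # Access control: only enrolled individuals may act on records.
        if user not in self._keys:
            raise PermissionError(f"{user!r} is not an authorised user")

    def _audit(self, user, action, record_id, old, new, reason):
        prev = self.audit_trail[-1]["entry_hash"] if self.audit_trail else self.GENESIS
        entry = {"seq": len(self.audit_trail), "timestamp": self._clock(), "user": user,
                 "action": action, "record_id": record_id,
                 "old_value": copy.deepcopy(old),   # prior value is kept, never overwritten
                 "new_value": copy.deepcopy(new), "reason": reason, "prev_hash": prev}
        entry["entry_hash"] = _sha256(_canonical(entry))
        self.audit_trail.append(entry)

    def create(self, user, record_id, content, reason):
        self._require_user(user)
        if record_id in self.records:
            raise ValueError("record exists; use update()")
        self.records[record_id] = copy.deepcopy(content)
        self._audit(user, "create", record_id, None, content, reason)

    def update(self, user, record_id, content, reason):
        self._require_user(user)
        old = self.records[record_id]
        self.records[record_id] = copy.deepcopy(content)
        self.signatures.pop(record_id, None)  # a changed record must be re-signed
        self._audit(user, "update", record_id, old, content, reason)

    def sign(self, user, record_id, meaning):
        # Signature binds signer, meaning (e.g. "Approved"), time and the content hash.
        self._require_user(user)
        block = {"record_id": record_id, "signer": user, "meaning": meaning,
                 "timestamp": self._clock(),
                 "content_hash": _sha256(_canonical(self.records[record_id]))}
        block["mac"] = hmac.new(self._keys[user], _canonical(block), hashlib.sha256).hexdigest()
        self.signatures[record_id] = block
        self._audit(user, "sign", record_id, None, meaning, "electronic signature")

    def verify_signature(self, record_id) -> bool:
        block = self.signatures.get(record_id)
        if block is None:
            return False
        if _sha256(_canonical(self.records[record_id])) != block["content_hash"]:
            return False  # record changed after it was signed
        unsigned = {k: v for k, v in block.items() if k != "mac"}
        expected = hmac.new(self._keys[block["signer"]], _canonical(unsigned), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, block["mac"])

    def verify_audit_trail(self) -> bool:
        prev = self.GENESIS
        for seq, entry in enumerate(self.audit_trail):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["seq"] != seq or body["prev_hash"] != prev:
                return False
            if _sha256(_canonical(body)) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def demo():
    """Constructed scenario: one lab result, edited, approved, then tampered with."""
    stamps = iter(f"2004-03-01T09:0{i}:00+00:00" for i in range(10))  # constructed timestamps
    s = ElectronicRecordSystem({"analyst": "secret-1", "qa_lead": "secret-2"}, clock=lambda: next(stamps))
    s.create("analyst", "LOT-42", {"assay": 98.7, "unit": "%"}, "initial result entry")
    s.update("analyst", "LOT-42", {"assay": 98.9, "unit": "%"}, "re-run after instrument calibration")
    s.sign("qa_lead", "LOT-42", "Approved")
    result = {"clean": (s.verify_signature("LOT-42"), s.verify_audit_trail())}
    s.records["LOT-42"]["assay"] = 99.9        # edit that bypasses update(): signature no longer matches
    result["record_tampered"] = (s.verify_signature("LOT-42"), s.verify_audit_trail())
    s.audit_trail[1]["reason"] = "routine"     # rewriting history breaks the hash chain
    result["trail_tampered"] = s.verify_audit_trail()
    try:
        s.update("intruder", "LOT-42", {"assay": 0}, "x")
        result["unauthorised_blocked"] = False
    except PermissionError:
        result["unauthorised_blocked"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

In the constructed scenario, the signed record verifies and the trail is intact; a direct edit to the record invalidates the signature while leaving the trail valid; editing an old audit entry breaks the chain; and an unenrolled user is refused. Note what the chain does not give you on its own: an attacker who can rewrite the whole trail can recompute every hash, so a production system would anchor the latest entry hash somewhere the record store cannot alter (a write-once log, a separate signing service, or periodic signed snapshots).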