This document provides an overview of common considerations for data integrity controls in healthcare and life sciences. It discusses key concepts like data integrity, applicable regulations, and risks to integrity. It also outlines 10 key data integrity controls and how AWS features and customer guidance can help address them, including risk-based design, access restrictions, audit trails, validation, and senior management responsibilities.

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Chris Whalley - AWS Medical Security Team Lead
Mitsuhiro YANO - Senior Planner, Information Solution , Sysmex Corporation
November 29, 2016
SAC314
Common Considerations for Data
Integrity Controls in Healthcare

2. What to expect from the session
 Overview of Data Integrity in Healthcare
 Applying Data Integrity in GxP Medical Systems
 Top 10 Data Integrity Controls

3. Protected health
information
HIPAA*
Human subject
research data
IRB
Controlled access
genomic data
dbGaP
Part 11 electronic
records and electronic
signatures
GxP
Personal health
records
FTC
AWS Healthcare Security Assurance Scope
Customer
Content
PRIVACY
IntegrityAvailability

4. RISKS CONTROLS FOCUS
PRIVACY /
CONFIDENTIALITY
Loss of privacy,
unauthorized access,
theft
Encryption,
authentication, access
controls
Information security
INTEGRITY
Data is no longer
reliable or accurate,
fraud
Maker/checker, quality
assurance, audit logs
Operational controls
AVAILABILITY
Work disruption,
inability to make data-
driven decisions, loss of
user confidence,
regulator penalties
BCP plans and tests,
backup storage,
capacity planning
Business continuity
planning

5. Data Integrity in Healthcare and Life Sciences
Human safety decisions
based on data require that
the data be trustworthy.
Attributable
Legible
Contemporaneous
Original
Accurate

6. Scientific Data
Applies to:
 Business Process
 Software Application
Examples:
 pH of chemical solution is 6.6
 Severe reactions from new
drug product was significantly
reduced compared to old drug
product (p<0.001)
Define: Data
Computer Data
Applies to:
 Virtualized Infrastructure
 Infrastructure Software Tools
 Physical Infrastructure
Examples:
 5 (decimal) = 101 (binary)
 1 KB = 1,024 bytes
 File object SHA1 checksum:
B0FADEC093EEC1F0DA5695
A5106B5E845CF8E2E9

7. Regulator View on Data Integrity
Data was not reviewed & evaluated by your
firm when making batch release decisions
 Regulators published
5 new data integrity
guidance documents
in last 12 months
 In 2015, 79% of FDA
warning letters
involving data integrity
were issued to
international firms

8. Data Integrity Bits on a disk>

9. Applying Data Integrity Principles
Controls for Humans:
 Training for System Users &
Developers
 Policies & Procedures for…
o IT Purchasing
o DevSecOps &
Computer Validation
o Data Monitoring & ReviewApp
Virtual Infrastructure
AWS Products
System Users
Healthcare Protocol
Data 

10. Applying Data Integrity Principles
Controls for Machines:
 I/O checks between machines
and services
 Logging data access, use, and
modification
 Access controls
 Top 10 coming after systems
App
Virtual Infrastructure
AWS Products
System Users
Healthcare Protocol
Data 

12. Corporate Philosophy
Shaping the advancement
of healthcare
systematical + medics + x

13. Who are we?

14. Where do we operate?
Diagnosis /
Treatment
Interview/
Palpation
Complete
Recovery
Image Scanning
Respiratory
function testing
Ultrasonography
In-Vivo
Diagnostics
Blood testing
Immunochemistry
testing
Clinical chemistry
testing
etc.
In-Vitro
Diagnostics
etc.
Clinical Testing
Patient
room
Test equipment operable at bedside
minimizes patient discomfort
Operatin
g
room
Compact test equipment ready for
emergency tests during surgery
Examination
room
Examination (interview) and
testing performed simultaneously
Rapid confirmation of doctor’s diagnosis
Laborator
y
High-quality and efficient testing
Comprehensive analysis of patient’s blood
and urine

15. Sysmex at a Glance
20
40
60
0
50
100
150
200
250
'00 '05 '10 '15
Net Sales
Operating Income
Net Income
Net Sales (million $) Profits (million $)
28th
15.7%
23.6%
27.0%
25.7%
7.9%
Japan
Americas
AP
EMEA
China
Sales by Region

16. Missions - Information Solution Dep.
IT Headquarters
IT Strategy
Development
System Operation
On-going Support

17. User Requirements for Infrastructure
Follow-the-sun
Support
SecurityAgility

18. To leverage Cloud
Security Guideline
Understanding
Cloud Service
Check Sheet
Security Policy

19. AWS Assessment
Market Leader Listen to UsersLarge Community

20. Quality Complaint Management Project

21. Considerations for Infrastructure
Global Network Required Availability
Long Term
Data storage

22. Project Schedule
OND 15 JFM 16 AMJ 16 JAS 16 OND 16
Validation
Sandbox DEV VER / PROD
Feasibility Decision
Hardware Era Virtualization Era Cloud Era
Protocol-driven
manual activities
Procedure-driven
manual activities
Code-driven
automated activities

23. White Paper
AWS Reliability Study

24. ISO
27001
7.3 Support your ISMS by making people aware of their responsibilities
8.1 Carry out operational planning and control processes
9.1 Monitoring, measurement, analysis and evaluation
9.3 Management Review
6.3 Performing Maintenance and Checking Management
(1) The Operation Manager should have persons in charge
conduct maintenance, and record and retain its results.
“AWS Reference”
6.5 Backup and Restore
The Operation Manager should have the designated persons
designated conduct the following activities in accordance
with the Operations Management Code, etc
(1) Backup (2) Restore (3) Document and retain records
ISO
9001
4.2 Documentation requirements
4.2.1 General
4.2.2 Quality manual9.3 Management Review
5.3 Quality Policy
SOC1/2 Check upon NDA with AWS

25. “AWS Reference”
Common Rules
Suppli
er
A Lifecycle Model of Computerized Systems - Appendix 1

26. On-going Operation Management
Highly-reliable operations
Game Change

27. System Architecture / Validation Target

28. System Architecture / Validation Target

29. System Architecture / Validation Target

30. Validation Activities - Recap
IQ EffortOperation PlanningProcurement
Automation Support NeededLeverage Third-party Certificate

31. docomo
Cloud Package
AWS
Environment
Set-up
Validation
Activities
Document
Support
Special Thanks to

32. Key Learning and To move forward
Infrastructure
Choice
Listen to UsersLarge Community
With the latest available resources Eco-system Development More GxP friendly functions

33. Shaping the advancement
of healthcare

34. 1. Use risk-based software design and testing
AWS features and controls Customer guidance
 AWS enables customers to retain
control of business process, data,
applications, and virtual
infrastructure
 AWS provides user-configurable
infrastructure software tools with
features to address a wide range of
data risks
 Use your risk assessment to
identify the impact of data integrity
risks to your product or service
 Use AWS documentation, support,
and partners to define the software
design and testing controls needed
to mitigate your risks

35. 2. Restrict data access
AWS features and controls Customer guidance
 AWS implements physical
infrastructure access controls that
are validated by third-party auditors
 Review AWS audit reports
 Implement physical access
controls to your assets & user
environment

36. 2. Restrict data access
AWS features and controls Customer guidance
 AWS provides data access control
features in infrastructure software
tools that are validated by third-
party auditors
 Implement your virtual
infrastructure access controls using
AWS features in IAM, Amazon
VPC, AWS Directory Service, and
other AWS products
 Implement your software access
controls using AWS SDKs
AWS Identity and
Access Management
AWS
SDKs
AWS Directory
Service
Amazon Virtual
Private Cloud (VPC)

37. 3. Restrict audit trail access
AWS features and controls Customer guidance
 AWS implements physical
infrastructure access controls that
are validated by third-party auditors
 Review AWS audit reports
 Implement physical access
controls for your on-premises
infrastructure and mobile devices
 AWS provides audit trail access
control features in infrastructure
software tools like AWS CloudTrail
that are validated by third-party
auditors
 Review AWS audit reports
 Implement your virtual
infrastructure audit trail access
controls using AWS features in
IAM, VPC, Directory Service, and
other AWS products
 Implement your software audit trail
controls using AWS SDKs

38. 4. Record data contemporaneously
AWS features and controls Customer guidance
 AWS provides time-stamped audit trail control
features in infrastructure software tools
 Enable virtual infrastructure audit
trail features in AWS products like
CloudTrail, CloudWatch, and Config
 AWS provides time zone control features in
infrastructure software tools
 Configure virtual infrastructure time
zone control features in AWS
products like RDS, EC2, and others
 AWS provides SDKs
 Implement software time-stamped
audit trails
 Synchronize software time-stamped
audit trails across time zones
 Ensure that software logic commits
data to storage at time of activity

39. 5. Control blank paper forms
AWS features and controls Customer guidance
 AWS provides flexible, low-cost infrastructure
software tools and SDKs that enable rapid
development and testing of highly secure
software
 Replace paper forms with secure
electronic data capture software

40. 6. Periodically review a sample of audit
trails, data, and metadata
AWS features and controls Customer guidance
 AWS provides infrastructure
software tools like AWS Lambda
and Amazon SNS that enable
customers to build continuous
monitoring solutions
 Define validation rules (functions)
and triggers (events) for data
 Define notification groups for failed
validations
 Implement validation functions,
events, and notification rules in
AWS products
 AWS Marketplace partners can
provide out-of-the-box solutions for
continuous monitoring of audit
trails, data, and metadata
 Find and try partner solutions in the
AWS Marketplace

41. 7. Retention of full audit trails
AWS features and controls Customer guidance
 AWS provides infrastructure software tools
like CloudTrail and CloudWatch that produce
virtual infrastructure audit trails in a fully
portable format
 Review and revise record retention
schedule
 Configure CloudWatch and
CloudTrail
 Retain virtual infrastructure audit
trails wherever you want for as
long as you want
 AWS provides infrastructure software tools
like Amazon S3 and Amazon Glacier for
storage and retention of audit trails
 Configure and use storage tools for
virtual infrastructure and software
audit trails

42. 8. Validate regulated software applications
AWS features and controls Customer guidance
 AWS certifies our infrastructure software tools
to commercial-off-the-shelf (COTS) product
standards
 Review AWS audit reports for ISO,
SOC, and NIST
 AWS provides features to create and enforce
“gold standard” virtualized infrastructure
resources
 Configure AWS features like EC2
AMIs and CloudFormation
Templates
 AWS provides features to automate creation
and error reporting of infrastructure resources
 Review and revise your
infrastructure qualification SOPs
 Configure AWS features like
CloudTrail
 AWS enables customers to retain control of
application SDLC
 Follow your existing software
validation process

43. 9. Senior management is responsible for
implementing data governance
AWS features and controls Customer guidance
 AWS Partner Network and AWS Professional
Services provide consultations for data
governance and cloud adoption strategies
 Seek advice for your cloud
adoption plan
 AWS provides industry-specific case studies
and customer workshops
 Review case studies and attend
workshops with others in your
industry
 AWS offers online documentation, self-paced
training labs, in-person classes, and user
certification programs
 Provide your team with
opportunities to develop their cloud
competencies

44. 10. Senior management should encourage
an open culture for reporting errors
AWS features and controls Customer guidance
 AWS provides information and training
resources about DevOps and DevSecOps
methodologies that encourage continuous
improvement
 Review our DevOps and
DevSecOps resources
 AWS operates an open culture for reporting
errors and continuous improvement
 Ask us how AWS teams work
together and use the Amazon
leadership principles to encourage
open culture for reporting errors

45. Thank you!

46. Remember to complete
your evaluations!

47. Related sessions