I was recently talking to a customer about preparing drug submissions for approval by the US Food and Drug Administration (FDA). The process is governed by Title 21 CFR Part 11 of the Code of Federal Regulations that deals with guidelines on electronic records and signatures. Part 11 or 21CFR11, as it is sometimes called, defines criteria to determine if electronic records and signatures are trustworthy and reliable.
The customer’s concern was making sure that all internal information was protected from unauthorized access until it was time to submit the documents to the FDA. Keeping the information away from competitors during drug development and clinical trials is the most pressing issue. Earlier this year, Merck was the victim of an incident where a Chinese scientist stole the formula to some of its drugs. These drugs were already on the market, but the problem is the same.
A lot of the information used for FDA approval is in word processing documents and spreadsheets. Scientists and medical personnel develop information on proposed drugs and their uses. Development processes and formulas are defined and documented. Experiments are defined and conducted to verify the drugs’ efficacy and potential side effects. Clinical trials are conducted to understand how the drugs react in people and help improve the drug’s formula.
At any point in this process, someone could accidentally or deliberately leak information to a competitor or someone paid to steal this type of information. Pharmaceuticals are big business and having a leg up on the competition is a quick way to profits. A company could spend years and billions of dollars in R&D only to have the information stolen before coming to market. The scientist convicted in the Merck incident was stealing the information so his company could cut down on development costs.
Keeping documents secure during the drug development process is critical, since this is where information can leak or be stolen. CFR Part 11.30 defines controls for using open systems to create, modify, maintain, or transmit electronic records. The rules state that people using these systems “shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt.” These measures can include document encryption.
Controlling access to the information in these documents is critical to a drug manufacturer’s business. If sensitive information got into the wrong hands, a competitor could make a generic knock-off and completely undercut the market. By encrypting the documents with a persistent security policy as they are created, a drug company can ensure total control of its information. The policy can limit access to specific people and control if they can view, edit or print the documents. This even extends to tablets and smartphones, since a lot of companies are using mobile devices to collaborate. If an encrypted document got into the hands of a competitor, it would be useless, since the competitor needs explicit permission to read the information inside.
You could also have an unscrupulous researcher who wants to make an extra buck on the side. That person may be in league with an outsider to steal the information and sell it to the highest bidder. If that happens, the company could immediately revoke that person’s access to the document, effectively killing it.
Once a drug company is ready for regulatory submission, someone in charge of that process could decrypt the documents and submit them using the FDA Electronic Submissions Gateway (ESG). This is a secure method of sending electronic documents to the FDA and having them route to the appropriate group.
By using document encryption and showing an audit trail of document access, a drug company can meet the FDA Part 11 requirements to ensure a document’s authenticity and confidentiality. More importantly, the company can ensure its intellectual property is safe from anyone who might want to steal it.
Remember the computer programmer in Jurassic Park who tried to steal the dinosaur embryos? He had a little trouble getting off the island, but you can’t always count on some dinosaurs to save your company from IP theft.
Photo credit Images_of_Money