RIM IN THE CLOUD 10 FACTS YOU SHOULD KNOW

Transcription

1 RIM IN THE CLOUD 10 FACTS YOU SHOULD KNOW NOVEMBER 2015

2 REGULATORY INFORMATION MANAGEMENT (RIM) IN THE CLOUD: 10 FACTS YOU SHOULD KNOW HOW THE CLOUD CAN HELP CONQUER THE NEW REGULATORY LANDSCAPE Worried about meeting stringent security requirements and complying with complex regulations, some life sciences IT leaders have been hesitant to move to the cloud. They wonder whether cloud computing is secure enough to meet the needs of life sciences organizations, or whether it can meet tough regulatory requirements. Yet cloud computing offers the value and flexibility that can help life sciences enterprises speed up product development, simplify data exchange and ultimately produce better patient outcomes. Recent improvements in cloud technologies have led to more sophisticated services that feature enhanced security and a clear path to successful regulatory compliance. When deployed by a trusted, experienced provider, cloud-based solutions can provide the security and compliance that life sciences companies need while delivering enormous benefits, such as increased agility, better configurability and improved cost predictability. LIFE SCIENCES COMPANIES ENTER A NEW ERA Consumerization, the explosion of electronic health records and the rise of personalized medicine are quickly transforming the industry. As partnerships and acquisitions become more commonplace, life sciences companies now need to deal with greater complexities in how data is shared and integrated, both internally and externally. At the same time, the regulatory landscape is becoming more difficult to navigate, due to increased complexity and more stringent enforcement. Companies are expanding into emerging markets and working in a global ecosystem where they must respond to changing compliance requirements from regional health authorities. Life sciences companies need comprehensive compliance programs in place across all of their operations. Increased regulatory oversight means pharmaceuticals businesses must invest in maintaining accurate, detailed product data. They need clear, documented processes to provide regulators with assurances in areas such as computer system validation and infrastructure qualification. Companies should consider an Intelligent Regulatory Information Management (RIM) solution that uses a holistic approach going beyond regulatory systems to integrate disparate systems and processes in an enterprise. CLOUD ENTERS A NEW ERA Meanwhile, cloud computing is radically changing business ecosystems. Once little more than an industry buzzword, cloud computing is maturing into a standard solution used by organizations large and small. Industry researchers have said that in a few years, clouds will stop being called clouds and will simply become the new way IT is provisioned and the new way business is conducted. 2 RIM IN THE CLOUD

3 Leverage Cloud Regulatory Compliance Pricing Pressures Fully Managed IT Outsourcing of functions gives pharmaceutical companies the ability to focus on their core business Business Process Outsource Competition Global Teams Contract Clinical Trials Figure 1. Easing the Pressure Increased business and regulatory pressures compel companies to find new solutions, e.g., via outsourcing of functions. Key benefits of moving to the cloud include: Creates a more agile organization with more dynamic processes Speeds software development cycles Allows organizations to more quickly adapt to regulatory changes Reduces implementation and day-to-day management overhead Provides the ability to ramp up quickly in a controlled time frame Offers a wide array of options in areas such as disaster recovery and system monitoring Transforms the cost structure to a fully managed service chargeable on a monthly basis Improves transparency of costs by letting finance teams better understand cash flows TOP 10 THINGS TO CONSIDER WHEN MOVING REGULATORY SYSTEMS TO THE CLOUD From costs to compliance, a number of important considerations need to be weighed before moving to the cloud. Backed by decades of life sciences industry experience and extensive expertise in cloud deployments, CSC has developed this list of key factors to consider. 1. SECURITY Will my systems be safe in the cloud? Because life sciences organizations deal with health-related data that must be closely protected and kept private, a high premium is placed on security. In any discussion about moving to the cloud, security is typically one of the first concerns to emerge. 3 RIM IN THE CLOUD

4 CSC s Cloud Deployment Models The CSC Life Sciences in the Cloud offering provides a rich variety of options to match client workloads and applications with the appropriate cloud deployment model: CSC CloudCompute (Leveraged Public Cloud): Deploys leveraged resources in a highly secure, resilient environment with virtual segregation of clients and applications using SSL (Secure Sockets Layer) certification. Dedicated VPN and point-to-point connectivity are optional. CSC BizCloud VPE (Virtual Private Edition Cloud): Delivers compute and network and point-to-point connectivity dedicated to a single client and logically segregated storage, with an entire data store dedicated to a single client. CSC BizCloud (Private Cloud): Uses physically segregated resources deployed from the client s environment. All of CSC s cloud deployment models allow flexibility, scalability, global reach and future expansion. Along with these basic deployment models, CSC offers three availability and response-time SLAs: Silver, Gold and Platinum. Figure 2. CSC Global Cybersecurity s Many people mistakenly believe that the cloud is not a secure platform that other customers hosted in the cloud can cause security breaches, and that outside attacks are more common. This is not the case: The cloud has proven to be a highly secure computing environment. Many of the concerns about cloud security are specifically addressed in the CSC white paper, Debunking the Myths of Cloud Security. As detailed in the paper, it is a myth that customers of a multitenant cloud-based infrastructure can affect each other. Two customers sharing the same platform are protected by safeguards, including multiple firewalls, strict control of the management layer, and isolation of the virtual LAN (VLAN). Subscriber segregation in a cloud environment occurs at the virtualization or hypervisor layer. If regulatory requirements demand more resource segregation between subscribers, life sciences organizations can select a cloud provider that offers services using dedicated resources. When selecting a cloud vendor, companies should consider the vendor s ability to complete a security audit covering all aspects of the cloud, including its operation policies and certifications. Some of the security-related questions that should be asked are: How long has the cloud vendor been managing security on an enterprise level? How will the vendor mitigate risk? Does the vendor have third-party audits or security certifications? 2. COMPLIANCE How will validation and compliance be handled? Along with security, regulatory compliance is a primary area of importance to the life sciences industry. Life sciences organizations need a partner with technical know-how in RIM, deep knowledge of standards and regulatory processes on a global scale, and experience in providing end-to-end regulatory services using appropriate standards and processes. 4 RIM IN THE CLOUD

5 Technology decision makers also need to ask: Does the cloud vendor have processes in place to handle all compliance requirements? Because these processes are subject to rigorous audits, they need to be backed up by documentation that details the entire qualification and validation process. Another important consideration: A compliance system needs the flexibility to deal with the quickly changing regulatory landscape. When developing a quality management system (QMS), not only should the initial setup of systems be considered, but ongoing regulated changes also need to be accommodated making it critical to have in place a strong change-management process. Again, these capabilities need to be available on a global scale, due to the wide variances in standards and regulations across geographies. Other key questions for cloud vendors should include: What change management processes and procedures will be in place? Is standard operating procedure documentation provided for qualification and validation? Does the cloud vendor have independent audits conducted? Is an annual audit available to ensure that the processes are followed? With CSC s managed service, whenever a life sciences organization needs to change something, a team assesses whether that change needs to undergo a validation process; if so, it is handled and documented as part of CSC s service. Should an audit take place, the life sciences company would then be completely in compliance. 3. CLOUD MANAGED SERVICE Is it right for me? The central question is whether the solution is the right fit for the business. In many cases, it may be best to move to the cloud, thereby freeing specific functionalities such as an electronic document management system (EDMS) to free the IT team to work on more strategic projects. Enterprises can also benefit by moving from a CAPEX to an OPEX model. In the pay-as-you-go OPEX model, some projects proceed faster because gaining CAPEX sign-off becomes a thing of the past. Life sciences organizations may feel that there is not enough configurability in the cloud, as many cloud vendors offer Software as a products with a shared infrastructure that severely limits configurability. But there are cloud solutions that are configurable to organizations specific needs. Companies should seek a cloud service specifically designed for life sciences, managed end-to-end by a single vendor and providing maximum configurability. This approach allows companies to lease a great variety of life sciences software in conjunction with managing their IT. A provider that manages areas such as validation, security and infrastructure can allow the life sciences company to concentrate on running the business. In addition, companies should get their choice of cloud deployment models, ranging from a leveraged public cloud through a private cloud (see sidebar, CSC s Cloud Deployment Models ). 4. EXPERIENCE Is deep experience with cloud and life sciences important to me? There s no substitute for experience, and this is especially true when it comes to overseeing complex technology deployments. Life sciences enterprises need to select a cloud vendor that has not only broad experience in cloud deployments, but also experience specific to life sciences. 5 RIM IN THE CLOUD

6 For many industries, moving to the cloud is a straightforward decision that involves choosing the right deployment method for their needs. But organizations in the life sciences industry have the added requirement that their systems be fully compliant at all times. Not all cloud vendors understand this requirement or are able to achieve it. And not only does the solution need to be fully validated, but also ongoing changes to the system need to be assessed, to ensure that the initial validation is kept intact. While some of the leading cloud vendors provide end-to-end solutions, only a limited number of vendors are capable of providing every piece of the puzzle needed to successfully deploy a cloud solution, such as advanced security and storage. Thus, life sciences companies need to identify a cloud vendor that offers a combination of industry experience, technical expertise, extended IT infrastructure and a strong network of industry partnerships. 5. DISASTER RECOVERY How flexible are the disaster recovery options? Disaster recovery has drawn increased attention from government regulators that want companies to be as resilient as possible to quickly bounce back from disasters. Some pharmaceutical organizations, for example, could be managing R&D projects that are subject to data recovery provisions of the U.S. Health Insurance Portability and Accountability Act (HIPAA). Cloud-based disaster recovery solutions provide a host of secure options that give life sciences businesses the reliability and flexibility they are looking for while reaping the benefits of a cloud service. When protecting data, there are two primary disaster recovery options: Backup Ensuring that data is backed up regularly should be standard in any system. Data can be stored in secure data centers, or for added security, in secondary locations. Replication Replicating your solution as an ongoing process gives you the option of gaining access to systems faster and provides increased protection if replicated data is housed in a secondary data center located miles away from your production site. By using cloud computing, an IT infrastructure can easily replicate data from site to site. Life sciences companies should choose a cloud vendor that can offer a range of recovery point objective (RPO) and recovery time objective (RTO) options. Deciding on the right cloud disaster recovery solution is just the first step. Next, the IT organization needs to understand how the process will be run. This includes three key phases: replication, failover and failback. Replication and failover are, of course, standard to disaster recovery systems but what happens when you need to return to business as usual? Failback, and how this is managed, is equally important in selecting a cloud disaster recovery system. Organizations should ensure that an annual disaster recovery plan is part of the overall solution and that all three phases are tested regularly. 6. THIRD-PARTY SOFTWARE Can I host systems from other suppliers? It may be a requirement to host third-party solutions in the same environment. Life sciences organizations must make sure that the cloud vendor has the capabilities to deliver this option if it s important now or will be in the future. This ensures that key solutions can be located in the same data center, removing concerns over multiple cloud vendors or latency between solutions that require integration. 7. LICENSING Can I use my existing licenses? Life sciences companies moving to the cloud often have on-premises solutions they want to retain. In some cases, companies decide to transition to cloud computing so they won t have to replace older infrastructure and can gain the ability to offload day-to-day management of the systems. In this situation, businesses might think 6 RIM IN THE CLOUD

7 they have to forgo existing licenses and purchase a service based on a totally new software solution. Decision makers need to make sure that their cloud vendor provides the option of utilizing existing software licenses, thus reducing the overall solution cost. If the same product is being used in the cloud, it also means that the migration of data to the cloud will be much simpler. Again, this saves time and money. 8. INTEGRATION Can the new system connect to my EDMS? An EDMS is an effective and useful tool for storing content and collaborating, and offers many advantages over basic file shares. But should your EDMS systems be limited to on-premises applications? If your organization s answer to that question is no, then you should consider selecting a cloud vendor with the ability to offer integration between your EDMS and the hosted systems. This solution might involve establishing a VPN tunnel between your EDMS location and the cloud data center or providing a dedicated circuit for that tunnel. Logically, cloud data centers are located off premises, meaning that data needs to be transferred to and from the hosted systems. File shares of various sizes can be provided within cloud-based solutions to store content. When this takes place, managers need to ensure that key functionality and features are available, such as version control, document workflow, collaboration tools, commenting features and virtual documents. 9. DISENTANGLEMENT What happens if I want to move my system? One important issue that needs to be addressed by life sciences IT leaders when hiring a cloud vendor is determining what processes are in place if a disentanglement becomes necessary. As with any relationship, unanticipated situations may arise in which you would need to move your data or opt for an alternative solution. No matter what the reasons are for moving to the cloud or for selecting a specific vendor, it is always important to understand the exit strategy and how you would extract your data from a cloud vendor, if needed. Life sciences companies should ensure that cloud vendors are able to demonstrate the ease with which an organization can obtain its data, and also establish which entity is responsible for each process. For instance, as part of the Life Sciences in the Cloud agreement, CSC offers a Provisions of Disentanglement framework that defines the responsibilities and processes should a disentanglement be required. The creation of a disentanglement framework should be completed before entering into any agreement and should be included as part of the formal documentation. 10. DATA CENTER LOCATION Do I get a choice about where my system is based? Although the name cloud might imply that cloud-based information exists in some ethereal dimension, the data does of course exist in a specific physical location. For some life sciences entities, it may be important to be selective about the location of the data. For example, it might not be acceptable to have data hosted in just any off-premises location, as there may be a regulatory requirement for data to reside in the country of the organization itself. Not all suppliers can accommodate this requirement, so it s important to look for a cloud vendor that has a wide range of global cloud data centers and the right level of expertise and reliability at each one. Data centers should adhere to the appropriate standards and hold the required ISO accreditations, where required. 7 RIM IN THE CLOUD

8 CSC s Robust Solution Simplifies Regulated Content Compliance Life sciences organizations need a simplified, centralized system to comply with complex regulations and enable seamless communication with regulatory bodies or approvals can get delayed. Slow, cumbersome, legacy enterprise content management (ECM) systems are costly to maintain, and some older systems cannot accommodate mobile devices and tablets. A key part of CSC s powerful Total Regulatory Solution (TRS), FirstDoc the industry s leading document management and collaboration solution simplifies and speeds up compliance for companies worldwide. FirstDoc s managed delivery options let enterprises deploy the solution on premises from their own data center, or from a secure private cloud or a hybrid cloud as a fully managed pay-as-you-go service. Users then can access the system and share information through a Web-based interface via a desktop, smartphone or tablet. Backed by CSC s vast, global experience with regulatory submissions, FirstDoc contains the functionality required for highly regulated environments. FirstDoc s phased, modular approach minimizes risk when transforming services and can help life sciences companies bring ECM into the cloud. On-Premises or Hosting Data Center Data Sources Databases Flat Files Migration Joining CSC Legacy Unstructured s Data And more... SaaS Systems Other s Customer Customer HTTP, HTTPs, FTP TCP/IP Customer Leaving CSC WHY LIFE SCIENCES COMPANIES TRUST CSC TO MOVE THEM TO THE CLOUD Life sciences leaders seek cloud solutions from proven, experienced vendors with global capabilities. They want a cloud solution that not only has robust security and regulatory compliance capabilities, but is also configurable to a company s specific needs. CSC provides the industry experience, technical expertise and partnerships to help guide cloud and other technology deployments for life sciences companies, based on having helped to develop life sciences IT solutions for more than 20 years. CSC also has a dedicated quality assurance team with a depth of knowledge acquired from serving some of the largest companies in the industry. ììto learn more about CSC Life Sciences, visit csc.com/lifesciencescloud Figure 3. CSC s On-Boarding and Disentanglement Process Customer Provisions of Disentanglement Framework w/technical Options Virtual Machine (VM) Exports and/or Physical Hardware Data Migration (Docbase-to-Docbase) Data Migration (Docbase-to-Other) Data Dump Existing Client On-Premises or Successor Hosting Data Center CSC s TRS portfolio of offerings for content management, electronic publishing, registration tracking and document processing also includes Tracker, Publisher and Viewer, as well as ectdxpress, a market-leading application that streamlines the electronic Common Technical Documents process. Learn more about these tools: csc.com/trs 8 RIM IN THE CLOUD

9 Regional CSC Headquarters The Americas 3170 Fairview Park Drive Falls Church, Virginia United States Asia, Middle East, Africa Level 9, UE BizHub East 6 Changi Business Park Avenue 1 Singapore Republic of Singapore Australia 26 Talavera Road Macquarie Park, NSW 2113 Australia +61(2) Central and Eastern Europe Abraham-Lincoln-Park Wiesbaden Germany Nordic and Baltic Region Retortvej 8 DK-2500 Valby Denmark South and West Europe Immeuble Balzac 10 place des Vosges Paris la Défense Cedex France UK, Ireland and Netherlands Floor 4 One Pancras Square London N1C 4AG United Kingdom About CSC CSC is a global leader in next-generation IT services and solutions. The company s mission is to enable superior returns on our clients technology investments through best-in-class industry solutions, domain expertise and global scale. For more information, visit us at csc.com Computer Sciences Corporation. All rights reserved. MD_8260a-16 11/2015