Demystifying FDA Compliance for Public Cloud Workloads in Life Sciences | Q&A

A key challenge life science companies face today is how to adopt cloud while ensuring security and compliance for FDA-regulated workloads.

On December 9, 2021, Alliance Partners Data Intensity and USDM Life Sciences hosted a live expert roundtable, DEMYSTIFY FDA COMPLIANCE FOR PUBLIC CLOUD WORKLOADS IN LIFE SCIENCES, to delineate best-practice approaches for industry attendees.

On hand for the informative discussion were Oracle ACE Director and Data Intensity Global Oracle Practice Lead Biju Thomas, Data Intensity Software License Solutions Vice President Paul Buckley, and USDM Life Sciences Cloud Assurance Vice President John Petrakis. With an overall solution perspective, Data Intensity Product Management Vice President Rich Froble moderated the conversation.

The expert panel addressed a series of key topics, including:

  • Regulatory and Economic Considerations
  • Workload Analysis and Designing for Public Cloud
  • Change Management and Speed-of-Business
  • Global Regulatory Compliance
  • Availability, Scalability, and Security

As the event concluded, a question-and-answer session produced the following additional responses, some of which were answered live, others subsequently.

Based on the status of the industry, should we evaluate GxP applications based on cloud options? In other words, should we even consider applications that cannot migrate to the cloud? We have some that may need to be upgraded, others that may need to be replaced, based on business needs. Whether or not they can operate safely and effectively in any cloud, including public cloud, seems to be an undeniable factor now. Is that fair to say?

John Petrakis answered this question live, just before the allotted time elapsed:

I would say yes, if you’re evaluating an application, it’s an opportunity to really assess not just from a compliance and security perspective, but from a cost perspective, there’s a balanced view. There are tremendous efficiencies that come with an application, a SaaS, that operates efficiently within the cloud and has a vendor that supports that set of technology.

Do the types of roadmaps, that’s the word I will use, that you’re discussing, these infrastructure assessments, allow me to better understand integration failure points, bandwidth errors, patching needs, even licensing lapses?

Biju Thomas offered a reply:

This question may have a three-part answer: workload analysis, license analysis, and cloud assurance. For workload analysis, the [Data Intensity] TCOT cloud readiness assessment will identify application/platform compatibility, upgrade opportunities — for application business functionality, and technical upgrade for vendor support. It will identify the patching needs and will help to document the integration and dependencies. The license analysis portion of the assessment gives you a complete picture of your effective license position (ELP). It shows you what you own, what you use. Are you using products that you are not entitled to or maybe not using a product that you licensed? It will give you a detailed picture of the quantities you are entitled to and need. The cloud assurance aspect is addressed by both Data Intensity and USDM Life Sciences. Data Intensity helps you identify the right cloud choices (we are leading partners of Oracle, Azure, AWS, yet cloud-agnostic) for your workload. USDM also assesses any regulated-workload components.

What about ongoing compliance management? Once an Oracle workload is migrated to the cloud, do you train or help customers there, too?

Paul Buckley responded:

This is part of our License Management as a Service offering. We help customers understand how to obtain and maintain compliance regardless of where their footprint lands and is used. As part of this we train customers in the basics of licensing in any environment and advise them of the compliance position, how to remediate and fix issues and also how to remain compliant with our assistance and service help.

Is there a prudent balance between meeting FDA security requirements and our own needs for improved data security? Is there a better balance in the cloud?

John Petrakis offered a reply:

Well, security is a little different than some of the other regulations because patient safety is usually not one of the main things at risk. The risk is mostly financial and reputation (an obvious exception would be the security on a medical device itself). So, that may shift a risk analysis once that differentiation is realized. And, if I were able to speak with the individual asking the question live, I’d like to ask what the difference is between FDA and their internal requirements, just to understand what issues are under consideration. But, the overall answer to the question is almost always going to be yes, the cloud is better. The “cloud” just means your computers/data are being managed by someone else. And the someone else in this question is almost certainly better at data security than you. You do clinical trials, research, manufacturing, whatever. They do data security. And we provide the data integrity part. You provide the data; we make sure the data you put in is correct and stays correct. The cloud vendor keeps it safe. In practical terms, the cloud vendor most likely has already implemented whatever features you, a life sciences company, are considering. So, it’s the cost of designing/testing/implementing/maintaining it yourself vs. never having to think about any of that (and being up and running much sooner).

For more about the Data Intensity and USDM Life Sciences Innovation partnership, read the partnership overview, TRANSFORMING OPERATIONS WITH CLOUD INNOVATION AND COMPLIANCE. Data Intensity assists life sciences companies with cloud and business transformation requirements by applying proven offerings that include its Safe-Switch Cloud Migration Methodology, Total Cost of Ownership Transformation Assessment, and both Professional and Managed Services.
