Secure Electronic Records With Proven Best Practices, Expert Advises
Given the technical, financial and regulatory hurdles of adopting erecord security programs, it is perhaps no surprise that many FDA regulated life sciences firms have been wary of moving aggressively into this area. But those doing so have enjoyed significant benefits, expert Ty Mew said at last month's FDA Information Management Summit sponsored by FDAnews.
"Many resisted [adding controls] at first, but they enjoy the updates once they are put in place, such as having erecord histories and using esignatures, said Mew, president of Ofni Systems. Once erecord systems are properly secured, more people in an organization have access to data and the "information becomes more of an asset," he added. For starters, esignatures can facilitate review and approval of records.
Key to developing a strong erecord program is understanding the FDA's requirements for accurate record generation and audit trails.
The FDA requires regulated firms to be able to generate accurate and complete copies of records in both a human readable and electronic form suitable for inspection, review and copying by the agency. That means one must have a means to print and export data to the FDA's specifications.
Mew advised using filters in printing and export. Common formats include PDF, SAS Transport, XML, Text Files and Excel.
Audit Trail Tips
Audit trails, which are one of the areas FDA inspectors tend to focus on, are the use of secure, computer-generated, time-stamped trails that independently record the date and time of operator entries and actions that create, modify, or delete erecords. While the FDA has said it intends to exercise "enforcement discretion" on its Part 11 audit trail requirements, the agency maintains "audit trails are particularly important where the users are expected to create, modify or delete regulated records during normal operation."
Some firms make the mistake of spending a lot of time and money trying to determine which records require audit trails and which do not, Mew said. Instead it is usually "just easier to add [audit trails to all records] rather than explain when and where you didn't," he said. Mew outlined several strategies for smart audit trail construction:
Include a field to indicate if a record has been "deleted" and filter for "non-deleted" records; Maintain mirror copies of tables and move deleted records to these tables; Store contents of audit trails of deleted records; and Make certain records that are cascade deleted are recorded properly.
Controlling access to one's erecord system is critical, Mew said. Input checks should be used to enforce data integrity. Best practices here include:
Implement input at the table, form or event level; Restrict entries to predefined lists. He suggested open/closed drop down lists; and Encourage users to enter previously entered values by use of combo boxes.
Validation rules are also an effective and simple way to restrict entry into data fields, Mew said. He advised using a system that also forces implementation at the table, form or event level. The system should also display a custom message that explains what is expected by the validation rule. For example, the message could say "Please enter a value between 0 and 14" if those are the hard parameters, he said. But Mew also warned not to be so aggressive here that you "preclean" data. For example, if one sets up a prompt that essentially tells a user the figure he or she is going to enter will mean problems for the project or trial, that could look to an FDA inspector like the firm is trying to skew results to avoid negative entries.
Password control is a challenging issue that many firms tend to downplay. FDA inspectors have cited firms for leaving passwords written on Post-It notes affixed to a computer terminal. Mew outlined two basic approaches:
Build a form that requires users to change their passwords on a periodic basis. This requires advanced programming skills but remains the safest way to make sure the passwords are changed or automatically expire; and Enforce procedures via standard operating procedures to manually update passwords. While this requires no programming skills it is labor-intensive, Mew said.
Erecord security systems should also include program timeouts, Mew suggested. The program should restrict access after a set period of inactivity. Form or global timers are both effective, Mew said, and will restrict access to records and require user re-authentication.
Esignatures can be used here as a means of re-authenticating users for critical steps in a process, confirming dialog boxes, alerts and alarms, and locking or freezing records and preventing unauthorized changes after a certain time. -- Michael Causey