Disasters Over Past Years Underscore Need to Protect Critical Data
The high-profile natural and man-made disasters of the past few years, from 9/11 to Hurricane Katrina, have underscored the need for businesses of all sorts to protect their critical data.
Lisa Olson, principal consultant with SEC Associates, a computer validation and regulatory compliance consulting firm for pharmaceutical and biotech industries, said she sees a wide range in levels of disaster preparedness among her clients. “I see some with detailed plans, and others who say they can’t anticipate what kind of disaster could happen, so what’s the point of preparing? Most are in the middle — some organizations have a basic plan but haven’t done testing to see if it will work in practice,” she said. Unfortunately, she noted, the school of hard knocks is often the best teacher. “It’s sometimes hard to convince upper management of how big a problem [data recovery] can be if they haven’t experienced it.”
While data protection is vital for everyone, it is particularly critical for companies conducting clinical trials.
“Clinical studies run into the millions of dollars, so anything that means that you lose data or even a subset of the data is really expensive,” said Carolyn Walker, clinical data manager for Ondine Biopharma. “Typically, we do follow-ups after 12 weeks, so it ends up taking nine months just to collect the data. And then if you lose a hunk of the data, you have to go back to the agency to get approval to collect it again.”
Check Your Procedures
Walker emphasized the importance of checking backups to make sure they actually work. She said researchers should ask themselves, “When was the last time you backed up? Do you have a copy kept outside the office?”
Olson advises clients to take basic steps such as checking to see if their emergency contact numbers are correct and up to date. “Another thing I don’t typically see is [the ability to answer the questions], How are you going to verify your recovery? How do we know everything is there and we’re ready to go?”
To gain assurance on this point, disaster drills are a good idea, Olson suggested. In fact, one company she worked with had managers come in without warning on a given morning and announce, “We’ve had a fire in the computer room, the pipes have broken, or there’s been a hurricane or a big virus attack.” Those responsible for handling the situation had to show on the spot that they knew what to do.
On the other hand, Olson said, it’s important for management not just to assume the IT manager will handle everything in the event of an emergency. “People tend to rely on the tech person and just assume that ‘Bob will do it,’ so there’s not enough documentation. But what if Bob is affected by the disaster? IT sometimes has a problem convincing upper management of this.”
Geographical dispersion is another critical point, noted Walker, who works out of Ondine Biopharma’s offices in Redmond, Wash., a suburb of Seattle about three hours’ drive from corporate headquarters in Vancouver, B.C. Duplicating trial data and equipment helps assure continuity in case of disaster. “We have a room set up with a lock on it in Vancouver as backup in case of an earthquake in Seattle,” Walker said.
While that scenario has remained hypothetical, the company did lose one planned site for a dental study when New Orleans was inundated in the wake of Hurricane Katrina. “The dental school was underwater, but we had sites elsewhere so we could go ahead with the study and just shuffle the sites,” Walker said.
In such a large-scale disaster, the damage goes beyond direct losses to include clients and suppliers. “Even in a manufacturing environment, if they rely on a supplier for material it can affect their ability to ship product,” she said.
Moreover, Olson notes that many companies fail to think through all the implications of having to work from a different location. It’s not enough just to know there are plans to store tapes off site and use alternate servers. “They don’t see that if you have to operate off site, there are security issues. These are different depending on whether you own the facility or are working out of a third-party ‘hot site.’”
It’s also important to plan for the return from the emergency facility to the company’s regular location — since at that point the data transfer has to work in reverse, she said. — Martin Gidron