Electronic Records and Signatures: Warning Letters and Observations including proposed solutions.


Warning Letters and 483 Observations (Red = Warning Letter)

1. Ansell International (6/8/98)
2. Cypress Bioscience (6/7/99)
3. Fairbanks Memorial Hospital (4/28/99)
4. Gensia Sicor (7/21/99) X
5. Glenwood (5/20/99)
6. Hydro Med Sciences (2/12/99)
7. Johnson Matthey (3/7/00) X
8. Linweld (8/2/99) X
9. Purepac (11/26/97)
10. Schein (3/2/00) X
11. Synthes (10/15/99)
12. Willis Eye Associates (7/7/98)
13. Ganes Chemicals (12/22/99)
14. Associated Regional University Pathologists (3/18/99)

Recent Problems Observed in FDA Inspections (Goldsheet, October 2000): classification of 36 FDA observations from 14 Warning Letters and 483 observations. [Chart; categories: Procedures, Authorisation, System, Audit Trail Issues, Backup, Password, Change Control, Data handling.]

Findings and Proposed Corrective Actions 1/12

Data edit rights available to all users
– Restrict user authorizations to the necessary. Protect files wherever possible.

Functions that "modify" or "delete" whole or partial data files available to all analysts
– Restrict authorizations of the people who can delete and modify.

All QC network users can edit permissions for fields, commands, and system menu functions; analysts can submit edited data. All users can delete data, modify files, and overwrite raw data
– Restrict authorizations.

Findings and Proposed Corrective Actions 2/12

Original reports sent via e-mail differed significantly from the QA Manager's official reports
– Do not send reports by e-mail without a checksum or hash.

No evidence of the system's ability to discern invalid or altered records
– Evaluate the use of checksums or other protection tools.

Inadequate HPLC controls; analysts can delete results
– Check all lab equipment to ensure there are no "Delete" functions.
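The checksum-or-hash recommendation above, as an added example that is not part of the original presentation: a SHA-256 manifest of the report files, optionally keyed as an HMAC with a key held by QA, which flags reports that were altered or went missing between sender and receiver. The report names, contents and key are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample reports, standing in for the analyst's files that were
# e-mailed to QA. Names and values are made up for the example.
REPORTS = {
    "batch_1234_assay.txt": b"Batch 1234 assay: 97.2% (spec 98.0-102.0%) OOS\n",
    "batch_1234_impurities.txt": b"Batch 1234 impurities: 0.08% (limit 0.10%) PASS\n",
}

def digest(data, key=None):
    """SHA-256 of a report, or HMAC-SHA-256 when a shared key is given.
    A plain hash only helps if the manifest travels separately from the
    reports (otherwise the editor recomputes it); with a key that only QA
    holds, the manifest can travel in the same mail."""
    if key is None:
        return hashlib.sha256(data).hexdigest()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def build_manifest(reports, key=None):
    """JSON manifest of report name -> digest, produced on the sending side."""
    return json.dumps({name: digest(data, key) for name, data in sorted(reports.items())})

def verify_manifest(reports, manifest_json, key=None):
    """Return {report name: 'ok' | 'altered' | 'missing'} for the received set.
    Anything other than 'ok' means the copy must not be treated as original."""
    expected = json.loads(manifest_json)
    result = {}
    for name, want in expected.items():
        if name not in reports:
            result[name] = "missing"
        elif not hmac.compare_digest(digest(reports[name], key), want):
            result[name] = "altered"
        else:
            result[name] = "ok"
    return result

if __name__ == "__main__":
    qa_key = b"constructed-shared-key"      # in practice managed by QA, not kept in code
    manifest = build_manifest(REPORTS, qa_key)
    received = dict(REPORTS)                # simulate a copy edited in transit
    received["batch_1234_assay.txt"] = received["batch_1234_assay.txt"].replace(b"97.2%", b"99.2%")
    for name, status in verify_manifest(received, manifest, qa_key).items():
        print(name, status)                 # the assay report is reported as altered
```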

Findings and Proposed Corrective Actions 3/12

Software does not secure data from alterations, loss, or erasure
– Have a backup procedure in place. Evaluate new software.

No written procedures for use of passwords, access levels, or data backup
– Check whether procedures are available.

User ID and password publicly posted for other employees' use
– Keep passwords secret; no group passwords.

Findings and Proposed Corrective Actions 4/12

Employees terminated years earlier still had access privileges
– Check the list of authorized personnel and have a procedure in place so that system administration is notified about changes in personnel.

No security procedures for lab computer systems; no security access levels established
– Have different, appropriate access levels defined in procedures and implemented in the lab.

No data file backup procedures
– Check the backup procedure.
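The authorization checks from slides 1/12 and 4/12 (everyone can delete; leavers keep their accounts), as an added example that is not part of the original presentation: a periodic access review that compares the accounts on a lab data system with the current staff list and the rights each role is allowed. The staff list, roles and accounts are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    rights: frozenset    # rights actually held on the lab data system

# Constructed sample data. CURRENT_STAFF is what HR/management says today,
# ROLE_RIGHTS is what the access-level procedure allows per role, and
# SYSTEM_ACCOUNTS is what the data system actually contains. Names are made up.
CURRENT_STAFF = {"asmith": "analyst", "bjones": "qa_reviewer", "cwong": "sysadmin"}
ROLE_RIGHTS = {
    "analyst": {"read", "edit"},
    "qa_reviewer": {"read"},
    "sysadmin": {"read", "edit", "delete", "admin"},
}
SYSTEM_ACCOUNTS = [
    Account("asmith", True, frozenset({"read", "edit", "delete"})),   # analyst who can delete
    Account("bjones", True, frozenset({"read"})),
    Account("cwong", True, frozenset({"read", "edit", "delete", "admin"})),
    Account("dleft", True, frozenset({"read", "edit"})),             # left the company years ago
    Account("lab", True, frozenset({"read", "edit", "delete"})),     # shared group login
]

def review_access(accounts, staff, role_rights):
    """Compare system accounts with the authorized-personnel list and return
    [(user, issue)] for everything a reviewer must act on. Accounts that are
    not on the staff list (leavers, shared logins) are flagged only while they
    are still enabled; staff accounts are flagged for rights beyond their role."""
    findings = []
    for acct in accounts:
        if acct.user not in staff:
            if acct.enabled:
                findings.append((acct.user, "enabled but not on current staff list"))
            continue
        excess = acct.rights - role_rights[staff[acct.user]]
        if excess:
            findings.append((acct.user, "rights beyond role: " + ", ".join(sorted(excess))))
    return findings

if __name__ == "__main__":
    for user, issue in review_access(SYSTEM_ACCOUNTS, CURRENT_STAFF, ROLE_RIGHTS):
        print(f"{user}: {issue}")
```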

Findings and Proposed Corrective Actions 5/12

No password security on computer used for data entry and data transfer via the Internet
– Do not transfer data via the Internet unless you are using encryption and have the corresponding procedures.

No physical or password access controls on PLC to prevent unauthorized changes
– A difficult one. PLCs should not be used to enter data or recipes. Lock PLCs away. PLCs, at least the older ones, have no facility for user access rights, passwords and the like. If recipes are entered in a PLC, this needs to be solved procedurally.

Findings and Proposed Corrective Actions 6/12

Primary CAD engineering drawings stored on unprotected computer
– Define which drafts are relevant to GMP and need to be stored. Do not store GMP-relevant data on unprotected computers.

No procedures to verify electronic SOPs against approved hardcopy prior to posting on company network
– Formally verify all documents that are distributed electronically. Validate the system.

Findings and Proposed Corrective Actions 7/12

Password protection can be bypassed; Windows O/S security can be bypassed
– Use Windows 95 or 98 as the operating system only if you know how to use TweakUI. Do not use Windows 3.1 or DOS.

Password system does not ensure password expiration; passwords can be as short as 4 characters
– There are no regulatory requirements behind this. In safe systems such as ATM (automated teller machine) cards (e.g. Bankomat) the password does not age and is therefore never changed. These cards sometimes also have codes as short as 4 digits.

Findings and Proposed Corrective Actions 8/12

Audit Trail Issues

System does not generate an audit trail; no audit trail for changes to clinical data in e-records; no audit trail
– There are no immediate remedies. Show in your plans when you are going to replace the equipment.

TurboChrom audit trail switch was intentionally disabled
– Be sure to have an existing audit trail switched on.

No SOPs or records for changes made to critical data
– Have an SOP for the change of critical data in place.

Findings and Proposed Corrective Actions 9/12

Record Retention Issues

No assurance that e-records could be stored/retrieved for the entire retention period
– Have the details in a procedure.

Electronic files from lab instruments not properly maintained
– Have clear maintenance procedures, including maintenance of electronic files.

Software allows overwriting of original data
– Difficult. The software needs to be replaced.
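What replacement software should do about the audit-trail findings of slide 8/12 and the overwriting finding above, as an added example that is not part of the original presentation: a record store in which a change appends a new version plus an audit-trail entry with user, time, old and new value and a mandatory reason, so the original value is never overwritten and there is no delete function at all. Record names and values are constructed.

```python
from datetime import datetime, timezone

class AuditedRecords:
    """Result records where every change appends a version and an audit-trail
    entry. Deliberately no overwrite and no delete: originals stay retrievable."""

    def __init__(self):
        self._versions = {}   # record id -> list of values, oldest first
        self._audit = []      # append-only; entries are never modified

    def create(self, record_id, value, user):
        if record_id in self._versions:
            raise ValueError(f"{record_id} exists; use change() rather than overwriting")
        self._versions[record_id] = [value]
        self._log("create", record_id, user, "initial entry", None, value)

    def change(self, record_id, new_value, user, reason):
        """Record a new version of critical data; a documented reason is mandatory."""
        if not reason or not reason.strip():
            raise ValueError("a reason is required for changing critical data")
        old = self._versions[record_id][-1]
        self._versions[record_id].append(new_value)
        self._log("change", record_id, user, reason, old, new_value)

    def current(self, record_id):
        return self._versions[record_id][-1]

    def history(self, record_id):
        return list(self._versions[record_id])   # copy, so callers cannot edit the store

    def audit_trail(self, record_id=None):
        return [e for e in self._audit if record_id is None or e["record"] == record_id]

    def _log(self, action, record_id, user, reason, old, new):
        self._audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action, "record": record_id, "user": user,
            "reason": reason, "old": old, "new": new,
        })

if __name__ == "__main__":
    store = AuditedRecords()
    store.create("batch1234/assay", "97.2%", "asmith")
    store.change("batch1234/assay", "99.2%", "asmith", "re-integration per approved deviation")
    print(store.history("batch1234/assay"))    # both values are retained
    for e in store.audit_trail("batch1234/assay"):
        print(e["time"], e["action"], e["user"], e["old"], "->", e["new"], e["reason"])
```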

Findings and Proposed Corrective Actions 10/12

Failure to assure retention and security of PLC data captured by computer
– Validate and test the system.

No procedure to control secure retention of master PLC programs, or to identify and retain all versions
– Establish change control.

Data files automatically deleted after printing
– Difficult. The software needs to be replaced.

Findings and Proposed Corrective Actions 11/12

Backup tapes were never restored and verified; tapes stored at an employee's home
– Test the backup procedure regularly.

E-Signature Control Issues

No written accountability procedures for actions taken under e-signatures
– Establish a procedure that makes personnel accountable for their signatures.

No safeguards to prevent unauthorized use of e-signatures when an employee leaves the workstation
– Screensaver and lock-the-screen procedure.
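The "test the backup procedure regularly" remedy above, as an added example that is not part of the original presentation: a restore test that unpacks a backup archive into a scratch directory and compares every restored file against the live data by SHA-256, reporting the files that differ or are missing. The directory names and file contents are constructed; the backup format (gzip tar) is an assumption.

```python
import hashlib
import os
import tarfile
import tempfile

def file_hashes(root):
    """Map each file under root (path relative to root) to its SHA-256."""
    hashes = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                hashes[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return hashes

def make_backup(source_dir, archive_path):
    """Write source_dir into a gzip tar archive under the top-level name 'data'."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_dir, arcname="data")

def restore_test(source_dir, archive_path):
    """Restore into a scratch directory and compare with the live data file by
    file. Returns (ok, sorted list of files that differ or are missing on either side)."""
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(archive_path, "r:gz") as tar:
            opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(restore_dir, **opts)      # refuse unsafe paths where supported
        live = file_hashes(source_dir)
        restored = file_hashes(os.path.join(restore_dir, "data"))
    bad = sorted(k for k in live.keys() | restored.keys() if live.get(k) != restored.get(k))
    return (not bad, bad)

def run_demo():
    """Constructed walk-through: a good restore, then a backup that is already stale."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "chromdata")
        os.makedirs(src)
        with open(os.path.join(src, "run001.raw"), "wb") as f:
            f.write(b"constructed chromatogram bytes")
        archive = os.path.join(work, "weekly.tgz")
        make_backup(src, archive)
        first = restore_test(src, archive)           # (True, [])
        with open(os.path.join(src, "run002.raw"), "wb") as f:
            f.write(b"acquired after the backup ran")
        second = restore_test(src, archive)          # (False, ['run002.raw'])
    return first, second

if __name__ == "__main__":
    print(run_demo())
```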

Findings and Proposed Corrective Actions 12/12

E-signature certification not sent to FDA prior to using e-signatures
– Roche sent out such a certification in 1998.

Other Issues

Could not generate copies of e-records
– Verify that copies can be generated. In Windows: provide a screenshot (press the Print Screen key, open an empty Word document, and press CTRL+V).