GxP on AWS
By Chris Whalley. Chris is a Security Assurance TPM at AWS.
GxP (Good [anything] Practices) is an acronym that refers to the regulations and guidelines applicable to life sciences organizations that make food and medical products such as drugs, medical devices, and medical software applications. The term GxP encompasses a broad range of compliance-related activities such as Good Laboratory Practices (GLP), Good Clinical Practices (GCP), Good Manufacturing Practices (GMP), and others, each of which has product-specific requirements that life sciences organizations must implement.
These requirements are based on:
- The type of products the organization makes, and
- The country (or countries) in which their products are sold.
To help customers understand their roles and responsibilities for using the AWS Cloud, AWS employs a Shared Responsibility Model in which AWS manages security and quality of the cloud while security and quality in the cloud is the responsibility of the customer. Customers retain control of what security they choose to implement to protect their electronic records and computerized systems no differently than they would for applications in an on-site datacenter. Since compliance follows security and quality, there is a shared responsibility for compliance as well. AWS can help life sciences customers understand how to use and configure the AWS infrastructure software products and tools we offer as they look to manage their compliance requirements and architect for compliance, and our Life Sciences Competency Partners may also be able to assist when customers seek additional resources and guidance for their GxP systems development, validation, and operations.
To assist in architecting a GxP compliant environment, AWS has published a whitepaper titled, “Considerations for Using AWS Products in GxP Systems,” with the assistance of Lachman Consultant Services, Inc. (Lachman Consultants). Lachman Consultants is one of the most highly respected consulting firms on FDA and international regulatory compliance issues affecting the pharmaceutical and medical device industry today. This whitepaper contains an introduction to AWS, its benefits, and products, then dives into how to use AWS products in GxP systems. Covered in detail is how to configure and use AWS products as components in an organization’s GxP systems in key areas including:
- Quality Systems
- System Development Life Cycle (SDLC)
- Regulatory Affairs
Additionally, Merck, who is also an APN Technology Partner, presented at AWS re:Invent 2016 alongside AWS on how they achieved GxP Compliance on the AWS Cloud. In Merck’s cloud environment, called the Merck Managed Cloud (MMC), Merck uses several cloud service models, including many AWS services. The company’s strategy for creating a GxP compliant environment included creating a cloud systems assurance strategy, designing an enterprise-wide framework for security, risk, and compliance, and leveraging existing Merck SDLC analysis and deliverables. To learn more about the strategy and controls Merck used when architecting the Merck Managed Cloud to achieve and maintain GxP compliance, you can watch the re:Invent session here.
One of the themes in several of our healthcare and life sciences talks at AWS re:Invent 2016 was how you can achieve continuous compliance. One major component of this is that any change you make to your environment or your software should be traceable back to its origin. This is an important concept for auditors, who may inspect the entire system that your GxP application runs on. While it is feasible, albeit tedious, to do this manually, much of the process can be automated, which can reduce both errors and your operational burden.
A quickly realized benefit of moving to the cloud is that everything, not just traditional software applications, can be represented as code. Rather than having to provision and validate an entire infrastructure in a data center, which can take months or years to build, you can define your AWS Cloud infrastructure with JSON or YAML in AWS CloudFormation templates, and reliably and repeatedly deploy virtual data centers on AWS. You can have all of the appropriate logging pre-configured, which makes it easier for auditors to see the data they need when they need it.
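As an added illustration (not code from AWS or from the whitepaper), the following Python sketch shows one way to automate part of that traceability review: it inspects a CloudFormation template before deployment and reports audit-logging settings that are missing. The sample template, the function name `check_traceability`, and the choice of settings to check are assumptions made for this example, not a list of GxP requirements.

```python
import json

# Constructed sample template (an assumption for this example): one trail, two buckets.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "AuditTrail": {
      "Type": "AWS::CloudTrail::Trail",
      "Properties": {
        "IsLogging": true,
        "S3BucketName": {"Ref": "AuditLogBucket"},
        "IsMultiRegionTrail": true,
        "EnableLogFileValidation": false
      }
    },
    "AuditLogBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {"VersioningConfiguration": {"Status": "Enabled"}}
    },
    "RecordsBucket": {"Type": "AWS::S3::Bucket", "Properties": {}}
  }
}
""")

def check_traceability(template):
    """Return (logical_id, finding) pairs for missing audit-trail settings."""
    findings = []
    resources = template.get("Resources", {})
    trails = {k: v for k, v in resources.items()
              if v.get("Type") == "AWS::CloudTrail::Trail"}
    if not trails:
        findings.append(("<template>", "no AWS::CloudTrail::Trail resource defined"))
    for name, res in trails.items():
        props = res.get("Properties", {})
        # Each of these must be literally true for the trail to pass the check.
        for key in ("IsLogging", "IsMultiRegionTrail", "EnableLogFileValidation"):
            if props.get(key) is not True:
                findings.append((name, f"{key} is not true"))
    for name, res in resources.items():
        if res.get("Type") == "AWS::S3::Bucket":
            versioning = res.get("Properties", {}).get("VersioningConfiguration", {})
            if versioning.get("Status") != "Enabled":
                findings.append((name, "bucket versioning is not enabled"))
    return findings

if __name__ == "__main__":
    for logical_id, finding in check_traceability(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {finding}")
```

Run as a pre-deployment gate in a pipeline, a check like this leaves a record that each template version was reviewed against the same logging baseline.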
Coming up in AWS Healthcare and Life Sciences Week:
- Guest post from Healthcare and Life Sciences Competency Partner and Premier Consulting Partner Cognizant
- HIPAA/HITRUST on AWS overview
- Profile of Healthcare Competency Partner ClearDATA focusing on HITRUST and discussing the company’s expertise in applying DevSecOps principles on AWS
- Profile of Healthcare Competency Partner hc1.com detailing the hc1 Platform and the team’s approach to HIPAA compliance on AWS
- Profile of Life Sciences Competency Partner and Premier Consulting Partner REAN Cloud detailing REAN’s approach to logging, monitoring, and continuous compliance, and the importance of automation in this space
- AWS Marketplace guest post
- Profile of Healthcare and DevOps Competency Partner Cloudticity focusing on how the firm drives automation and cross-segment innovation
- Technical recap and additional highlights of Healthcare and Life Sciences Competency Partners
- HCLS week wrap-up, highlighting HIMSS and practical tips and best practices for being an APN Partner