How Cognizant Approaches GxP Workloads on AWS
By Vandana Viswanathan, Associate Director, Process & Quality Consulting, Cognizant Technology Solutions, and Joseph Stellin, Associate Director, Cognizant Cloud Services.
Cognizant is a Premier APN Consulting Partner, an AWS MSP Partner, an AWS Public Sector Partner, and holds a number of AWS Competencies, including Healthcare, Life Sciences, Migration, Big Data, Financial Services, and Microsoft SharePoint.
Life sciences firms are rapidly accelerating their adoption of AWS to not only advance research in the space, but to optimize the development of software and the environment it runs on. We’ve found that questions around regulatory quality, security and privacy have been addressed to the point where many senior executives actively pursue using AWS as an extension of or replacement for their on-premises environments.
Most companies manufacturing medical products or developing drugs are required by regulations to follow Good Manufacturing, Clinical, and Laboratory Practices (GxP). IT systems running “GxP Applications” are subject to FDA audit and failure to comply with the appropriate guidelines could result in fines and potential work stoppage. Due to this impact, GxP regulations are often at the forefront of our customers’ minds when considering a move to the cloud.
In January 2016, AWS released a white paper on Considerations for Using AWS Products in GxP Systems. With this guidance, it has become easier to develop these regulated workloads on AWS. We have found that life sciences firms are able to achieve the same benefits of scale, cost reduction, and resiliency for their GxP applications that they’ve come to expect from non-regulated workloads on AWS. This was exemplified at re:Invent 2016 where Merck spoke publicly about how they have built GxP solutions on AWS.
At Cognizant, we’ve developed a transformation framework based on our experience working with many large organizations within the life sciences and healthcare verticals. This framework consists of many steps including analyzing cloud providers, developing and executing validation plans, and creation of governance and support procedures to ensure compliance to FDA regulations. This framework enables successful qualification of the cloud infrastructure (IQ) execution and operations and ensures compliance of the application/software being hosted on the cloud. We’ve applied our approach to live migrations of multiple GxP workloads, including Trackwise and Maximo, as well as to building out of new GxP environments natively on AWS.
Design principles for GxP
When developing GxP applications for our customers, we’ve found there are key design and operation principles that each workload requires. It is important to note that in a cloud environment, infrastructure is continuously improvable with new features and capabilities added regularly. The need to stay compliant shouldn’t stifle innovation, but proper controls need to be enforced to ensure that FDA requirements are continuously met. We like to think about compliance not as a fixed goal, but a continuous operational and design requirement.
The following key principles relate to the Cognizant proprietary transformation framework as well as key AWS and third-party services we use to address these principles.
Cloud Provider Assessment: This enables us to evaluate all cloud providers based on their viability of hosting a GxP application and also the ability to support the specific environment being migrated. The evaluation parameters include regulatory compliance, information security, data privacy, infrastructure application dependencies, and business criticality amongst other key parameters.
Data Security: All sensitive data should be encrypted both at-rest and in-transit. For example, we use AES256 encryption for data at rest. We always engage our enterprise security team to evaluate all current customer security solutions to determine if there a need for additional security solutions to meet customer compliance and security requirements.
Authentication and Authorization: As the data flowing through a GxP application can be sensitive, we need to ensure that only the appropriate authorized Individuals can access the data and control the access limitaions. We utilize AWS Identity and Access Management and/or extend out current on-premises domain controller resources to the cloud in a secure way.
Traceability and Auditability: We need to have a time-stamped, secure audit trail that documents how and when users access the environment and application and any changes to the core infrastructure or applications. The benefit of infrastructure as code is that we can validate and log changes to our infrastructure in the same way we do software. We use AWS CloudTrail for all logs and leverage Amazon CloudWatch for any alerts and notifications. We have also integrated a proprietary tool called Cloud360 for all tracking, monitoring, management and audit information.
How our GxP approach leads to customer success
Our Transformation Framework has helped simplify the process of creating and maintaining validated environments in a continuously advancing technology. This innovation has helped these organizations to take advantage of key benefits of the cloud including: reduction in cost, agility, time to market, scalability, and more importantly reliability through redundancy.
For several of our top 10 pharmaceutical clients, implementation of the transformation framework has enabled successful movement of regulated applications to the cloud. A framework for validating GxP workloads was established and precedence has been set to move ongoing applications to the cloud.
As this quest to move validated workloads to the cloud continues in the Life Sciences and Healthcare verticals, processes and technologies will evolve and be adopted to expedite the validation process, ensure compliance, and achieve larger cost savings. We look forward to our strong continuous relationship with AWS to assist many organizations with building confidence in moving GxP workloads to the cloud, advancing technology and streamlining validation processes.
Please leave any questions and comments below.
If you’re interested in learning more about how AWS can add agility and innovation to your healthcare and life sciences solutions be sure to check out our Cloud Computing in Healthcare page. Also, don’t forget to learn more about both our Healthcare and Life Sciences Competency Partners and how they can help differentiate your business.
Will you be at HIMSS? Stop by the Cognizant booth #3214. And be sure to stop by our booth #6969! We’d love to meet with you.