At AWS, security and privacy are the top priority
Gain greater agility, improve security of sensitive and personal health information, and automate GxP compliance with AWS.
GxP regulation includes the underlying international pharmaceutical requirements, such as those set forth in the US FD&C Act (Food, Drug, and Cosmetic Act), US Public Health Service Act (PHS Act), FDA regulations, EU Directives, UK MHRA regulations, Japanese regulations, or other applicable national legislation or regulations under which a company operates. These include but are not limited to: Good Manufacturing Practice (GMP), Good Clinical Practice (GCP), Good Laboratory Practice (GLP), Good Quality Practice (GQP), Good Pharmacovigilance Practice (GVP), Medical Device Regulations, and the Prescription Drug Marketing Act (PDMA).
Acquire the most comprehensive compliance controls with AWS, including the ability to encrypt at scale to comply with local data privacy laws and standards such as PCI DSS, SOC, FedRAMP, NIST, ISO, HIPAA, and HITRUST. AWS supports more security standards and compliance certifications than any other offering, providing life sciences organizations with the tools, services, and visibility to move faster while remaining secure and compliant.
Building GxP systems on AWS allows for improved control over your IT environment, gives enhanced testing and traceability, and helps respond to audits.
AWS & GxP Compliance
With access to purpose-built solutions, technical resources, and a team of GxP experts, AWS makes it easier for life sciences organizations to migrate existing and build new regulated workloads in the cloud.
Designed to expedite the migration of regulated workloads, the GxP Compliance on AWS solution helps organizations establish a GxP-aligned environment that reduces costs, improves security, and enhances agility.
How AWS supports GxP compliance:
- Automate the GxP compliance process: AWS provides the tools and guidance needed to automate the GxP compliance process so that you can move fast while staying compliant.
- Develop a consistent and controllable infrastructure: By leveraging AWS to enable your GxP environment, you can create templates that allow you to use your infrastructure throughout your organization with a high degree of consistency. AWS also gives you deep control over who can affect elements of your infrastructure software and when, where, and how they do it. See how Merck has set up GxP System Assurance in the AWS Cloud.
- Automatic traceability: use AWS tools to automatically log a wide range of activities in your environment, including how the infrastructure is deployed and how it is accessed and configured. This improves traceability in your environment, making it easier to support audit requests.
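As an added example (not code from this AWS page or from any AWS tool), the script below turns CloudTrail-style activity records into the traceability view an auditor typically asks for: who changed which piece of infrastructure, when, and with what parameters. The sample records are constructed to mimic the CloudTrail record layout (eventTime, eventName, eventSource, userIdentity.arn, readOnly, requestParameters); the account id, ARNs, stack and instance names are made-up values, and the "is this a change" test is this example's own heuristic rather than an AWS definition.

```python
"""Build a change-traceability report from CloudTrail-style records.

Added example, not AWS code. SAMPLE_EVENTS is constructed to mimic the
CloudTrail record layout; the account id, ARNs and resource names are
made-up sample values, not real logs.
"""
import json
from collections import defaultdict

SAMPLE_EVENTS = json.dumps({"Records": [
    {"eventTime": "2024-03-04T09:12:41Z", "eventSource": "cloudformation.amazonaws.com",
     "eventName": "UpdateStack", "readOnly": False,
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/ci"},
     "requestParameters": {"stackName": "lims-prod"}},
    {"eventTime": "2024-03-04T09:15:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "readOnly": True,
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/analyst"},
     "requestParameters": {"bucketName": "batch-records", "key": "lot-42.pdf"}},
    {"eventTime": "2024-03-04T10:01:55Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifyInstanceAttribute", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ops-admin"},
     "requestParameters": {"instanceId": "i-0abc123"}},
    {"eventTime": "2024-03-04T10:03:10Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ops-admin"},
     "requestParameters": {"userName": "analyst",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
]})

# Verb prefixes used as a fallback when a record carries no readOnly flag
# (this example's heuristic, not an AWS definition).
WRITE_VERBS = ("Create", "Put", "Update", "Modify", "Delete",
               "Attach", "Detach", "Remove", "Set")


def is_change(event):
    """A configuration change is any non-read-only API call."""
    if "readOnly" in event:
        return not event["readOnly"]
    return event["eventName"].startswith(WRITE_VERBS)


def parse_events(raw):
    """CloudTrail log files wrap events in a top-level 'Records' list."""
    return json.loads(raw)["Records"]


def change_trail(raw):
    """Return one who/when/what record for every change event, in log order."""
    trail = []
    for ev in parse_events(raw):
        if not is_change(ev):
            continue
        trail.append({
            "when": ev["eventTime"],
            "who": ev["userIdentity"]["arn"],
            "service": ev["eventSource"].split(".")[0],
            "action": ev["eventName"],
            "parameters": ev.get("requestParameters", {}),
        })
    return trail


def changes_by_actor(raw):
    """Count change events per principal, the first pivot an auditor asks for."""
    counts = defaultdict(int)
    for rec in change_trail(raw):
        counts[rec["who"]] += 1
    return dict(counts)


def privilege_changes(raw):
    """IAM changes alter who may affect the environment, so list them separately."""
    return [r for r in change_trail(raw) if r["service"] == "iam"]


if __name__ == "__main__":
    for rec in change_trail(SAMPLE_EVENTS):
        print(f'{rec["when"]} {rec["who"]} {rec["service"]}:{rec["action"]} {rec["parameters"]}')
    print("privilege changes:", len(privilege_changes(SAMPLE_EVENTS)))
```

Run against a real CloudTrail export, the same three functions give the "who deployed, who reconfigured, who granted access" answers an audit request is built around; the read-only GetObject event is deliberately excluded so the report lists configuration changes rather than every access.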
Additional resources for building GxP applications on AWS:
- Whitepaper: Introduction to Auditing the Use of AWS
- Whitepaper: GxP in the AWS Cloud
- Overview: Security by Design
AWS & Data Privacy
Earning customer trust is the foundation of our business at AWS. We earn this trust by working to meet our customers’ privacy needs and by being transparent in our privacy commitments.
Customers always manage access to their services and content. We do not access or use customer content for any purpose without the customer’s consent. With access to the most extensive global infrastructure, life sciences organizations can choose the region(s) in which their content will be stored. We will not move or replicate customer content outside of the customer’s chosen region(s) without the customer’s consent.
Security and Compliance is a shared responsibility between AWS and the customer. This shared model can help relieve the customer’s operational burden as AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.
Customers are still responsible for other aspects of security, such as the security measures used to protect their applications, which is no different from running the application in a traditional data center.
AWS Life Science Compliance Alignments / Frameworks
- The AWS compliance certifications demonstrate the “security of the cloud” and the operating effectiveness of AWS controls. Customers are responsible for the security in the cloud.
- Customers inherit these compliance certifications and can use them to demonstrate part of their compliance to auditors and regulators.
Compliance certifications and attestations are assessed by a third-party, independent auditor and result in a certification, audit report, or attestation of compliance.
AWS customers remain responsible for complying with applicable compliance laws and regulations. In some cases, AWS offers functionality (such as security features), enablers, and legal agreements (such as the AWS Data Processing Agreement and Business Associate Addendum) to support customer compliance.
Compliance alignments and frameworks include published security or compliance requirements for a specific purpose, such as a specific industry or function. AWS provides functionality (such as security features) and enablers (including compliance playbooks, mapping documents, and whitepapers) for these types of programs.
It is important to mention the shared responsibility model when discussing regulatory compliance. AWS brings in state-of-the-art technologies, goes through the industry-standard certifications and attestations both globally and regionally where possible, and aligns to industry frameworks to help facilitate the compliant implementation of AWS services for healthcare compliance. Under the shared responsibility model, customers can inherit the compliant controls and capabilities to meet the needs of healthcare compliance in that region.
The information below provides representative certifications, healthcare laws and relevant frameworks.
Key Certifications & Attestations
- ISO 27001, 27017, 27018
- SOC 1, 2, 3
- PCI DSS Level 1
Key Alignment & Frameworks
- CSA (Cloud Security Alliance)
- EU-US Privacy Shield
- BioPhorum IT Controls
United States (Key Regulator: FDA)
The US Food and Drug Administration (FDA) established 21 CFR Part 11, its regulations on electronic records and electronic signatures. 21 CFR Part 11 applies to life science industries that fall under the Federal Food, Drug, and Cosmetic Act, the Public Health Service Act, or any FDA regulation other than Part 11. Collectively those are identified as "Predicate Rules". In essence, Part 11 applies when a predicate rule requires the record in question.
Data Integrity & United States FDA:
Regulators around the world continue to scrutinize data integrity issues in the life sciences industry. The FDA published guidance on data integrity to provide clarity to life science organizations so that these issues can be proactively addressed.
United Kingdom (Key Regulator: MHRA)
The MHRA continues to place greater focus on data integrity. The increasing use of electronic data capture, automation of systems, and remote technologies has increased the complexity of supply chains and ways of working, including the use of third-party suppliers. The MHRA published its Data Integrity guidance specifically to provide greater clarity and set expectations for the life sciences industry to ensure data integrity compliance.
Europe (Key Regulator: EMA) – applies to member states of the European Union
European Union Annex 11 applies to all forms of computerized systems used as part of GMP (Good Manufacturing Practice) regulated activities.
Data Integrity & EMA:
Data integrity continues to be an important topic worldwide. The European Medicines Agency (EMA) has published new GMP guidance on data integrity that covers the data generated in the testing, manufacturing, packaging, distribution and monitoring of medicines.
Featured customer stories
Lyell streamlines GxP validation on AWS, reducing time to validate compliance from weeks to minutes.
FDA’s precisionFDA multi-omics cloud environment leverages AWS to connect data and tools to experts around the world, for validating variant calling technology.
Bristol Myers Squibb implements a fully-automated self-service platform for business users with automated governance.
Merck reduces change assessment duration by up to 90% and total manual effort per assessment by 30–70%.
Aizon applies artificial intelligence in a GxP environment with AWS.