Is Office 365 GMP Compatible?

Office 365 GMP, can you trust the cloud?

Operating as a Quality manager in a small regulated company can be tough, you business needs to remain innovative to be competitive in a global market but your hands are tied by regulations and red tape, and your highest priority is always patient safety and product Quality. You spend all your time putting out fires and dealing with operational and people issues, the last thing you you have on your mind is your whether your productivity suite and IT infrastructure is helping or hindering your progress…until it falls down, the latest virus locking out your data, corrupted hardware with expensive and time consuming replacements or worst malicious actors inside your organisation stealing your information. Can you afford to rely on your internal systems and employees to manage your critical infrastructure or should you consider Office 365 GMP applications?

Data and data integrity are the lifeblood of any modern organisation, we have found using the Microsoft Office 365 platform we have benefited from key compliance and security features, relying on the security and infrastructure experts at Microsoft to maintain a 99.9% up time for our critical operational services. The risks of malware and virus’ are dramatically reduced and hardware is managed by Microsoft so there is no unexpected and costly replacements, which would be devastating for us as a small business.

We have confidence in Office 365 for our business because it’s backed not only by Microsoft, but the Microsoft cloud is used and validated by over 90% of Fortune 500 companies, it is used by almost 100 million users actively. It is not only for big corporations, the cloud gives small companies access to the resources of the biggest companies in the world. Our research and experience

The Office 365 GMP compliance requirements

How does using a cloud provider help you to meet your compliance requirements? Generally the GxP requirements for electronic records and signatures relies on the predicate rule that all records are generally a substitute for handwritten records signatures. As with any GxP regulation, it is still the responsibility of the regulated company to ensure that all the processes and systems work as they are intended to and are fit for purpose. There are several best practices that are recommended broadly, (see our blogs section for the tag Office 365 GMP for how it meets the compliance requirements point by point):

• Documented procedures for backup, security and validation etc, that control and manage electronic records
• All significant events should be secure and have an audit log with all relevant metadata available for review
• Clearly documented specifications for the intent and purpose of the system, and evidence that the system it operating in a way to support that purpose, i.e. regular audit acitivity.

Microsoft enterprise cloud services undergo regular independent third-party SOC 1 Type 2 and SOC 2 Type 2 audits, and are certified according to ISO/IEC 27001 and ISO/IEC 27018 standards.
Although these regular audits and certifications do not specifically focus on FDA regulatory compliance, their purpose and objectives are similar in nature to those of CFR Title 21 Part 11, and serve to help ensure the confidentiality, integrity, and availability of data stored in Microsoft cloud services. Our qualification approach is also based on industry best practices, including the International Society for Pharmaceutical Engineering (ISPE) GAMP series of Good Practices Guides and the Pharmaceutical Inspection Co-operation Scheme (PIC/S) Good Practices for Computerized Systems in Regulated GxP Environments.

– Microsoft cloud trust center – 2017

Our Learnings

It was early on in the start of the QikSolve’s second year that we had out first brush with near disaster. We had been working on a migration of our data to a new structure to meet the growing needs of the company. We thought we had done all the relevant checks and balances and sent off the old data to the recycle bin in SharePoint, come 60 days later and we realised that one of the critical pieces of source code for our software had become corrupted during the migration due to the user error. Fortunately we were able to reach out directly to Microsoft who responded immediately and recovered the critical client code from their data backups. Our internal systems were not robust enough, and due to time pressures and short sightedness we made a mistake. We had the backing and maturity of Microsoft to support us and save us months of work rewriting code. We have learnt our lesson, but it’s good to know we have the capability if something ever went wrong again.

What do you need to consider for Office 365 GMP application?

• Review the controls and reports available
• Understand the scope and breadth of the Microsoft security capability
• Check the tools available for securing your data in the cloud
  • Office 365 eDiscovery
  • Office 365 Archiving
  • Office 365 Auditing
• Assess the risks of staying where you are as well as the risks of change
• Ensure your governance documentation and processes captures the relevant information for dealing with a new environment, you are still responsible
• Consult with experts to get the most of out Office 365 GMP applications.