Managing the technology infrastructure for a straightforward business can be complex, but when you add in the need for compliance and system validation the connections become ever more intricate. Compliance agencies around the world utilize highly structured procedures to validate that computerized systems are presenting consistent and reproducible results to ensure the effectiveness and safety of products and research. When changes or upgrades of any kind are made to computer systems, this type of validation is required to ensure that the systems are performing within expected tolerances. Traditional managed services providers and internal IT departments may not be familiar with this level of rigor in terms of validation, making it vital to work with technology partners with experience in this detailed and painstaking work.
Making Changes to Validated Systems
Managing change requests for a validated environment can be dicey, as even the simplest changes can result in computational changes or an audit trail that leaves lingering questions about compliance in the minds of regulatory authorities. Once a system has been validated, any type of change could potentially trigger a shift in results, which is why older systems are often left alone even when you know there are necessary upgrades available. By explicitly defining the changes that need to be made, ensuring that there is full documentation throughout the process and extensive testing after validation, companies are able to prove that they are proactively managing change control throughout the process.
One of the key challenges is that these validated systems are often left alone for some time, while significant changes and advancements happen in the world of computing. That could mean that these validated systems — while compliant and validated — are potentially open to malware or other intrusions simply due to the age of the systems. Inexpensive workstations that are running expensive, purpose-built lab equipment successfully can mean that engineers are reluctant to tinker with the systems due to concerns of related incidents or changes in computations.
Challenges with Validated Systems
Why go to all of the trouble associated with creating a validation plan, scoping the approach, testing and defining acceptance criteria? Validated systems are often running extremely important controls, meaning they may be at greater risk of cyberattack or espionage. Once you have these systems set in place, making changes is a multi-step process and requires strict attention to detail and additional time far beyond what you would need to change a simpler system. Many times, the risk of making changes is greater than the reward, or so it may seem at first. With cybercriminals becoming more blatant in their attacks on organizations in the life sciences sector, ensuring all updates are applied in a timely manner is crucial.
Securing Validated Systems
New malware patches are released on a fairly regular basis, but are they always being applied in a timely manner to your validated systems? Patching can feel like a losing battle, with new vulnerabilities being discovered in all types of systems. With thousands of pieces of software and hardware running in any given enterprise, it’s not surprising that vulnerabilities continue to crop up and cause problems. Malware experienced a new level of growth in 2019, with Kaspersky’s reporting a 13.7% growth in malicious objects throughout the year and more than 24 million threats reported including scripts, executable files and exploits. When you add in the concerns caused by tightly managing access control and the possibilities of removable media introducing an external threat, it’s no surprise that IT security teams are feeling overwhelmed with attempting to stay up-to-date with patches and upgrades.
Defining Appropriate Change Controls for Validated Systems
The process for defining change control systems is straightforward, although there are several additional steps beyond what you would expect for upgrading a less-connected system. The typical steps utilized in change control for a validated system include:
- The system owner formally makes a change request
- System owners and technology teams work together to define the scope of the change and potential impact
- Changes are made in a non-development environment, often a duplicate system in Sandbox mode
- Systems are validated and tested to ensure the accuracy and reliability of the change
- Changes are fully implemented on the production system
- Final validation of the production system
Each of these stages will take time, and engineers or product owners could find potential issues and need to roll back changes at any time.
When you are facing an unexpected problem with your technology or need to make upgrades or changes to validated systems, it’s good to know that you can trust the team at Coretelligent to provide the guidance and expertise you need to be successful. Our managed IT services offer you White Glove treatment — an exceptional level of support that goes beyond the expected. You can relax knowing that your technology environment is fully protected, compliant and agile enough to grow with your business. Contact the Coretelligent team at 855-841-5888 or via firstname.lastname@example.org to schedule your complimentary, no-obligation consultation and see why we are one of the fastest-growing IT service providers in the country.