21 CFR Part 11 - The Biggest Information Security Regulation You Never Heard Of

Article by Ben Rothke
Published on May 6, 2008

While everyone knows of giant companies such as Wal-Mart and General Motors, Fortune magazine occasionally runs articles about huge companies that most people have never heard of. Similarly, in the information security space, many people have heard of standards and regulations such as Common Criteria, ISO 17799 and HIPAA. Yet there is a huge regulation that many people know nothing of; namely, 21 CFR Part 11.

Title 21, Part 11 of the US Code of Federal Regulations (AKA 21 CFR Part 11, or simply Part 11) falls under the authority of the United States Food and Drug Administration (FDA). The FDA felt that the risks of falsification, misinterpretation and change without leaving evidence are higher with electronic records than with paper records, and that specific controls are therefore required.

Part 11 deals with the conditions under which the FDA will accept electronic records and electronic signatures as equivalent to paper records and handwritten signatures, and electronic New Drug Application (NDA) submissions as equivalent to paper submissions. A Gartner report, Truth and Misconceptions: The Federal Electronic Records Statute, shows how important and how poorly understood Part 11 is when it calls it “the most misunderstood regulation across the pharmaceutical industry and is the most comprehensive and broad-reaching FDA regulation today.”

The FDA wants the bio-pharmaceutical industry to adopt the electronic medium for NDA submissions, with the hope of greatly reducing the cost and time involved in compiling and submitting NDAs. Jacques Francoeur, CEO of TrustEra, notes: “the FDA wanted to set a standard to which electronic submissions would be considered as demonstrably trustworthy to their paper counterparts. This makes Part 11 the first-in-industry trust regulation.” Francoeur notes that the FDA uses the term trust and its variations (i.e., trustworthy) over 30 times in the Part 11 preamble but, unfortunately, never defines what exactly trust is.

Part 11 builds from security toward trust in other ways as well. For example, a clear intent of the regulation is non-repudiation: the procedures and controls it requires must “ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine.”[1]

The difference between security and trust is that security seeks to control rights and access and to maintain the confidentiality and integrity of information, while trust seeks to control the basis of denial: to ensure that individuals are accountable for their electronic acts, that electronic forensic evidence is created and preserved, and that electronic signatures and records are legally enforceable. Trust is an aggregate characteristic of a system or process and is only as strong as its weakest link. Electronic trustworthiness is measurable, and it can be assessed and designed into e-processes.

Why was 21 CFR Part 11 needed?

In the days of old, pharmaceutical companies would literally ship truckloads of data to the FDA. There clearly had to be a better, faster, cheaper and easier way to move this data. And indeed there was - via electronic networks. The quandary was how to take the paper system and move it to an electronic system with the same controls and safeguards. With that, Part 11 provides criteria under which the FDA will consider electronic records to be equivalent to paper records, and electronic signatures equivalent to traditional handwritten signatures.

The pharmaceutical security community is a rather small one, and that explains why Part 11 has not gotten the same amount of exposure as other regulations. Technically, Part 11 is also voluntary in nature, in that a company can decide to make its NDA submission on paper. However, once information is created and maintained electronically, that information must comply with the requirements of Part 11. From a practical perspective, no serious pharmaceutical company is doing anything on paper anymore.

In the early 1990s, a number of pharmaceutical companies met with the FDA to determine how they could submit information in an electronic format. The outcome was 21 CFR Part 11, which became effective in August 1997.

Way back in 1997, the FDA put on its thinking cap and tried to anticipate the effects of network technologies on the entire gamut of the pharmaceutical field, from drug discovery to testing and manufacturing. Part 11 then enabled electronic signatures and records to meet the stringent compliance requirements for the manufacturing and distribution of FDA-regulated products.

The intent of Part 11 was to reduce the generation of paper, as a clinical trial or the submission of a medical device for FDA approval can easily generate truckloads of paper. Moving that data from paper to bits and bytes is both cost effective and more efficient. But the move to a digital format created a need for security and privacy. While Part 11’s main goal is paper reduction, the key to making it work is all about security.

Part 11 has many security requirements, most of which fall under the obligation to implement procedures and controls that limit system access to authorized individuals, prevent unauthorized modification of electronic records, maintain secure, computer-generated, time-stamped audit trails of who created, modified or deleted a record and when (without obscuring the previously recorded information), verify that only authorized individuals can use the system and perform a given operation, and much more.
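The audit-trail and non-repudiation requirements above are where Part 11 turns from policy into engineering, so here is an added example (not from the article, and not an FDA or industry reference implementation) of the core mechanism: an append-only audit trail in which every change records the operator, a timestamp, the old value and the new value, and each entry is chained to its predecessor with a keyed hash so that editing, reordering or back-dating a past entry is detectable. The key, user IDs, record names and values are all constructed for the demo. Note the caveat in the code: a shared system key gives tamper evidence, not per-signer non-repudiation, and Part 11's rules for linking signatures to records (Subpart C) are not modelled here.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Fields covered by each entry's keyed hash (everything except the hash itself).
PAYLOAD_FIELDS = ("seq", "time", "user", "record", "old", "new", "reason", "prev")


class AuditTrail:
    """Append-only audit trail: each entry records who changed what, when,
    and the previous value, and is chained to its predecessor by an HMAC so
    that any in-place edit, deletion or reordering of past entries is detectable.

    Caveat: the HMAC key is held by the system, so this gives integrity and
    tamper evidence but NOT per-signer non-repudiation; for that, each user
    would need to sign entries with a key only they control. Part 11's
    electronic-signature linking rules (Subpart C) are out of scope here."""

    def __init__(self, key: bytes):
        self._key = key      # assumed: kept out of ordinary users' reach
        self.entries = []    # the trail itself; never edited in place
        self.records = {}    # current value of each record

    def _mac(self, payload: dict) -> str:
        body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def change(self, user: str, record_id: str, new_value, reason: str, when: datetime) -> dict:
        payload = {
            "seq": len(self.entries),
            "time": when.isoformat(),
            "user": user,
            "record": record_id,
            "old": self.records.get(record_id),  # previous value is kept, not obscured
            "new": new_value,
            "reason": reason,
            "prev": self.entries[-1]["mac"] if self.entries else "genesis",
        }
        entry = dict(payload, mac=self._mac(payload))
        self.entries.append(entry)
        self.records[record_id] = new_value
        return entry

    def verify(self):
        """Return the index of the first entry that fails verification, or None."""
        prev = "genesis"
        for i, e in enumerate(self.entries):
            payload = {k: e[k] for k in PAYLOAD_FIELDS}
            if e["seq"] != i or e["prev"] != prev:
                return i  # reordered, inserted or removed entry
            if not hmac.compare_digest(e["mac"], self._mac(payload)):
                return i  # content of this entry was altered
            prev = e["mac"]
        return None

    def history(self, record_id: str):
        """Every value a record has ever held, oldest first."""
        return [(e["time"], e["user"], e["old"], e["new"])
                for e in self.entries if e["record"] == record_id]


def demo() -> dict:
    # Constructed sample data: one pH result on a hypothetical batch record.
    trail = AuditTrail(key=b"constructed-demo-key-not-for-production")
    t0 = datetime(2008, 5, 6, 9, 0, tzinfo=timezone.utc)
    trail.change("jdoe", "batch-42/pH", "7.2", "initial entry", t0)
    trail.change("jdoe", "batch-42/pH", "7.4", "transcription error corrected", t0.replace(hour=10))
    trail.change("asmith", "batch-42/pH", "7.3", "re-measured", t0.replace(hour=11))
    intact = trail.verify()                  # None: chain is good
    hist = trail.history("batch-42/pH")      # 7.2 is still visible despite the correction

    # Failure mode: silently dropping the newest entry still verifies, because
    # nothing outside the trail pins its head. The latest MAC must be anchored
    # externally (e.g. copied to a separately controlled log) to catch this.
    head = trail.entries[-1]["mac"]
    dropped = trail.entries.pop()
    truncation_visible = trail.verify() is not None or trail.entries[-1]["mac"] == head
    trail.entries.append(dropped)

    # An insider edits the trail to hide that 7.2 was ever recorded.
    trail.entries[1]["old"] = "7.4"
    tampered_at = trail.verify()             # 1: the altered entry is pinpointed
    return {"intact": intact, "history": hist,
            "truncation_visible": truncation_visible, "tampered_at": tampered_at}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point a Part 11 auditor looks for is visible in `history()`: the correction from 7.2 to 7.4 is recorded as a new entry rather than overwriting the original value, and `verify()` localizes the forged entry instead of merely reporting that something is wrong. The truncation check shows why the chain alone is not enough and the head must be anchored outside the system that writes the trail.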

Those charged with Part 11 compliance must ensure that electronic records have the same degree of confidence as their paper counterparts. If that same degree of confidence can’t be assured, then all of the functionality and security afforded by digital systems falls by the wayside.

Part 11 applies only to those regulated by the FDA. To date, Part 11 has primarily been used by the pharmaceutical, biotech and medical device sectors.

Part of the difficulty with Part 11 is that there is no single way to interpret it. Each organization is free to interpret Part 11 in any way it sees fit, albeit in a reasonable manner. The FDA has not helped in this matter, as it has provided little practical guidance on how to interpret the regulation.

When Part 11 became effective in August 1997, there was a short grace period for compliance. Since then, the FDA has become much more aggressive in its interpretation and enforcement of Part 11. In November 1999, Abbott Laboratories entered into a consent decree with the FDA and agreed to a $100 million fine relating to Part 11 compliance. In 2002, Schering-Plough Corporation agreed to a similar consent decree and paid fines in excess of $500 million.

Conclusions

Organizations face complex requirements to comply with security and privacy standards and regulations, and it is simply a matter of time until much of cyberspace is regulated. For those in FDA-regulated companies, that time is now, and 21 CFR Part 11 is one of those regulations.

[1] FDA, 21 CFR Part 11, § 11.10.

Bright Hub, ©2008 Bright Hub Inc. All rights reserved.