Life Sciences IT Risk Management, Cloud Security and Regulatory Compliance

Ann Nguyen:
Hello and welcome to this Cambridge Healthtech Institute podcast for the 2015 Bio-IT World Conference & Expo, which runs April 21-23 in Boston, Massachusetts. I'm Ann Nguyen, Associate Conference Producer.

Today we're chatting with Krista Woodley, Director of Information Technology at Biogen. She's one of our featured speakers during a shared session for the Cloud Computing and Data Security conference tracks.

Krista, thanks so much for carving out a few minutes for us.

Krista Woodley:
Thank you for having me.

Ann Nguyen:
How did you end up working in IT risk management and regulatory compliance in the life science industry, and how do your daily activities support your goals at Biogen?

Krista Woodley:
I would say I first got my start in IT compliance when I worked at Ernst & Young. I was taught to lead a validation initiative, building what we call validation boot camps, so I was lead for that, and I was also the lead for the Part 11 remediation for several clients, so that was really my first step into this world.

After leaving Ernst & Young, I joined Genentech, where I was the manager who was responsible for software quality assurance and validation, so we basically had oversight of all the regulated systems to ensure that they were meeting Part 11 requirements. That was the FDA, EMA, etc., so I had a lot of experience at Genentech.

That role evolved into a government function where I was responsible for setting up all the policies and procedures as it relates to all of the IT control, such as security management, validation, SDLC, change management, etc. Then, from there I ended up moving to Massachusetts and starting at Biogen Idec, and here I'm now the head of IT quality, and this role was rather expanded from what I did at Genentech.

We oversee all the governance functions, so establishing the policies, procedures, work instructions, templates for all of those IT controls I mentioned before. But in addition we oversee all the, I would say, SDLC activities, and change management activities, for all systems that fall under any kind of regulation. That being GMP systems, GLP, GCP, SOX and then also just key enterprise systems that are critical to our business.

Lastly, we are the focal point during all inspections and audits, so we are the interface to all regulatory authorities when it comes to how are we managing our IT systems? How are we making sure that they're secure? How are we making sure that they follow Part 11 and Annex 11, etc., so pretty extensive experience in this stuff, but still continuing to learn, as well.

Ann Nguyen:
How has the rise of cloud-based computing altered data security management, especially for those who handle biological information?

Krista Woodley:
Yes, I think it's imposed some challenges, but I also think it's imposed some very good things, as well. I'll talk about the challenges first. We're always worried about data breaches. I mean, we've heard a lot in the news about what's happened at different organizations, Target, etc. People basically hacking into systems and stealing critical bits of information, and we worry about the same thing. As soon as the data is out of our hands, you have to be more concerned about that. Especially in these multitenant cloud environments where you don't have control over the maintenance of your servers. You're sharing your servers with other tenants. It just imposes a little more of a threat of these things occurring.

The other threat that we have to worry about is data localities, so we just have to make sure that where these cloud providers are setting up their data centers, that we know that those places, basically those countries, have the controls in place to adhere to our laws, especially when it comes to privacy and confidentiality, but the good news is that the data centers are generally more modern than our data centers at home. If you work with a major provider, like an Amazon or Savvis, or CenturyLink, generally speaking, they have the infrastructure.

They have the environmental controls. They have the security controls that surpass even what we can do here, because they've made that investment, so we're finding out moving to this environment, yes, we have to do more work, and we have to make sure that we know where our data is, who’s controlling the data, what policies and procedures they have. We also too know that their controls are tighter. Their infrastructures are more modern, and can meet out security requirements.

Ann Nguyen:
What will be the main theme of your presentation on “Compliant Cloud Computing” on April 22?

Krista Woodley:
Yes. We talked about security just now, and I will touch on security. I think that's always the first thing people want to know about, but I actually want to spend probably more time talking about how to validate these systems in the context of the regulatory expectations, including FDA expectations, EU expectations.

When working in this industry, I think there's a lot of hesitation around moving our critical validated systems to the cloud. I think people are worried about, I can't do my traditional IQ, OQ, PQ when a vendor is controlling the software, and controlling changes. How do we do change control, so the emphasis of this presentation is really going to be around how do we ensure that we can still demonstrate to these regulatory authorities that we still have the same type of controls in place, yet leverage the goodness that comes from working in a cloud environment.

We'll be talking about the shift of validation moving away from traditional IQ, OQ, PQ testing, and moving more towards the importance around quality audits, having a good quality management system in place, building quality agreements with the vendors, service-level agreements, etc. Again, the FDA is aware that this is coming our way. In fact, there have been many conferences on this topic, so I do want to leverage what I've learned from those, and share that with the team.

Ann Nguyen:
Excellent. Well, we're definitely looking forward to learning more about this topic, which is definitely evolving and there's a lot more to learn, and thank you for now though, Krista, for sharing some of your experiences and insights in the field.

Krista Woodley:
Thank you.

Ann Nguyen:
That was Krista Woodley of Biogen. She'll be a featured speaker at the Cloud Computing and Data Security conferences during Bio-IT World Conference & Expo, taking place April 21-23 in Boston.

To hear more from her in person, go to for registration information, and enter the keycode “Podcast”.

I'm Ann Nguyen. Thank you for listening.

Exhibit Hall and Keynote Pass

Data Platforms and Storage Infrastructure