Regulatory Open Forum

  • 1.  Acceptability of Cloud Storage

    This message was posted by a user wishing to remain anonymous
    Posted 16-Jan-2018 10:03

    Hi everyone,

    I am looking for some advice regarding cloud storage vs the more traditional IT server / network setup.

    We are a medical device startup company (working our way through the CE marking process) and are currently using cloud storage (Google Drive) to store documentation related to our device (i.e. the DHF, etc.) and as a means to share this within our team. I was wondering what stance the regulators take on cloud storage - is it acceptable and if yes, which one is best, e.g. from a security point of view?

    Perhaps some of you have already tackled this question / are in a similar position and can offer some guidance.

    Thanks in advance for your help!


  • 2.  RE: Acceptability of Cloud Storage

    Posted 17-Jan-2018 05:03
    Hi, the strategy I've employed previously with this is the same as any other software system. I define my requirements, how I intend to use the system. I then qualify to make sure it meets my requirements.

    So with cloud storage, I would define my security requirements, data integrity, traceability, etc. and test we meet these. From a regulator's perspective, they expect us to define our user requirements and verify we meet these. Use 21 CFR part 11 to help define these for your system as well.

    I don't have any direct experience of a regulator reviewing a particular cloud storage system, so maybe someone else on the forum can comment on that.
    Seb

    ------------------------------
    Sebastian Clerkin
    GMP Advisory Services
    Ballincollig
    Ireland
    ------------------------------



  • 3.  RE: Acceptability of Cloud Storage

    Posted 17-Jan-2018 10:05
    Sebastian's approach is a good one and what I would suggest. I will say that cloud storage, managed appropriately, is acceptable in the regulated environments. In particular, both Google and Amazon Cloud Services offer versions that tend to meet requirements. Additionally, many other software systems that are now run in the cloud, such as QMS or PLM systems, can also be managed to meet obligations, and, for small companies, actually add significant benefits.

    The trick, as with most things, is to know your requirements and be clear as to how they are met. Need HIPAA compliance? Need audit trails? Need disaster recovery? You need to define and check, because even these good vendors offer levels of service that don't meet these needs. Yes, you tend to get what you pay for. Also, a key reminder that you are expected to validate your implementation of any cloud solutions you use as part of your QMS - generally the validation done by the vendors is at best an IQ, not a full validation.

    g-

    ------------------------------
    Ginger Glaser RAC
    Chief Technology Officer
    MN
    ------------------------------