Wednesday, July 26, 2017

US FDA and Cloud Computing

This FDA guidance gives interesting recommendations on the use of electronic records and signatures in clinical studies, and more particularly on the use of application services in the Cloud:

B. Outsourced Electronic Services 
FDA recognizes that sponsors and other regulated entities may choose to outsource electronic services. Examples of these types of electronic services are data management services, including cloud computing services. According to the National Institute of Standards and Technology, cloud computing is defined as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” 
When these electronic services are used to process data for FDA-regulated clinical investigations, sponsors and other regulated entities should consider whether there are adequate controls in place to ensure the reliability and confidentiality of the data. Sponsors and other regulated entities should consider the factors in the following bulleted list when determining the suitability of the outsourced electronic services. If the outsourced electronic service does not provide the data security safeguards described in the following bulleted list, sponsors and other regulated entities should consider the risks of using such service (e.g., infringement of patient privacy rights, lack of reliability of the data in the clinical investigation and its regulatory implications).
  • Validation documentation (see sections IV.A.Q1 and IV.B.Q15)
  • Ability to generate accurate and complete copies of records
  • Availability and retention of records for FDA inspection for as long as the records are required by applicable regulations
  • Archiving capabilities
  • Access controls (see section IV.A.Q4) and authorization checks for users’ actions
  • Secure, computer-generated, time-stamped audit trails of users’ actions and changes to data
  • Encryption of data at rest and in transit
  • Electronic signature controls (see section V)
  • Performance record of the electronic service vendor and the electronic service provided
  • Ability to monitor the electronic service vendor’s compliance with electronic service security and the data integrity controls

More information here.