With many recent instances of cybersecurity attacks and data breaches, it is more important than ever for laboratories to protect the integrity and security of their data. Maintaining properly secured and reliable data is not just important for your lab, its patients, and the general public; it is mandated by the government. 21 CFR Part 11 sets forth the federal requirements to ensure the integrity and security of electronic records. It protects public health and safety by mandating secure and accurate electronic data. If compliance with 21 CFR Part 11 is not achieved, you may receive a warning letter, citation, monetary penalty, or injunction, or even face criminal prosecution, among other potential penalties intended to correct the non-compliance.
What is the scope of 21 CFR Part 11?
Using 21 CFR Part 11 as a guideline for electronic records’ administration and maintenance alongside your lab’s quality management system, your lab’s electronic data transmission can remain compliant and serve you, your team, and your customers or patients well. The code applies to companies operating under the Food and Drug Administration’s (FDA) oversight that utilize electronic records and signatures, including research and clinical laboratories. According to 21 CFR 11.3(b)(6), electronic records are anything in digital format handled by a computer system, which includes patient records and spreadsheets, as well as audio and video files. 21 CFR 11.3(b)(7) defines electronic signatures as any symbol approved or used by the individual to constitute the equivalent of their handwritten signature.
21 CFR Part 11 is broken into three subparts that address the scope and offer general definitions of key terms used therein (Subpart A), establish requirements for electronic records (Subpart B), and govern the use of electronic signatures (Subpart C). In general, the code serves as a means to ensure that all electronic records are reliable, accurate, and equivalent to paper records, such that they can be a complete substitute. It is important to note that all computer systems maintained under 21 CFR Part 11 must be made available for FDA inspection; thus, maintaining continual compliance is of the utmost importance.
Subpart A concerns itself with the general provisions and scope of 21 CFR Part 11 as a whole, i.e., what the code does and does not apply to. Implementation as it pertains to records that must be submitted to the FDA is outlined, and key definitions of terms are provided as well.
Subpart B, covering electronic records, addresses both closed and open systems: closed systems are those controlled by the same users of the system who create or edit the electronic records, while open systems are controlled by individuals who are not responsible for the content of the electronic records. The same base requirements apply to both, but open systems are mandated to have additional security measures, which can be achieved through efforts such as data encryption. Both open and closed systems must be validated to show that the data is accurate and reliable, that the system performs consistently, and that the records can be retrieved with ease. Limiting personnel access to those who need it and performing authority and device checks, alongside using timestamps and performing regular operational checks, are required. Controls over documentation, including access and distribution, are necessary, as are policies holding individuals accountable for actions signed off on through their electronic signatures. This section also touches briefly on electronic signatures, noting that they must include specific, pertinent information, including the person’s name, the date, the time, and the meaning of the signature (i.e., whether it indicates approval, review, authorship, etc.). Finally, to avoid falsification, the electronic signature must be directly linked to the record itself.
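To make the linkage just described concrete, the following is an added example (not from the article, the regulation, or any vendor mentioned on the page) that binds the signer’s name, date, time, and meaning to a content hash of the record, so that a later edit to either the record or the signature is detected. The HMAC key, JSON canonicalisation, and field names are this example’s own assumptions.

```python
# Added example: a tamper-evident binding between an electronic record and its
# signature manifestation (signer, date/time, meaning), as Part 11 requires.
# Key handling, canonicalisation and the HMAC choice are assumptions of this
# example, not anything prescribed by the regulation.
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key; a real system would keep per-signer keys in a vault or HSM.
DEMO_KEY = b"demo-signing-key-not-for-production"


def canonical(obj) -> bytes:
    # Stable serialisation so identical content always hashes identically.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_record(record: dict, signer: str, meaning: str,
                key: bytes = DEMO_KEY, signed_at: str = "") -> dict:
    """Return a signature manifestation bound to the record's content hash."""
    manifestation = {
        "signer": signer,
        "signed_at": signed_at or datetime.now(timezone.utc).isoformat(),
        "meaning": meaning,  # e.g. approval, review, authorship
        "record_hash": hashlib.sha256(canonical(record)).hexdigest(),
    }
    # The MAC covers the manifestation, which covers the record hash, so neither
    # the record nor the name/date/time/meaning can be altered unnoticed.
    manifestation["mac"] = hmac.new(key, canonical(manifestation), "sha256").hexdigest()
    return manifestation


def verify_signature(record: dict, manifestation: dict, key: bytes = DEMO_KEY) -> bool:
    """True only if the manifestation is intact and the record still matches its hash."""
    claimed = dict(manifestation)
    mac = claimed.pop("mac", "")
    expected = hmac.new(key, canonical(claimed), "sha256").hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False  # the manifestation itself was altered or signed with another key
    current_hash = hashlib.sha256(canonical(record)).hexdigest()
    return hmac.compare_digest(current_hash, claimed.get("record_hash", ""))


if __name__ == "__main__":
    # Constructed sample result record.
    record = {"sample_id": "S-0001", "analyte": "glucose", "result": 5.4, "unit": "mmol/L"}
    sig = sign_record(record, "J. Doe", "approval")
    print("valid before edit:", verify_signature(record, sig))
    record["result"] = 6.1  # editing the record after it was signed
    print("valid after edit:", verify_signature(record, sig))
```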
Subpart C wholly concerns itself with electronic signatures and prescribes the requirements for their components and controls, including those for passwords and identification codes. Essentially, each individual’s signature must be unique, organizations must verify the signer’s identity prior to electronic signing, and signers must certify that their electronic signatures are the legal equivalent of their handwritten version. There are a number of controls that companies must be aware of to meet the electronic signature compliance requirements outlined in the code’s Parts 11.2 and 11.3. The FDA has provided a comprehensive, 12-page guidance document to assist with all aspects of compliance with 21 CFR Part 11 [2].
How to maintain audit readiness and compliance with 21 CFR Part 11
Perhaps the first step for labs to maintain compliance and audit readiness is to avoid common pitfalls in data integrity and security. Some of these hazards include the inadequate validation of computer systems and/or software, insufficient data backup processes, and inadequate staff training. Continuous monitoring can be used to identify potential threats in data security and produce real-time documentation of non-compliant activities—such as unauthorized personnel gaining access to sensitive data—to address those compliance issues as soon as possible. Some software allows you to create rules that trigger immediate notifications to authorized personnel when violations occur.
Addressing other issues, such as insufficient data backup procedures, may require lab managers to work together with their organization’s information technology department.
Jihoon Baek, founder and CEO of LIS provider Dendi, provided his thoughts about 21 CFR Part 11 and what he regularly sees in the laboratory industry: “The biggest pitfall by far in data integrity is human errors during manual data entry, which can lead to inaccuracies and inconsistent data records.” He elaborated that fully integrating electronic workflows as a means to reduce these errors is the best solution.
Another pitfall Baek sees regularly is a lack of data standardization. He describes many laboratories as using “Frankenstein software” that has been cobbled together over the years and never fully systematized. Rather than relying on this “Band-Aid approach” to solving issues as they crop up over time, making a conscious, regular effort to standardize the infrastructure of a lab’s systems is key not only to ensuring compliance but also to optimizing efficiency; he states that a lack of data standardization can lead to huge delays in what should be simple tasks.
In terms of data security, Baek mentions that many labs take a checklist approach but emphasizes that security cannot simply be a box that is checked; rather, it needs to be part of the organization's culture. Avoiding all-or-nothing approaches to IT security, such as eliminating arbitrary security policies that accomplish little more than increasing the workload of already overburdened laboratorians, is key. Along with ongoing assessment of possible security risks, labs can implement necessary security policies in order to achieve compliance.
How can my lab enhance its potential audit outcomes?
Baek, whose company offers a cloud-based software system, admits that it is not a panacea but says it reduces the risk of breach compared to on-premises systems, for small laboratories in particular. “Cloud-based software . . . tends to be more agile by nature with more frequent updates, which also allows issues in data integrity [and] security to be patched faster,” but he acknowledges that larger facilities may benefit from on-site software given the control, cost, and maintenance management such localized systems provide.
No matter the size of your laboratory, Baek suggests employing two-factor authentication for all users and a mobile device management program so that security policies align with the code and achieve compliance. He advises that validating security protocols is as much about the lab’s processes as it is about the tools they utilize, including software systems. Leveraging a lab’s own testing and documentation to assist with validation efforts is a suggestion he offers for those focusing on that particular aspect of compliance.
Final thoughts
As briefly touched on above, there are serious ramifications for laboratories that are non-compliant with 21 CFR Part 11. Baek calls attention to the fact that incurring fines and legal fees for non-compliance can jeopardize the financial security of the lab. Additionally, he highlights that accreditation could be placed in jeopardy for a lab with rogue data and security policies; loss of accreditation, the exit of critical lab partners, and even complete laboratory shutdown are potential negative outcomes associated with non-compliance.
References:
1. https://www.ecfr.gov/current/title-21/chapter-I/subchapter-A/part-11