
An Audit Readiness Guide to Data Integrity and Security

Examining the scope of 21 CFR Part 11 and what you can do to remain compliant


With many recent instances of cybersecurity attacks and data breaches, it is more important than ever for laboratories to protect the integrity and security of their data. Maintaining properly secure and reliable data is not just important for your lab, its patients, and the general public; it is mandated by the government. 21 CFR Part 11 [1] sets forth the federal requirements to ensure the integrity and security of electronic records. It protects public health and safety by mandating secure and accurate electronic data. If compliance with 21 CFR Part 11 is not achieved, you may receive a warning letter, citation, monetary penalty, injunction, or even criminal prosecution, among other potential punishments designed to right the non-compliant wrong(s).

What is the scope of 21 CFR Part 11?

Using 21 CFR Part 11 as a guideline for electronic records’ administration and maintenance alongside your lab’s quality management system, your lab’s electronic data transmission can remain compliant and serve you, your team, and your customers or patients well. The code applies to companies operating under the Food and Drug Administration’s (FDA) oversight that utilize electronic records and signatures, including research and clinical laboratories. According to 21 CFR 11.3(b)(6), electronic records are anything in digital format handled by a computer system, which includes patient records and spreadsheets, as well as audio and video files. 21 CFR 11.3(b)(7) defines electronic signatures as any symbol approved or used by the individual to constitute the equivalent of their handwritten signature.


21 CFR Part 11 is broken into three subsections to address the scope and offer general definitions of key terms utilized therein (Subpart A), establish requirements for electronic records (Subpart B), and instruct the use of electronic signatures (Subpart C). In general, the code serves as a means to ensure that all electronic records are reliable, accurate, and equivalent to paper records such that they can be a complete substitute. It is important to note that all computer systems maintained under 21 CFR Part 11 must be made available for FDA inspection; thus, maintaining continual compliance is of the utmost importance.

Subpart A concerns itself with the general provisions and scope of 21 CFR Part 11 as a whole, i.e., what the code does and does not apply to. Implementation as it pertains to records that must be submitted to the FDA is outlined, and key definitions for terms are provided as well.

Subpart B, covering electronic records, addresses both closed and open systems; closed systems are those controlled by the same people who create or edit the electronic records, while open systems are controlled by individuals who are not responsible for the content of the electronic records. The same base requirements apply to both, but open systems are mandated to have additional security measures, which can be achieved through efforts such as data encryption. Both open and closed systems must be validated to show that the data is accurate and reliable, that the system performs consistently, and that records can be retrieved with ease. Limiting personnel access to those who need it and performing authority and device checks, alongside using timestamps and performing regular operational checks, are required. Controls over documentation, including access and distribution, are necessary, as are policies holding individuals accountable for actions signed off on through their electronic signatures. This section also touches briefly on electronic signatures, noting that they must include specific, pertinent information: the person’s name, the date, the time, and the meaning of the signature (i.e., whether it indicates approval, review, authorship, etc.). Finally, to avoid falsification, the electronic signature must be directly linked with the record itself.
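The signature-to-record linkage described above, as an added illustration that is not part of the original article: the signature manifestation (name, date, time, meaning) is bound to the record content with a keyed MAC, so that altering either the record or the manifestation after signing is detectable. The per-signer secrets, the record fields, and the allowed meanings are constructed assumptions; a real system would hold signer keys in a key store tied to a verified identity.

```python
import hmac
import hashlib
import json
from datetime import datetime, timezone

# Constructed per-signer secrets (assumption); never keep real keys in source code.
SIGNER_KEYS = {"alice": b"constructed-secret-for-alice"}

# Signature meanings the record system accepts (assumption).
MEANINGS = {"approval", "review", "authorship"}


def canonical(obj):
    """Deterministic JSON so the same record always produces the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_record(record, signer, meaning, when=None):
    """Attach a Part 11-style manifestation and bind it to the record with an HMAC."""
    if meaning not in MEANINGS:
        raise ValueError(f"unknown signature meaning: {meaning}")
    when = when or datetime.now(timezone.utc)
    manifestation = {
        "name": signer,
        "date": when.date().isoformat(),
        "time": when.strftime("%H:%M:%S UTC"),
        "meaning": meaning,
    }
    # The MAC covers the record AND the manifestation, so neither can be
    # edited, nor the signature moved to a different record, without detection.
    msg = canonical({"record": record, "signature": manifestation})
    tag = hmac.new(SIGNER_KEYS[signer], msg, hashlib.sha256).hexdigest()
    return {"record": dict(record), "signature": manifestation, "mac": tag}


def verify_signed(signed):
    """Return True only if record, manifestation and MAC are still consistent."""
    key = SIGNER_KEYS.get(signed["signature"]["name"])
    if key is None:
        return False
    msg = canonical({"record": signed["record"], "signature": signed["signature"]})
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["mac"])


def demo():
    """Sign a constructed result, then tamper with it: returns (valid_before, valid_after)."""
    record = {"sample_id": "S-001", "result": "12.4 mg/dL"}  # constructed sample data
    signed = sign_record(record, "alice", "approval",
                         datetime(2024, 11, 1, 9, 30, tzinfo=timezone.utc))
    ok_before = verify_signed(signed)
    signed["record"]["result"] = "8.1 mg/dL"  # post-signature edit of the record
    return ok_before, verify_signed(signed)
```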

Subpart C wholly concerns itself with electronic signatures and prescribes the requirements for their components and controls, including those for passwords and identification codes. Essentially, each individual’s signature must be unique, organizations must verify the signer’s identity prior to electronic signing, and signers must certify that their electronic signatures are the legal equivalent of their handwritten version. There are a number of controls that companies must be aware of to meet the electronic signature compliance requirements outlined in the code’s Parts 11.2 and 11.3. The FDA provided a comprehensive, 12-page guidance document to assist with full compliance with all aspects of 21 CFR Part 11 [2].

How to maintain audit readiness and compliance with 21 CFR Part 11

Perhaps the first step for labs to maintain compliance and audit readiness is to avoid common pitfalls in data integrity and security. Some of these hazards include the inadequate validation of computer systems and/or software, insufficient data backup processes, and inadequate staff training. Continuous monitoring can be used to identify potential threats in data security and produce real-time documentation of non-compliant activities—such as unauthorized personnel gaining access to sensitive data—to address those compliance issues as soon as possible. Some software allows you to create rules that trigger immediate notifications to authorized personnel when violations occur.
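A minimal version of the rule-based monitoring described above, added here as an illustration and not taken from any product mentioned in the article: constructed access-log lines are checked against an authority list (who may perform which action) and an approved-device list, and each violation becomes an alert record that could feed a notification. The log format, user names, device names, and permissions are all constructed assumptions.

```python
import re
from collections import namedtuple

# Constructed access-log lines in a hypothetical "timestamp user device action record" format.
LOG_LINES = [
    "2024-11-01T09:01:00Z alice WS-LAB-01 READ patient/P-1001",
    "2024-11-01T09:02:10Z bob WS-LAB-07 EDIT patient/P-1001",
    "2024-11-01T09:03:45Z carol LAPTOP-X READ patient/P-1002",
    "2024-11-01T23:15:00Z alice WS-LAB-01 EXPORT patient/P-1003",
]

# Hypothetical authority check: actions each user is permitted on patient records.
AUTHORITY = {"alice": {"READ", "EDIT"}, "bob": {"READ"}}
# Hypothetical device check: terminals approved to touch these records.
APPROVED_DEVICES = {"WS-LAB-01", "WS-LAB-07"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
Alert = namedtuple("Alert", "ts user rule detail")


def check_line(line):
    """Return the list of rule violations found in one log line (empty if compliant)."""
    m = LINE_RE.match(line)
    if not m:
        # An unparseable line is itself worth flagging: monitoring gaps hide violations.
        return [Alert("?", "?", "unparseable", line)]
    ts, user, device, action, record = m.groups()
    alerts = []
    if device not in APPROVED_DEVICES:
        alerts.append(Alert(ts, user, "device_check", f"{device} is not an approved terminal"))
    if action not in AUTHORITY.get(user, set()):
        alerts.append(Alert(ts, user, "authority_check", f"{user} may not {action} {record}"))
    return alerts


def scan(lines):
    """Run every rule over every line; the result is the real-time documentation to act on."""
    return [alert for line in lines for alert in check_line(line)]


if __name__ == "__main__":
    for alert in scan(LOG_LINES):
        print(f"{alert.ts} {alert.rule}: {alert.detail}")
```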

Addressing other issues, such as insufficient data backup procedures, may require lab managers to work together with their organization’s information technology department.

Jihoon Baek, founder and CEO of LIS provider Dendi, provided his thoughts about 21 CFR Part 11 and what he regularly sees in the laboratory industry: “The biggest pitfall by far in data integrity is human errors during manual data entry, which can lead to inaccuracies and inconsistent data records.” He elaborated that fully integrating electronic workflows as a means to reduce these errors is the best solution.

Another pitfall Baek sees regularly is a lack of data standardization. He describes many laboratories as using “Frankenstein software” which has been cobbled together over the years and never fully systematized. Rather than taking this “Band-Aid approach” to solving issues as they crop up over time, making a conscious effort to standardize the infrastructure of a lab’s systems regularly is key not only to ensuring compliance but also to optimizing efficiency; he states that a lack of data standardization can lead to huge delays in what should be simple tasks.

In terms of data security, Baek mentions that many labs take a checklist approach but emphasizes that security cannot simply be a box that is checked; rather, it needs to be part of the organization's culture. Avoiding all-or-nothing approaches to IT security, such as eliminating arbitrary security policies that accomplish little more than increasing the workload of already overburdened laboratorians, is key. Along with ongoing assessment of possible security risks, labs can implement necessary security policies in order to achieve compliance.

How can my lab enhance its potential audit outcomes?

Baek, whose company offers a cloud-based software system, admits that it is not a panacea but reduces the risk of breach as compared to on-premise systems for small laboratories in particular. “Cloud-based software . . . tends to be more agile by nature with more frequent updates, which also allows issues in data integrity [and] security to be patched faster,” but he acknowledges that larger facilities may benefit from on-site software given the control, cost, and maintenance management such localized systems provide.

No matter the size of your laboratory, Baek suggests employing two-factor authentication for all users and a mobile device management program so that security policies align with the code and achieve compliance. He advises that validating security protocols is as much about the lab’s processes as it is about the tools they utilize, including software systems. Leveraging a lab’s own testing and documentation to assist with validation efforts is a suggestion he offers for those focusing on that particular aspect of compliance.

Final thoughts

As briefly touched on above, there are serious ramifications for laboratories that are non-compliant with 21 CFR Part 11. Baek calls attention to the fact that incurring fines and legal fees for non-compliance can jeopardize the financial security of the lab. Additionally, he highlights that accreditation could be placed in jeopardy for a lab with rogue data and security policies; loss of accreditation, the exiting of critical lab partners, and even complete laboratory shutdown are potential negative outcomes associated with non-compliance.

References:

1. https://www.ecfr.gov/current/title-21/chapter-I/subchapter-A/part-11

2. https://www.fda.gov/media/75414/download

About the Author

  • Tara Cepull, MA, earned a master’s degree with high distinction in clinical psychology in 2009. She offered inpatient and outpatient psychological services for seven years prior to a career pivot that allowed her to gain nearly eight years of executive leadership experience in the recruiting and staffing industry with a particular focus on laboratory personnel, CLIA lab directors, and pathologists. She is now focusing her vocational energy on writing, editing, and content creation. In her free time, Tara enjoys hiking in Shenandoah National Park with her husband, playing video games, and curling up with a good book.
