When a QA department turns its attention to data and security, most of the focus is on how these are controlled internally in relation to common regulations such as 21 CFR Part 11, Part 820, GMP, etc., and of course patient data regulations like HIPAA.
However, what about outsourced data storage facilities, such as hosting services providers, where a client's data, or your own, may be stored and managed?
Many companies, or vendors, that offer a cloud application data storage and management solution rely on the terms of a hosting agreement but forget to include in those terms the ability to perform an audit related to items like:
- Quality Management System of the services provider, including their SOPs and WIs.
- Security of the facility and the data stored in the facility.
- Backup processes and procedures.
- External audits and compliance related to local data security rules.
- Financial stability.
- Business interruptions and up-time service levels.
- A SAS 70 audit report.
Every Quality representative who works within the life sciences industry IT environment should have an audit plan that will enable them to evaluate the competence of these types of outsourced services providers to be a "qualified" extension to their own QMS and quality principles.
Does your QMS extend to audits of your outsourced data hosting services provider? If not, perhaps it should.