One topic that has been top of mind for many validation engineers, chief information officers, and executive management is Cybersecurity. You may be asking yourself why we are talking about Cybersecurity and validation together. Recent headlines will tell you why this topic should be of great interest to every validation engineer. As validation engineers we spend a lot of time stressing about risk assessments, system security, and qualification of system environments. Our job is supposed to be to validate the system to ensure its readiness for production use. Let me ask a question… How can you ensure that a system is ready for production use if it is not cyber-ready? This is why we are talking about Cybersecurity in the context of validated systems.
When it comes to computer systems in today’s highly networked environment, Cybersecurity is the elephant in the room. All networked systems may be vulnerable to cyber security threats. Businesses large and small may be subject to cyber-attacks and the exploitation of these vulnerabilities may present a risk to public health and safety if not properly addressed. Although we know these truths all too well, many validation engineers are not even discussing Cybersecurity as part of an overall validation strategy.
No company can prevent all incidents of cyber-attack, but it is critically important that companies begin to think seriously about how to protect themselves from persistent cyber criminals determined to inflict as much damage as possible on computer systems, in either highly regulated or non-regulated environments. One thing we know about cyber criminals is that they are equal opportunity offenders – everyone has a degree of vulnerability. To beat them at their game, you have to be one step ahead of them.
In the validation world, we often refer to validation testing as IQ/OQ/PQ testing. I would like to submit for your review and consideration another type of enhanced validation testing that we should be doing: Cybersecurity qualification, or as I like to refer to it, “CyQ”. What is a CyQ? It is confirmation of a system’s protection controls and its readiness to prevent a cyber-attack. In one of my recent blog posts, I declared that “computer systems validation as we know it is dead!” Now of course I meant that tongue in cheek! What I was referring to is that it is time to rethink our validation strategy, because we need to address the vulnerabilities of today’s cloud-based and on-premises systems with respect to the Cybersecurity risk they carry. We can no longer look at systems the way we did in the 1980s. Many life sciences companies are deploying cloud-based technologies, mobile systems, the Internet of Things (IoT) and many other advanced technologies in the pursuit of innovation, and these may drive greater risk profiles in validated systems. Incorporating CyQ in your overall validation strategy is one way to address these challenges.
The National Institute of Standards and Technology (NIST) introduced a Cybersecurity Framework. The five elements of the framework (Identify, Protect, Detect, Respond, and Recover) are shown in the figure below.
As a validation engineer I have studied this framework for its applicability to validated systems. Each element of the framework addresses a dimension of your cybersecurity profile. To conduct a CyQ assessment, you need to examine each element of the cybersecurity framework to determine your readiness in each respective category. I have developed a CyQ Excel spreadsheet which examines each element of the framework and allows you to summarize your readiness to prevent a cyber-attack. (If you would like a copy of the CyQ Excel spreadsheet, please contact me using the contact form and I will happily send it to you.)
Remember, for validated systems, if it is not documented, it did not happen! Cybersecurity Qualification analysis must be documented. You must be ready to explain to regulators when it comes to data integrity and systems integrity, what controls you have in place to protect both the data and the systems under your management.
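To make the assessment and documentation steps above concrete, here is an added example of a minimal CyQ readiness record organised by the five NIST Cybersecurity Framework functions. It is not the author's spreadsheet and not NIST material; the control identifiers (such as "CyQ-PR-01"), statuses, document references and the scoring rule are constructed assumptions for illustration. The one rule it enforces from the post is that a control with no documented evidence earns no credit, whatever status someone has ticked for it.

```python
"""
Added example: a minimal CyQ (Cybersecurity Qualification) readiness record
organised by the five NIST Cybersecurity Framework functions. Not the
author's spreadsheet; the control identifiers, statuses, scoring weights and
document references below are constructed sample data.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List

CSF_FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"
    NOT_IMPLEMENTED = "not implemented"


@dataclass
class Control:
    function: str          # one of CSF_FUNCTIONS
    control_id: str        # local identifier (constructed, e.g. "CyQ-PR-01")
    description: str
    status: Status
    evidence: List[str] = field(default_factory=list)  # document / record references

    def score(self) -> float:
        """Credit for this control, in [0, 1]. Undocumented controls earn
        nothing, however they are marked: for a validated system, if it is
        not documented, it did not happen."""
        if not self.evidence:
            return 0.0
        return {Status.IMPLEMENTED: 1.0, Status.PARTIAL: 0.5,
                Status.NOT_IMPLEMENTED: 0.0}[self.status]


def assess(controls: List[Control]) -> Dict[str, dict]:
    """Summarise readiness per CSF function: mean control score plus the list
    of controls that need work before the system can be called cyber-ready."""
    summary = {f: {"controls": 0, "score": 0.0, "gaps": []} for f in CSF_FUNCTIONS}
    for c in controls:
        if c.function not in summary:
            raise ValueError(f"{c.control_id}: unknown CSF function {c.function!r}")
        entry = summary[c.function]
        entry["controls"] += 1
        entry["score"] += c.score()
        if c.score() < 1.0:
            reason = "no documented evidence" if not c.evidence else c.status.value
            entry["gaps"].append(f"{c.control_id} ({reason})")
    for entry in summary.values():
        entry["readiness"] = (round(entry["score"] / entry["controls"], 2)
                              if entry["controls"] else 0.0)
    return summary


def overall_readiness(summary: Dict[str, dict]) -> Dict[str, float]:
    """Two views of the whole: the average across functions, and the weakest
    function, which is the one an attacker will actually find."""
    values = [entry["readiness"] for entry in summary.values()]
    return {"mean": round(sum(values) / len(values), 2), "weakest": min(values)}


def report_lines(summary: Dict[str, dict]) -> List[str]:
    """Plain-text CyQ summary that can be filed with the validation package."""
    lines = ["CyQ readiness summary (constructed sample data)"]
    for function, entry in summary.items():
        lines.append(f"{function:<9} readiness={entry['readiness']:.2f} "
                     f"controls={entry['controls']}")
        for gap in entry["gaps"]:
            lines.append(f"    gap: {gap}")
    overall = overall_readiness(summary)
    lines.append(f"Overall: mean={overall['mean']:.2f} weakest={overall['weakest']:.2f}")
    return lines


# Constructed sample controls for an imaginary validated system.
SAMPLE_CONTROLS = [
    Control("Identify", "CyQ-ID-01", "Asset and interface inventory", Status.IMPLEMENTED, ["ASSET-LIST-001"]),
    Control("Identify", "CyQ-ID-02", "Cyber risk assessment", Status.PARTIAL, ["RA-014"]),
    Control("Protect", "CyQ-PR-01", "Unique user IDs and role-based access", Status.IMPLEMENTED, ["SOP-SEC-002"]),
    Control("Protect", "CyQ-PR-02", "Patch management", Status.IMPLEMENTED, []),  # claimed, never recorded
    Control("Detect", "CyQ-DE-01", "Periodic audit trail review", Status.IMPLEMENTED, ["SOP-DI-007"]),
    Control("Respond", "CyQ-RS-01", "Incident response plan", Status.NOT_IMPLEMENTED, []),
    Control("Recover", "CyQ-RC-01", "Backup and tested restore", Status.IMPLEMENTED, ["BKP-TEST-001"]),
]

if __name__ == "__main__":
    print("\n".join(report_lines(assess(SAMPLE_CONTROLS))))
```

Two design choices are worth noting. The "Protect" function scores only 0.50 in the sample even though both of its controls are marked implemented, because patch management has no evidence behind it; that is exactly the finding a regulator would make. And the overall figure reports the weakest function alongside the mean, so a respectable average cannot hide a function (here "Respond") with no readiness at all.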
Another consideration in the management of cyber threats is EDUCATION. The biggest cyber breach may come from the person in the cubicle next to you! You must deliver (and document) cyber training, and do it on a frequent basis to keep pace.
For your next validation project, address the elephant in the room explicitly. Cyber threats are not diminishing; they are increasing. It is important to understand their origin and seriously consider how they can and will impact validated systems. We can no longer think that IQ/OQ/PQ is sufficient. While it has served its purpose in times past, we need a more effective strategy to address today’s clear and present danger to validated systems – the next cyber-attack. It could be YOUR SYSTEM. Deal with it!