GxP in FDA-regulated Industries: Comply With Complex Good Practices
What Is GxP?
Protecting an organization’s digital assets from crippling cyberattacks is more complicated than ever. Even more overwhelming is the ever-growing array of compliance regulations and standards that organizations must satisfy. While acronyms like HIPAA, GDPR, GLBA, PCI DSS, NIST, and SOX easily roll off the tongues of security and compliance professionals, another acronym is becoming increasingly important in industries like pharmaceuticals, cosmetics, and food processing: GxP.
The "x" in GxP is a placeholder, and the other initials stand for “Good Practice.” Good Practice requirements for different aspects of the development and distribution of food and health products are maintained by the U.S. Food and Drug Administration (FDA) via the Food, Drug, and Cosmetic Act and the Public Health Service Act.
But since many manufacturers in these spaces are global, they are accountable to a somewhat broader set of requirements that includes directives from the European Union, Japan, and other places where companies might do business.
Specific GxP standards include:
- Current Good Manufacturing Practice (CGMP): Standards for “methods, facilities, and controls used in manufacturing, processing, and packing” of FDA-regulated products. These requirements extend to drugs for humans and animals, medical devices, blood products, food and dietary supplements—and even animal feed.
- Good Clinical Practice (GCP): Regulations for clinical trials of drugs, biological products, and medical devices.
- Good Laboratory Practice (GLP): Standards for nonclinical laboratory studies.
- Good Distribution Practice (GDP): Requirements for wholesalers to ensure the quality and integrity of medicines throughout the supply chain.
- Good Quality Practice (GQP): Applying CGMP within the framework of a pharmaceutical quality system (PQS). Japan’s Ministry of Health, Labour, and Welfare (MHLW) governs GQP in that country with its Ordinance No. 136, which has become something of a global standard.
- Good Pharmacovigilance Practice (GVP): Best practices for the ongoing safety monitoring of medicines.
The Critical Content Requirements of GxP
As you can see, GxP requirements are immense and confusing. There is no single set of rules to refer to, and organizations are largely on their own when it comes to collating the requirements in the United States, let alone adding in the requirements of other jurisdictions where they might do business. Unlike with other regulations and standards, there is no single GxP certification to audit against, and true experts in GxP compliance are relatively rare.
But regardless of what the “x” represents in GxP, protecting sensitive content is of paramount importance for complying with the letter and spirit of GxP. This involves a number of angles:
- Electronic Records Requirements: Controls for a Closed System. FDA 21 CFR Part 11 sets standards for electronic records and electronic signatures, impacting all digital data and content involved in GxP practices. Its controls for closed systems (§ 11.10) require the following technology controls:
- Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records
- An ability to generate accurate and complete copies in human readable and electronic form
- Protection of records to enable their accurate and ready retrieval
- Limiting system access to authorized individuals
- Secure, computer-generated, time-stamped audit trails that independently record the creation, modification, and deletion of records, without obscuring previously recorded information
The regulation also requires the following documented processes:
- Operational systems checks to enforce policies as appropriate
- Authority checks to ensure that only authorized individuals can view, alter, or sign a document
- Device checks to determine the validity of the source of data input
- Validation that those who manage electronic document systems have adequate training
- Written policies that hold individuals accountable for actions initiated under their electronic signatures
- Controls over the distribution of, access to, and use of documentation for system operation and maintenance
- Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation
Signed electronic records must display the following signature information (§ 11.50):
- The printed name of the signer
- The date and time when a signature was executed
- The meaning associated with the signature (e.g., review, approval, responsibility, authorship)
Good Documentation Practices (GDocP). As with other GxP requirements, there is not a single, authoritative document that enumerates GDocP.
These requirements are scattered through the documentation for other GxP standards, as well as through enforcement actions against entities cited for past violations. But as the name suggests, commonly accepted best practices are required when it comes to documentation, things that every business should be doing as part of general risk management.
One key element of GDocP is the establishment of standard operating procedures (SOPs) for record-keeping. Documented procedures and records are likewise required for certification to ISO 9001:2015, and they are critical for compliance with laws like the U.S. Prescription Drug Marketing Act (PDMA), which prohibits the sale of compromised, expired, and counterfeit drugs. Avoiding such violations requires detailed record-keeping.
GDocP guidelines for record-keeping SOPs include:
- Documents must be created contemporaneously with the events they describe, typed rather than handwritten except for legible side notations, checked for accuracy, and free from errors.
- Document approval must be executed by the authorized person only, with physical or electronic signature and date.
- Handwritten entries must be made with indelible ink. Space must be left for handwritten entries when expected, and no spaces made for handwritten entries should be left blank (“N/A” should be used when there is no entry needed).
- Document maintenance is done on a regular schedule, documents are maintained for the specified duration, document management systems are validated, and electronic records are backed up.
- Document modification must be carefully accounted for, whether handwritten or electronic. Procedures should be in place to prevent the use of superseded documents, and an audit trail should be maintained for all versions.
ALCOA+. At the end of the day, the complicated patchwork of GxP and GDocP requirements boils down to the principle of ALCOA+. This framework is seeing increased visibility and adoption across different industries and at many government and quasi-government bodies.
The original ALCOA acronym covered five basic attributes of data integrity, ensuring that data is:
- Attributable: Creators and contributors should be clearly identified, and version controls should protect against unauthorized changes.
- Legible: Documents must be visually readable and have linguistic clarity.
- Contemporaneous: It must be clear when a document was created, and the system should support ongoing contemporaneous record-keeping.
- Original: Original copies should be retained rather than later facsimiles.
- Accurate: Documents must be up to date and factually correct.
Since then, other important characteristics were added, and the framework was renamed ALCOA+. The added concepts are that content should be:
- Complete: An audit trail must demonstrate that no data has been removed.
- Consistent: Entries should appear in the expected chronological sequence, with date and time stamps that confirm it.
- Enduring: Content should be retained for at least as long as regulations require, and the equipment it is recorded on must be durable enough to meet that life cycle.
- Available: Data must be accessible to the authorized parties who need it, whether auditors or internal users relying on it for later work.
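The Part 11 controls listed above (retained record versions, authority checks, secure time-stamped audit trails, signature manifestations carrying name, time and meaning) and the ALCOA+ attributes Complete, Consistent and Original are easier to reason about in code. The following is an added example written for this page; it is not Kiteworks code, not part of any Kiteworks product, and not an implementation of Part 11 itself. The user accounts, printed names, record identifier and HMAC key are constructed for the demonstration, and the "insider" tampering at the end is simulated by editing the in-memory trail directly.

```python
# Added example, not Kiteworks code; users, record ids and the HMAC key are constructed.
from __future__ import annotations

import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed user directory: printed name plus the actions each account may perform
# (the "authority checks" in the list above).
USERS = {
    "lab.ortiz": {"printed_name": "R. Ortiz", "actions": {"view", "modify"}},
    "qa.lee": {"printed_name": "M. Lee", "actions": {"view", "modify", "sign"}},
    "auditor.kim": {"printed_name": "S. Kim", "actions": {"view"}},
}
SIGNATURE_MEANINGS = {"review", "approval", "responsibility", "authorship"}
GENESIS = "0" * 64  # prev_hash of the first audit entry


def utc_now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


class ElectronicRecordSystem:
    def __init__(self, audit_key: bytes):
        self._key = audit_key  # assumed to be held outside the app (HSM or separate log service)
        self.versions: dict[str, list[dict]] = {}  # record_id -> every version ever written
        self.trail: list[dict] = []  # append-only, hash-chained audit trail

    def _authorize(self, user: str, action: str) -> None:
        if action not in USERS.get(user, {}).get("actions", set()):
            raise PermissionError(f"{user} is not authorized to {action}")

    def _hash(self, entry: dict) -> str:
        # HMAC over every field except the hash itself; canonical JSON keeps it stable.
        body = json.dumps({k: v for k, v in entry.items() if k != "entry_hash"}, sort_keys=True)
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def _audit(self, user: str, action: str, record_id: str, detail: dict) -> None:
        entry = {"seq": len(self.trail) + 1, "timestamp": utc_now(), "user": user, "action": action,
                 "record_id": record_id, "detail": detail,
                 "prev_hash": self.trail[-1]["entry_hash"] if self.trail else GENESIS}
        entry["entry_hash"] = self._hash(entry)
        self.trail.append(entry)

    def write(self, user: str, record_id: str, content: str, reason: str) -> int:
        """Create or modify a record; earlier versions are retained, never overwritten."""
        self._authorize(user, "modify")
        history = self.versions.setdefault(record_id, [])
        version = len(history) + 1
        history.append({"version": version, "content": content, "signatures": []})
        self._audit(user, "create" if version == 1 else "modify", record_id,
                    {"version": version, "reason": reason,
                     "content_sha256": hashlib.sha256(content.encode()).hexdigest()})
        return version

    def sign(self, user: str, record_id: str, meaning: str) -> dict:
        """Attach a signature manifestation (printed name, time, meaning) to the current version."""
        self._authorize(user, "sign")
        if meaning not in SIGNATURE_MEANINGS:
            raise ValueError(f"unknown signature meaning: {meaning}")
        current = self.versions[record_id][-1]
        sig = {"printed_name": USERS[user]["printed_name"], "user": user, "signed_at": utc_now(),
               "meaning": meaning, "version": current["version"]}
        current["signatures"].append(sig)
        self._audit(user, "sign", record_id, dict(sig))
        return sig

    def read(self, user: str, record_id: str, version: int) -> dict:
        self._authorize(user, "view")
        return self.versions[record_id][version - 1]

    def verify_trail(self) -> tuple[bool, str]:
        """Walk the chain; a removed, reordered or edited entry breaks it."""
        prev = GENESIS
        for expected, e in enumerate(self.trail, start=1):
            if e["seq"] != expected:
                return False, f"sequence gap before entry {e['seq']}"
            if e["prev_hash"] != prev or self._hash(e) != e["entry_hash"]:
                return False, f"entry {e['seq']} altered or chain broken"
            prev = e["entry_hash"]
        return True, "ok"


def run_demo() -> dict:
    # Constructed scenario: a lab result is entered, corrected, approved, then tampered with.
    ers = ElectronicRecordSystem(audit_key=b"constructed-demo-key")
    ers.write("lab.ortiz", "BATCH-0042", "assay result: 98.7%", "initial entry")
    ers.write("lab.ortiz", "BATCH-0042", "assay result: 99.1%", "transcription error corrected")
    sig = ers.sign("qa.lee", "BATCH-0042", "approval")
    try:
        ers.sign("lab.ortiz", "BATCH-0042", "approval")  # the analyst has no sign authority
        blocked = False
    except PermissionError:
        blocked = True
    intact = ers.verify_trail()
    ers.trail[1]["detail"]["reason"] = "routine update"  # insider rewrites the recorded reason
    after_edit = ers.verify_trail()
    del ers.trail[1]  # insider removes the correction entry altogether
    after_delete = ers.verify_trail()
    return {"first_version": ers.read("auditor.kim", "BATCH-0042", 1)["content"], "signature": sig,
            "unauthorized_sign_blocked": blocked, "intact": intact,
            "after_edit": after_edit, "after_delete": after_delete}
```

Each audit entry's HMAC covers the previous entry's hash and a strictly increasing sequence number, so `verify_trail` flags both an edited entry and a silently deleted one, which is the property behind the Complete and Consistent attributes. The original version of the record stays readable after the correction, which is the Original attribute. The check is only as strong as the secrecy of the key: anyone who holds it can rewrite the chain, so in a real deployment the key, or the trail itself, belongs outside the application that writes the records.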
How Kiteworks Helps Customers Achieve the Critical Content Requirements of GxP
At most organizations, private content is shared with a wide variety of external users via multiple communications channels.
When sharing private content with internal and external people, users tend to use the communications channel that creates the least friction—often email attachments, but also file sharing, managed file transfer (MFT), and collaboration tools. This makes content sharing very difficult to track, let alone secure, opening an egregious gap in an organization’s security protection—and its GxP compliance.
Recent research by Kiteworks accentuates this issue. The 2022 Sensitive Content Communications Privacy and Compliance Report found that 62% of organizations use four or more systems for tracking, controlling, and securing sensitive data communications with third parties. And more than half of organizations (51%) lack technologies and processes to measure risk associated with such communication—let alone mitigate that risk.
This patchwork of private content communications channels creates unmanageable complexity when it comes to compliance with many standards, including GxP. Organizations seeking to comply with GxP need to develop a robust cybersecurity risk management approach as well as a vendor risk management strategy to mitigate data breaches in the supply chain. Kiteworks enables customers to achieve data integrity and comply with GxP requirements by creating a Private Content Network (PCN).
A PCN unifies the sharing of all GxP-relevant content under one platform. The PCN unifies all communications channels (email, file sharing platforms, MFT, web forms, APIs) and systems of record (research tools, CRM, ERP, EMRs, collaboration tools).
It unifies the sharing of all private content types with all external users (suppliers, accountants, regulators, investors, partners, legal counsel) and must be integrated with an organization’s broader third-party risk management (TPRM) strategy. The PCN should be compatible with hosting on-premises, by the vendor, or in a hybrid cloud.
A Kiteworks PCN enables organizations to demonstrate compliance with the following elements described above:
- Electronic Records Requirements
- Validation of systems
- Generation of accurate and complete copies
- Protection of records
- Limiting system access
- Secure, time-stamped audit trails
- Good Documentation Practices (GDocP)
- Record-keeping about document creation: timing, verification of accuracy, and error elimination
- Memorialization of document approval
- Document maintenance for the entire life cycle and validation of document management systems
- Audit trails for document modification, version control, and superseded versions
- Documentation of every element of ALCOA+ in a common PCN for all content sharing
Achieving Data Integrity
Developing and producing food and health products is serious business and achieving all these “good practices” is essential for both public safety and commercial viability. In the case of pharmaceutical companies, cyberattacks are up significantly.
One contributing factor is inadequate governance and risk management of third-party sensitive content communications; 37% of pharmaceutical companies indicated that a new approach or significant improvement is needed. The risk is certainly there. A recent investigation into data breaches and leakage in pharmaceuticals over a four-year period (2018–2021) found that 59% of the breaches and 76% of total exposures happened in the last two years of that time frame.
Considering that a typical drug that might be on the market for 10 years costs $2.6 billion, it is unacceptable to squander that investment with insecure private content communications practices.
Organizations must take a variety of actions to comply with all aspects of GxP. But when it comes to content, Kiteworks can help you comply with GxP requirements very quickly. By doing so, you can avoid myriad risks posed by your sensitive content related to every step of the development, manufacturing, and distribution process.
Request a Kiteworks demo for your organization today.