Featured article by Tom Ricardo, Cloud Practice Director
Following the COVID-19 global pandemic, businesses in regulated industries are increasingly adopting cloud computing technologies to achieve more agility and efficiency in the face of uncertainty. As reported by Tech Republic, 85% of businesses will fully embrace the cloud by 2025, with 95% of workloads newly driven by the digital realm being deployed on cloud-native platforms. That percentage was significantly lower in 2021 at only 30%.
In addition to empowering companies to take control in times of adversity, our rapidly transforming digital-centric world practically demands a shift to the cloud. For regulated businesses, though, the cloud can be more than just the latest tech-savvy change. Cloud computing can assist regulated companies with GxP compliance.
As a result, Amazon Web Services (AWS) is emerging as a trusted provider to industry leaders in pharmaceuticals, biotechnology, and healthcare. AWS offers cloud solutions that enable organizations to overcome GxP-related challenges and achieve optimum compliance with GxP regulations.
Why Is GxP Compliance Important?
GxP compliance is vital to protect public health by ensuring patient safety, maintaining product quality, meeting regulatory requirements, and establishing a strong foundation for success and sustainability in regulated industries such as pharmaceuticals, biotechnology, medical devices, and clinical research. When organizations work hard to adhere to GxP regulations, they demonstrate their commitment to delivering safe, reliable, and effective products while mitigating risks and enhancing patient and consumer confidence.
GxP compliance includes Good Manufacturing Practices (GMP), Good Laboratory Practices (GLP), Good Clinical Practices (GCP), and many more disciplines. It establishes rigorous standards for manufacturing, testing, documentation, and quality management for continuous improvement. Finally, it helps foster a culture of quality, reliability, traceability, and accountability throughout an organization, ultimately benefitting patients and the industry.
Knowing what regulations apply directly to your region and discipline is important. Government agencies that promote, oversee, and enforce GxP compliance in the life sciences industry include:
- US Food and Drug Administration (FDA)
- European Medicines Agency (EMA)
- UK’s Medicines and Healthcare Products Regulatory Agency (MHRA)
- International Organization for Standardization (ISO)
Why Are Cloud Solutions Helpful?
Cloud solutions can provide numerous benefits for achieving optimum GxP compliance. Even with the help of a cloud provider, though, GxP compliance is a shared responsibility. Therefore, it’s important to understand specific compliance requirements, properly evaluate the capabilities and offerings of the cloud provider, and configure the cloud environment appropriately to meet GxP regulations.
Cloud-based solutions that can help enhance compliance with GxP regulations include:
- Infrastructure as a Service (IaaS)
- Compliance Documentation and Controls
- Data Security and Encryption
- Identity and Access Management (IAM)
- Logging and Monitoring
- Disaster Recovery and Business Continuity
- Scalability and Flexibility
- Change Management and Version Control
- Vendor Management and Auditing
GxP Compliance Considerations
Achieving GxP compliance is an ongoing process. Businesses must regularly review and update their compliance practices as regulations evolve and technology changes. It is important to ensure that compliance efforts continually align with industry-specific and jurisdictional requirements.
Some key considerations to keep in mind when striving for GxP compliance in the cloud or any technology infrastructure include:
- Regulatory Requirements (e.g., FDA 21 CFR Part 11, EU Annex 11, ICH guidelines, etc.)
- Validation Documentation (e.g., validation plans, risk assessments, standard operating procedures or SOPs, change control procedures, etc.)
- Data Integrity (i.e., prevent unauthorized access, modification, or deletion of data with controls like data encryption, access controls, data backups, and audit trails)
- Risk Management (i.e., conduct thorough risk assessments to identify potential risks and their impact on GxP compliance, implement risk mitigation strategies and controls to reduce risks to an acceptable level, and document risk assessments and ensure ongoing monitoring and review of risks)
- Change Management (i.e., implement change control procedures, document change requests, perform impact assessments, and ensure appropriate testing and validation of changes to control modifications to infrastructure, software, or systems)
- Data Security (i.e., use encryption for data at rest and in transit, implement strong access controls like role-based access control or RBAC and multi-factor authentication or MFA, and regularly monitor and audit access logs for suspicious activity)
- Supplier Management (i.e., for third-party services or vendors, conduct due diligence to ensure they meet GxP compliance requirements and implement appropriate vendor management processes, including evaluating supplier qualifications, conducting audits, and maintaining contracts defining responsibilities and obligations)
- Training and Awareness (i.e., provide appropriate GxP training to personnel involved in the infrastructure and related processes, make employees aware of their responsibilities and the importance of GxP compliance, and document training activities and maintain training records)
- Audit and Monitoring (i.e., tools that can help collect and analyze audit logs, monitor system performance, and track changes made to the infrastructure)
- Documentation Retention (i.e., data and documentation retention must follow regulatory requirements, be retained for the required period, and be stored securely and with easy access)
AWS Has the Tools to Support GxP Compliance
AWS provides several tools and services that can be used to achieve GxP compliance. These tools and services can be used to:
- Support validation activities in GxP environments
- Monitor data integrity for GxP purposes
- Maintain audit trails that record all relevant events and activities related to GxP data on AWS
- Implement a change control process to manage changes to GxP data on AWS
- Manage compliance with regulatory requirements
When using AWS in a regulated environment, consider the following tools for GxP compliance:
AWS Artifact is a self-service portal that provides on-demand access to a wide range of compliance-related documents, certifications, and audit reports, offering transparency and assurance regarding the security and regulatory compliance of AWS services.
In the context of GxP compliance, AWS Artifact offers valuable documentation that supports audits and assessments like GxP-related certifications, attestation reports, and third-party audit reports. These artifacts provide evidence of AWS’s commitment to security, data privacy, and compliance with relevant regulations.
Access to AWS Artifact allows organizations to obtain the documentation required to demonstrate GxP compliance and fulfill regulatory requirements.
AWS Identity and Access Management (IAM)
IAM enables businesses to manage user access and permissions for AWS resources, helping to enforce least privilege principles and segregation of duties. With IAM, companies can define fine-grained access controls, assign roles and permissions based on job functions (role-based access control or RBAC), and implement multi-factor authentication (MFA) for added security.
These capabilities ensure that only authorized personnel can access GxP-related resources and data, reducing the risk of unwanted or unsanctioned actions or data breaches.
IAM also enables centralized user management, simplifying the administration of user accounts and access permissions.
CloudTrail provides detailed logs of user activities and API calls within an AWS environment, enabling organizations to monitor and audit their infrastructure for compliance. These logs capture valuable information like user identity, timestamps, source IP addresses, and actions performed, providing a comprehensive audit trail for GxP-related activities. If it’s not documented, there’s no way to attest to it happening.
By analyzing CloudTrail logs, businesses can detect and investigate any unauthorized or non-compliant activities, ensuring the integrity and security of their GxP systems and data.
CloudTrail also supports integration with other AWS services, enabling automated responses and alerts based on specific events or compliance rules.
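The kind of CloudTrail review described above, as an added example that is not code from the original article: it reads records in CloudTrail's JSON format and flags changes to GxP data or its controls, sessions without MFA, denied access attempts, and changes to the trail itself. The bucket name, users, IP addresses and the watched event lists are constructed assumptions.

```python
import json

# Event names watched in this example (a sample list chosen here, not a standard).
CHANGE_EVENTS = {"DeleteObject", "PutBucketPolicy", "PutBucketVersioning", "PutBucketLifecycle"}
TRAIL_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}

def review(log_text, gxp_buckets):
    """Return one finding per CloudTrail record that needs a reviewer's attention."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        ident = rec.get("userIdentity") or {}
        attrs = (ident.get("sessionContext") or {}).get("attributes") or {}
        mfa = attrs.get("mfaAuthenticated") == "true"  # CloudTrail stores a string
        bucket = (rec.get("requestParameters") or {}).get("bucketName")
        name, reasons = rec.get("eventName"), []
        if name in TRAIL_EVENTS:
            reasons.append("audit trail changed")
        if bucket in gxp_buckets:
            if rec.get("errorCode") == "AccessDenied":
                reasons.append("denied access attempt")
            elif name in CHANGE_EVENTS:
                reasons.append("change to GxP data or its controls")
                if not mfa:
                    reasons.append("no MFA on session")
        if reasons:
            findings.append({"time": rec.get("eventTime"), "who": ident.get("arn"),
                             "ip": rec.get("sourceIPAddress"), "action": name, "reasons": reasons})
    return findings

def _rec(time, name, user, ip, bucket=None, mfa=None, error=None):
    """Build a constructed record in CloudTrail's JSON shape (sample data only)."""
    ident = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/" + user}
    if mfa is not None:
        ident["sessionContext"] = {"attributes": {"mfaAuthenticated": mfa}}
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": ident, "errorCode": error,
            "requestParameters": {"bucketName": bucket} if bucket else None}

SAMPLE_LOG = json.dumps({"Records": [
    _rec("2024-03-01T09:12:44Z", "PutObject", "alice", "198.51.100.10", "gxp-records", "true"),
    _rec("2024-03-01T10:03:02Z", "DeleteObject", "bob", "198.51.100.11", "gxp-records"),
    _rec("2024-03-01T10:20:15Z", "PutBucketVersioning", "carol", "198.51.100.12", "gxp-records", "true"),
    _rec("2024-03-01T10:21:40Z", "StopLogging", "carol", "198.51.100.12"),
    _rec("2024-03-01T11:45:09Z", "GetObject", "dave", "203.0.113.7", "gxp-records", "false", "AccessDenied"),
    _rec("2024-03-01T12:00:00Z", "DeleteObject", "bob", "198.51.100.11", "scratch-bucket"),
]})

if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_LOG, {"gxp-records"}), indent=2))
```

S3 object-level events such as DeleteObject and GetObject appear in a trail only when data event logging is enabled for the bucket.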
AWS Config provides continuous monitoring and assessment of the configuration and compliance status of AWS resources. It helps businesses ensure their cloud environment adheres to GxP requirements by providing detailed insights into resource configurations, relationships, and changes over time.
Organizations can use this tool to define and enforce desired configurations, set compliance rules, and receive real-time alerts when configuration changes deviate from established policies. This enables proactive identification and remediation of potential compliance issues, reducing non-compliance risk.
AWS Config also provides a historical view of resource configurations, collecting evidence of GxP compliance to facilitate audits and investigations. This can also help with maintaining GxP requirements for data integrity purposes.
CloudFormation allows organizations to define and provision their AWS infrastructure as code (IaC), enabling consistent and repeatable deployments. With CloudFormation, GxP-compliant infrastructure can be configured and deployed using predefined templates that include security controls, encryption, access management, and other compliance-related configurations. This ensures a standardized and auditable infrastructure that aligns with GxP regulations.
Additionally, CloudFormation enables efficient change management, as modifications to the infrastructure can be made through version-controlled templates, reducing the risk of configuration errors.
This tool is useful for validation because it can be used to create and manage AWS resources in a controlled and auditable manner.
Amazon S3 (Simple Storage Service) is a powerful solution for achieving GxP compliance in the cloud. S3 provides secure, durable, and highly scalable object storage for organizations to store and retrieve GxP-related data (i.e., data archiving, backups, and document management). Businesses that use S3 can take advantage of different features to meet GxP compliance, including data encryption at rest and in transit, access control mechanisms, and data lifecycle management.
Also, S3 offers versioning and replication capabilities, ensuring data integrity and availability. Amazon S3 Object Lock is a feature of Amazon S3 that allows businesses to enforce a write-once-read-many (WORM) model for objects. Object Lock can prevent GxP data from being modified or deleted for a specified period.
Finally, S3 integrates with other AWS services, enabling businesses to build GxP-compliant data pipelines and analytics workflows.
The comprehensive security and compliance features of S3, coupled with its scalability and reliability, make it an ideal choice for storing and managing GxP-related data in the cloud while meeting the stringent requirements of GxP regulations.
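A compliance-rule style check for the S3 settings named above (versioning, KMS encryption, Object Lock), of the kind the AWS Config section describes; this is an added example, not code from the original article or from AWS. The bucket names, the wrapper keys `versioning`, `encryption` and `object_lock`, and the five-year minimum retention are assumptions; the inner dictionaries follow the S3 GetBucketVersioning, GetBucketEncryption and GetObjectLockConfiguration response shapes.

```python
KMS_ALGORITHMS = {"aws:kms", "aws:kms:dsse"}

def default_retention(lock):
    """Return (mode, days); S3 expresses default retention as either Days or Years."""
    ret = (lock.get("Rule") or {}).get("DefaultRetention") or {}
    return ret.get("Mode"), ret.get("Days", 0) + 365 * ret.get("Years", 0)

def evaluate(cfg, min_days):
    """Check one bucket's settings; returns a list of findings (empty = pass)."""
    findings = []
    if (cfg.get("versioning") or {}).get("Status") != "Enabled":
        findings.append("versioning is not enabled")
    sse = (cfg.get("encryption") or {}).get("ServerSideEncryptionConfiguration") or {}
    algos = {(r.get("ApplyServerSideEncryptionByDefault") or {}).get("SSEAlgorithm")
             for r in sse.get("Rules", [])}
    if not algos & KMS_ALGORITHMS:
        findings.append("default encryption does not use a KMS key")
    lock = (cfg.get("object_lock") or {}).get("ObjectLockConfiguration") or {}
    if lock.get("ObjectLockEnabled") != "Enabled":
        return findings + ["Object Lock is not enabled"]
    mode, days = default_retention(lock)
    if mode is None:
        return findings + ["Object Lock has no default retention rule"]
    if mode != "COMPLIANCE":  # governance-mode locks can be overridden with a permission
        findings.append(f"retention mode {mode} can be bypassed with s3:BypassGovernanceRetention")
    if days < min_days:
        findings.append(f"default retention {days} days is below required {min_days}")
    return findings

def _bucket(versioning, algo, mode=None, **period):
    """Constructed settings for one bucket, shaped like the S3 API responses."""
    lock = None  # buckets without Object Lock have no lock configuration at all
    if mode:
        lock = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                "Rule": {"DefaultRetention": {"Mode": mode, **period}}}}
    return {"versioning": {"Status": versioning}, "object_lock": lock,
            "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
                {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": algo}}]}}}

BUCKETS = {  # hypothetical bucket names
    "gxp-batch-records": _bucket("Enabled", "aws:kms", "COMPLIANCE", Years=7),
    "gxp-lab-results": _bucket("Enabled", "AES256", "GOVERNANCE", Days=30),
    "gxp-scratch": _bucket("Suspended", "AES256"),
}
MIN_RETENTION_DAYS = 5 * 365  # assumed policy value, not taken from any regulation

if __name__ == "__main__":
    for name, cfg in BUCKETS.items():
        print(name, evaluate(cfg, MIN_RETENTION_DAYS) or "PASS")
```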
AWS Key Management Service (KMS)
KMS allows organizations to create and control encryption keys to secure data at rest and in transit within AWS services. With KMS, businesses can encrypt sensitive GxP-related data stored in services like Amazon S3, Amazon EBS, or Amazon RDS.
KMS also provides granular access control over encryption keys, allowing companies to define who can create, manage, and use keys. By using KMS, organizations can ensure the confidentiality and integrity of their GxP data, mitigating the risk of unauthorized access or data breaches.
Finally, KMS integrates seamlessly with other AWS services and provides key management audit logs, simplifying the compliance reporting and auditing process.
Leveraging AWS KMS helps businesses meet GxP compliance requirements and maintain robust encryption practices to protect their sensitive data in the cloud.
CloudWatch provides monitoring, logging, and alerting capabilities for AWS resources, enabling businesses to proactively monitor their cloud environment’s health, performance, and security. CloudWatch enables organizations to collect and analyze logs, metrics, and events, helping to detect and respond to potential compliance issues in real time.
Additionally, CloudWatch allows for the set-up of alarms and notifications based on predefined thresholds, ensuring prompt action when compliance-related events occur. By leveraging CloudWatch, organizations can gain deep visibility into their AWS infrastructure, track system changes, monitor resource usage, and safeguard adherence to GxP regulations.
The comprehensive monitoring and alerting capabilities of CloudWatch contribute to maintaining a secure, compliant, and auditable cloud environment for GxP-related workloads and data.
Oxford Has the Right People to Support Regulated Businesses
While AWS does not offer GxP compliance as a service, it has various features to help build a compliant infrastructure, making achieving GxP compliance a shared responsibility between AWS and the customer. Businesses must configure and use AWS tools appropriately to meet specific compliance requirements. That’s where Oxford can help!
We’ve pre-vetted The Right Talent. Right Now.® These skilled individuals have extensive knowledge of the life sciences industry, relevant GxP compliance requirements, and specific expertise with AWS solutions.
Our AWS partnership enables us to solve your technical challenges related to GxP on AWS. Also, by working with AWS for our mutual customers, we are empowered with innovative solutions to your 21st-century problems.
We promise to be with you every step of the way as you strive for a more seamless and compliant future in business.