What cloud computing is, why it can save time and money, and how to select the right cloud solution.
Cloud computing is a relatively new phenomenon in the life sciences industry that many pharmaceutical companies and contract research organizations (CROs) are just beginning to adopt. Companies are looking to gain a better understanding of what cloud computing is, where its application makes sense in their world, and whether its web-based infrastructure complies with strict internal and regulatory requirements for data security and process in an increasingly globalized industry.
There is a spotlight on cloud computing because of its potential for streamlining clinical development processes, accelerating timelines, and cutting information technology (IT) costs. Initial efforts in life sciences have mostly concentrated on more efficient handling of the volumes of data generated by the R&D process, but there are also emerging clinical trials applications. Specifically, optimizing the way documents from multiple sources are collected, exchanged across a network, and archived is a significant focus. With tight security in place, document-centric processes involving internal and external stakeholders can be centralized, automated, and monitored in the cloud, which greatly improves operational efficiency. As research and development, complex protocols, and regulatory compliance activities are generating massive numbers of documents, traditional paper-based or simple desktop methods of document handling are becoming unsustainable, making the cloud an attractive alternative.
GARY S CHAPMAN/GETTY IMAGES
But what exactly is the cloud? This article attempts to answer this question from the perspective of the life sciences industry, which has concerns surrounding the security and compliance of the cloud. This article will also provide some practical considerations in selecting cloud solutions for clinical trial operations.
Cloud computing is a catchy term that refers to delivering hosted services over the Internet.1 It is an environment in which software does not reside on desktops, but rather resides on a web-based server with shared virtualized resources. Software is available on-demand, similar to what consumers experience when they download apps on their smartphones or personal digital assistants. This delivery model has the benefit of extending IT's capabilities for accessing web-based applications in real time while reducing the cost and footprint of the internal IT infrastructure. 2
The architecture behind cloud computing is a massive network of interconnected servers, often with a user-friendly front-end interface, which allows users to select services. These services have three characteristics that distinguish them from traditional hosting:3, 4
Besides the architectural component, cloud computing allows for a flexible operating platform. This means that in contrast to the traditional approach of using systems and processes that have been hardwired to particular technologies and providers, cloud computing offers a technology environment that changes the nature and economics of data exchange. The benefit of this platform is that companies can create a more open and responsive environment for innovation.5
The cloud platform has evolved to include an array of providers whose offerings fall into three broad categories: Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS), and Platform-as-a-Service (PaaS) (Figure 1). There is no requirement for upfront capital expenditure with any of these cloud configurations, so choosing the right cloud structure is a function of a customer's need to communicate outside firewalls, need for mobile access, interest in limiting upfront costs, scalability requirements, and high collaboration requirements.
Figure 1. Offerings fall into three broad categories.
Use of the cloud is expanding in the life sciences sector, with most of the emphasis on R&D activities and clinical trial management. Eli Lilly, for example, started using the cloud in basic research to accelerate the speed of development with less IT intervention, and to address the issue that the company's IT infrastructure was operating at full capacity.6-7 According to a recent article in Forbes, the company was under pressure to reduce fixed IT costs without compromising service levels; Eli Lilly began working with a cloud provider to offer computing capabilities to its global network of scientists.5
The resulting efficiencies have been quite compelling. The company was able to launch a 64-machine cluster computer working on bioinformatics sequence information, complete the work, and shut it down in 20 minutes, all for the cost of $6.40. To achieve that same process internally would have required 12 weeks of work.7
Similarly, for the past few years, the Pharmaceutical Research and Development IT organization at Johnson & Johnson (J&J) has been researching different models and providers of cloud computing to significantly expand computing and storage capabilities for its research and data-crunching functions.8 The company is working with business partners to move applications out of the grid and into the cloud, which will represent a growing portion of the company's IT expenditures.9 J&J Pharmaceutical R&D has been moving research projects to the cloud and is also looking to this technology to handle resource-intensive projects such as analyzing filing data for drug approval.
In January 2010, a survey of R&D researchers highlighted the growing acceptance of cloud computing within life sciences expected between 2010 and 2013.10 Of the 49 respondents, representing an array of large, mid-sized, and small pharmaceutical companies and academic institutions, more than half projected at least 11% of their IT budget over the three-year period will be dedicated to cloud computing. As a hint of things to come, 9.1% expect more than 50% of their IT budget will be allocated to cloud computing resources by 2013 (Figure 2).
Figure 2. Expected percentage of R&D budget devoted to cloud computing from 2010 to 2013.
Although cloud-based efforts in life sciences started primarily in basic research, the cloud is playing an emerging role in streamlining the heavily regulated world of clinical trials. During the start-up phase of clinical trials, for example, volumes of documents need to be exchanged with investigative teams around the globe, including protocols, investigator brochures, and budget work sheets, to name a few. Efforts by the investigative sites and other players to complete all of these documents can be a major obstacle to timely study start-up.11 Oftentimes, these processes are still handled using manual, paper-based methods such as unsecured e-mail, which does not track version changes or create a reliable audit trail. In a 2009 study of 252 investigative sites, 67 percent of respondents indicated they use unsecured e-mail as the primary method of document exchange during clinical trials.12 As further evidence of inefficiency, in the same study, one-quarter of investigative sites reported wasting more than three hours weekly searching for study-related documents.
The cloud transforms this labor-intensive process into one in which document exchange is efficient, secure, and controlled. As teams are no longer bound by the physical limits of paper, the cloud shifts the focus to the data contained within documents, and not on the administrative management of the static documents themselves. The data becomes essentially freed within the cloud and can be tracked, stored, and reused as necessary.
The issue of data security within the cloud is the top concern and the pivotal factor in its widespread use and acceptance. Data security in clinical operations has legal, regulatory, and competitive implications, so it must be robust, comprehensive, and reliable. Furthermore, in this industry, it must support compliance with the Food and Drug Administration's (FDA) 21 Code of Federal Regulations (CFR) Part 11, the Electronic Records; Electronic Signatures rule that requires computer systems and controls be available for FDA inspection.13 At the time of this writing, the FDA is in the early stages of developing a roadmap to explore areas where cloud computing may be effectively used.
Understandably, stakeholders looking to transition data to the cloud are seriously focused on the safety of their data and complying with regulatory mandates, even those yet to be defined. As there are no uniform data security standards, stakeholders considering outsourcing this function must find cloud technology providers who are sensitive to factors unique to the life sciences industry and adopt the highest level of security. Six key elements that should be considered when evaluating cloud-based solutions providers, such as those offering SaaS, are outlined in Figure 3, and are described in more detail below.
Figure 3. Key security elements that should be considered when evaluating cloud-based providers.
Application refers to the fact that when working in the cloud, the need for security starts immediately, as soon as users log on. It is the responsibility of the vendor to offer strong authentication and authorization systems. Authentication ensures that only those with valid user credentials obtain access to the application. Authorization entails controlling which services and data items users may access. As applications expand within the cloud, administrators decide which users are permitted to see and update them based upon defined parameters.
Additional security around applications includes:
Rigorous security checks to ensure data security and prevent breaches due to security vulnerabilities in the application are a must. While data are in use, all files should be encrypted, including electronically distributed copies, and no clear text versions should remain on end-user computers. Some advanced security features that a number of cloud providers may offer include real-time reports and user activity audit trails to track who is looking at what data, when information was accessed, and what changes, if any, were made to the data as a result of that access. Best-in-class vendors will ensure that sensitive data that are backed up to facilitate quick recovery in case of disaster are protected by strong encryption schemes to prevent accidental leakage.
Security for a redundant infrastructure is essential to provide uninterruptible service. Best practices for cloud technology providers include using real-time replication, multiple connections, alternate power sources, and state-of-the-art emergency response systems to provide thorough data protection.
Process security is a function that qualified cloud technology vendors take very seriously to ensure thorough reviews of their security policies and procedures. As a best practice, they should consider earning SAS 70 Type II certification from the American Institute of Certified Public Accountants or international equivalents.14 SAS 70 certification is an internationally recognized auditing standard, and Type II refers to an independent audit of a company's procedures, policies, and controls to verify and validate that the organization is actually following them. Another recognized measure of risk management strategies is the ISO-27001 certification, an Information Security Management System (ISMS) standard.15 The objective of this standard is to provide a model for establishing, implementing, operating, maintaining, and improving an ISMS.
Vendor personnel are a critical component of any information system, but they can also present insider threats by malicious employees that no outside attacker can match. At the vendor level, background checks of all employees and enforceable confidentiality agreements should be mandatory, and administrative controls should be in place to limit employee access to client information. Ideally, all employees with access to sensitive information should be tested, and possibly even certified, before interacting with clients. In addition, the best vendors ensure that their employees are kept current by providing ongoing training and certification retesting to verify that skills and knowledge remain sufficient.
Product development security can be overlooked if the outsourced provider is rushing to meet deadlines for a new market release. This can result in software with bugs that make it prone to security vulnerabilities. As a best practice, the cloud technology vendors should use a Security Development Lifecycle (SDL) process for developing and deploying applications. SDL refers to making certain that each phase of development—architecture, design, coding—has a security review, resulting in faster identification of security issues before a new product or upgrade is released.
As life sciences companies consider moving functions into the cloud to expedite aspects of clinical trial operations, they are likely to evaluate the process changes needed to implement this step. They will also be considering whether to build capability in-house or outsource to a cloud-computing vendor.
Making this decision forces companies to address the reality that developing and administering a comprehensive and secure cloud-based system in-house requires a major time and resource commitment. Not only would in-house IT professionals be responsible for procuring the hardware for a data center, installing and validating it, and managing ongoing software updates, they would also have to develop, oversee, and maintain a large security system. Furthermore, an in-house system would require ongoing support for investigative sites around the world that are using the platform. Large biopharmaceutical companies might have relationships with many thousands of sites, meaning that responsibility for supporting this many end-users is a very tall order. They would have to manage thousands of active end-user credentials, and provide a 24/7/365 multi-lingual help desk to assist sites across the globe with issues such as forgotten passwords, or how to perform specific functions within the platform.
By comparison, opting for a hosted solution requires no upfront capital investment and relieves companies of the burden of managing, maintaining, and supporting it. With the data security checkpoints described earlier (Figure 3), and with global around-the-clock end-user support, internal IT resources are freed up for other purposes. Furthermore, the best vendors are staffed to scale-up quickly, so adding studies and investigative sites is simple and fast.
A comparison of outsourcing to a hosted provider vs. building in-house capability appears in Table 1.
Table 1. Outsourcing to a SaaS provider offers significant economic and time savings.
In a recent study by the Pew Internet and American Life Project, 895 technology stakeholders were questioned on their expectations for growth in cloud computing.16 Nearly three-quarters of respondents—71 percent—believe that by 2020, the cloud will dominate information transactions. According to the survey, this is due to the distinct advantages offered by the cloud, such as easy, instant, and individualized access to tools and information consumers need wherever they are, using any networked device.
This is a generalized expectation of the cloud, but industries that are highly regulated, such as life sciences, financial services, and telecommunications have complex security concerns that may limit its growth in comparison to other industries. As data security issues are hammered out, however, cloud computing holds a great deal of promise for the life sciences sector.
Throughout the clinical development continuum, from R&D to the pre-clinical phase to clinical trial work and beyond, the volumes of data being generated must be analyzed and stored in accordance with corporate directives to improve time- and cost-efficiencies. The cloud offers this option. Not only can the cloud eliminate the inefficiencies and costs associated with traditionally paper-based manual processes, it can also add a layer of security and control that is simply not possible with paper. Introducing these critical efficiencies into routine processes helps companies adhere to increasingly aggressive timelines, and comply with changing global regulations in a timely manner. And importantly, with the cloud, there is the promise of reining in IT expenditures by no longer having to procure, maintain, and update the system or support all end-users.
Over the next few years, the industry will watch with keen interest as the transition to the cloud unfolds. Companies will work through their decisions to enter various applications into the cloud, and during this process, they will be evaluating whether this work will be done internally or with outsourced cloud technology vendors. In an effort to toe the line on infrastructure costs and limit strain on internal resources while raising the bar on data security, outsourcing becomes a compelling option.
Linda Bowers is Vice President of Life Sciences Product Marketing at IntraLinks, 150 East 42nd Street, 8th Floor, New York, NY, e-mail: email@example.com.
1. Cloud Computing Definition, http://Whatis.com, http://searchcloudcomputing.techtarget.com/definition/cloud-computing.
2. J. Russell, "Next-gen Cloud-based eClinical: Timaeus Speeds Set Up, Cuts Costs, Delivers Flexibility," Cambridge Healthtech Media Group Custom Publishing, http://johnrussell99.files.wordpress.com/2009/11/cmedtechnologies_cloud-based-eclinical.pdf.
4. E. Knorr and G. Gruman, "What Cloud Computing Really Means," InfoWorld, http://www.infoworld.com/d/cloud-computing/what-cloud-computing-really-means-031?page=0,0.
5. J. Harris and S. Nunn, "Cloud Computing's Great Promise," http://Forbes.com, June 30, 2010. http://www.forbes.com/2010/06/30/pharmaceuticals-mobile-salesforcecom-technology-cloud-computing.html.
6. J. Foley, "Q&A: Eli Lilly On Cloud Computing Reality," InformationWeek, November 13, 2010, http://www.informationweek.com/news/hardware/data_centers/228200755.
7. R. Mullin, "The New Computing Pioneers," Chemical & Engineering News, 87 (21) 10-14 (2009), http://pubs.acs.org/cen/coverstory/87/8721cover.html.
8. G. Miller, "J&J Pharma Looks Skyward," FierceBiotechIT, June 12, 2009, http://www.fiercebiotechit.com/story/j-j-pharma-r-d-looks-skyward/2009-06-12.
9. C. Brooks, "The Hartford and Johnson & Johnson Tout Cloud Benefits," http://SearchCloudComputing.com, November 4, 2009, http://searchcloudcomputing.techtarget.com/news/1373566/The-Hartford-and-Johnson-Johnson-tout-cloud-benefits?ShortReg=1&mboxConv=searchCloudComputing_RegActivate_Submit&.
10. K. Rubenstein, "Cloud Computing in Life Sciences R&D Report," Insight Pharma Reports, April 2010, http://www.insightpharmareports.com/uploadedFiles/Reports/Reports/Cloud_Computing/SamplePages.pdf.
11. CenterWatch Survey of Investigative Sites in the US, 2009, http://neeman-medical.com/UserFiles/CW%20Monthly%20May_2009%20_%20Part%20I(2).pdf.
12. IntraLinks Poll: Document Management Inefficiencies Cost Clinical Trial Sites Time, Money, IntraLinks, June 2, 2009, http://www.intralinks.com/news-events/press-releases/2009/06/02/document-management-clinical-study.
13. Code of Federal Regulations, Title 21, Part 11, "Electronic Records: Electronic Signatures," http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfCFR/CFRSearch.cfm?CFRPart=11&showFR=1.
14. Statement on Auditing Standards No. 70: Service Organizations, Wikipedia, http://en.wikipedia.org/wiki/Statement_on_Auditing_Standards_No._70:_Service_Organizations.
15. The ISO27001Certification Process, The ISO27001 Directory, http://www.27000.org/iso-27001.htm.
16. J. Anderson, L. Rainie, "The Future of Cloud Computing," Pew Internet and American Life Project, June 11, 2010,http://www.pewinternet.org/Reports/2010/The-future-of-cloud-computing/Overview.aspx.