Life Sciences Security Standards, and Why They’re So Strict for LMSs
By Henry Kronk
November 03, 2017
The universe of learning management systems (LMS) can seem, at times, to be one of innovation. Providers must assess the needs of learners and create the technology that will allow them to gain valuable knowledge anywhere in the world on their own time.
But among some industries, LMSs must conform to strict standards. In Pharma, Healthcare, and Life Sciences, both public health and large investments are on the line.
While no legislation exists, no self-respecting LMS provider can hope to sell their system to a Life Sciences company without adhering to industry standards.
The FDA’s “Industry Guidance”
The documents that compile these standards in the U.S. at the moment are the Food and Drug Administration’s industry guidance documents. These documents do not represent legal mandates of any kind. Instead, they convey the FDA’s “current thinking on this topic.”
According to the authors, “You can use an alternative approach if the approach satisfies the requirements of the applicable statutes and regulations.” In other words, ‘do what you want; just don’t break the law.’
Section 11 of these documents refers to electronic records, which is a primary concern for LMSs.
Suggestions range from the need to ensure that non-biometric signatures can’t be copied and used by someone else to the inclusion of continuous, real-time reporting of a learner’s progress.
It boils down to the fact that a Life Sciences professional can’t mess up. They can’t be placed in a role that exceeds their education or abilities. They can’t lie about their expertise. So when a company trains an individual to take on more demanding or technical work, they have to make certain that he or she can do it. The burden of responsibility of quality assurance falls on the company. And they need to have a record to prove it.
Security is paramount
One huge focus of Life Sciences LMS standards is taking many steps to ensure the protection of user information. Systems must ensure that only authorized users can complete training modules and electronically sign a record of their activity. They must also take all steps necessary to block any attempts to falsify or alter these records.
The system needs to make sure that no electronic signatures can be copied and that two or more users can’t use the same information. Each user must input two forms of identification, such as a password and a user code.
There is also, always, the risk of a cyber security breach. In June, for example, the American pharma company Merck fell victim to hackers. Life Sciences companies can be large and enticing. They may employ hundreds, if not thousands, of professionals and share industry secrets.
Maintaining these security standards of compliance is a good practice. The battle against cyber criminals will never end. Elsewhere in the world, governing bodies have passed laws requiring security standards.
The E.U., for example, passed the General Data Protection Regulation (GDPR) in April of 2016. It will go into effect in May of next year. The legislation seeks to bring all data security among member countries under the same standards, and it will penalize those who don’t comply.
The measure will standardize data protection in all E.U. countries and apply to any company that has European users. Each country will establish a Data Protection Officer.
According to security advocate Thomas Fischer, “The GDPR is being made out to be a compliance issue, when in reality it is about accountability; making the company and management teams ultimately responsible for a data breach.”
Despite the confusion over it, many U.S. companies support implementing it on American cyber soil. A recent PwC poll found that 92% of respondents considered complying with it. Over half said it was a top priority.
Accountability and compliance seem to be two sides of the same coin. At the end of the day for LMSs, it boils down to following industry standards for security.