Using SharePoint In A Regulated Environment

By John Postle

The regulatory landscape is constantly changing and requires a greater number of businesses to demonstrate compliance. The compliance landscape for most organizations consists of either Sarbanes-Oxley (SOX), Health Insurance Portability and Accountability Act (HIPAA), or the FDA’s Code of Federal Regulations (CFR) 21 Part 11 regarding electronic records and electronic signatures. The critical information format organizations use to demonstrate compliance with these regulations are documents or records of some type. In today’s environment, most of these records are maintained or authored in some type of electronic format.

Historically, the largest pharmaceutical companies have invested tens of millions of dollars and countless years implementing traditional electronic document management systems (EDMSs) to address the repository requirements of security, access control, workflow, 21 CFR Part 11 compliance, search and retrieval, access to previous versions of documents, and eventual submission publishing.

Pharmaceutical companies which did not want to or could not afford to follow this path have implemented alternative approaches. However, these companies are struggling with their current business processes for managing paper and electronic documents. They are expending untold years:

• tracking down the correct document version
• determining where documents are in the review and approval cycle
• maintaining on-site and off-site paper document control repositories
• attempting to configure shared file servers for security and access control
• taking down the network many times to retrieve inadvertently deleted documents from backup tapes (if they exist)
• correcting the submission of incorrect content to regulatory authorities
• scanning because the version in the electronic repository is not “the official record” or the electronic version cannot be trusted as final
• attempting to find the final version among numerous copies stored in individual’s folders in the shared file server.

Furthermore, it doesn’t help that electronic information is flowing in and out of organizations via a variety of electronic paths (i.e. websites, emails) as everyone tries to push for the paperless virtual work environment.

One solution to these problems is Microsoft SharePoint, which has multiple versions that are available, but not all will meet the compliance needs of a regulated organization. Many organizations are looking at SharePoint to help solve their electronic document management problems, due to a perception that the application comes with the Microsoft Windows Server Operating System and has no additional cost. The free version that comes with Windows Server is Windows SharePoint Services (WSS) 2003 or 2007. These versions of SharePoint are limited in their functionality. They provide for basic collaboration, version control, out-of-the-box workflows, and portal web services. It is not recommended that companies use this version for compliance issues.

The step up from WSS was originally SharePoint 2003 (SharePoint Portal Server or SPS). This version required the purchase of licenses for all users. It offered more functionality over WSS by providing more extensive collaboration and workflows. In addition, users saw improved access control, email integration, improved searching and indexing, as well as superior portals and web services.

Today, Microsoft recommends Office SharePoint Server 2007 (MOSS). This release took SharePoint to a completely different level. No longer was SharePoint an organization collaboration tool competing with eRooms (EMC), but rather a more complex application with the capability to be a complete enterprise content management system. Some of the key additions to MOSS were:

•  enterprise search capabilities of both structured and unstructured content
•  full content management including libraries, policies, auditing, and compliance
•  business document workflows
•  control of documents through detailed extensible policy management
•  use of browser-based SharePoint forms for gathering information
• the capability to integrate business intelligence features by accessing other data sources (SAP, Oracle, etc.) to present real-time dashboards.

The process for implementing SharePoint to meet compliance is more important than even selecting the proper version of SharePoint to implement. In many organizations, the IT group has deployed SharePoint as a collaboration tool to host shared documents. This most often results in business units driving the advancement of SharePoint in the organization. To meet their business unit needs, these groups start developing point solutions that address their own internal needs. They create their own taxonomies, libraries, folder structures, policy and rights, etc. This type of implementation results in an “out of control” SharePoint implementation.

Think of the overall impact — you have divergent business units with their own needs implementing business solutions to meet these needs. IT is only providing the IT Infrastructure. Quality assurance has no input on what is going on, and of course the business units are not thinking how they can share information across the organization or to their customers or collaborators. Layer on top of this the fact that these “nonsystems systems” are being used for business decision making and even regulatory compliance requirements. It is for these reasons that it is important for IT and quality assurance to take the lead in the effort for an enterprise deployment of SharePoint.

AVOID AN “OUT-OF-CONTROL” IMPLEMENTATION
The “out-of-control” implementation can be prevented. To ensure control and compliance of the SharePoint implementation, the organization needs to establish a governance model to address all components of the implementation. In particular, the governance model will define the infrastructure requirements; address the establishment of overall policies for libraries, folders, templates, workflows, and documents; define roles and responsibilities; establish information rights processes for controlling access; and establish the taxonomy and structure of the content.

Following the governance model will ensure a successful deployment; however, to ensure the SharePoint deployment adds value to the organization, the deployment must align with the business goals of the organization. This alignment will expand the use of SharePoint across the organization providing easy access to structured and unstructured information to all who need it.

A scenario that we are familiar with shows the value of this approach. In many organizations, especially life sciences companies that have significant amounts of structured and unstructured data, people with valuable skills become gatherers and disseminators of information, coordinators of processes, and connectors of people. The return on IT investment in these organizations is low as these people are required to constantly deliver complex point solutions. Through the use of SharePoint and the associated governance model, the use of human capital can be optimized by providing individuals with a broadly accessible connection to the people, processes, and information, customized to their role, task, and personal work style.

DON’T FORGET ABOUT SECURITY
We have discussed the different versions of SharePoint and the steps that should be followed for a successful enterprise implementation, but how does all this address compliance? The compliance regulations differ, but they all share common elements and are based on the widely accepted principles of information security. These principles are:

•  confidentiality — information cannot be accessed by unauthorized users
•  integrity — data cannot be altered by unauthorized users, and its completeness and accuracy are ensured
•  authenticity — the information objects (documents) are authenticated and have not been forged or altered
•  nonrepudiation — this implies that a party of a transaction (signing a document) cannot deny having done so.

SharePoint addresses confidentiality, integrity, and authenticity of electronic records through access control and permission to the records on either the individual record level or a document library level. Nonrepudiation of signed records is addressed through the use of electronic and digital signatures when integrated with Office 2007.

In MOSS, all of these items become an auditable system of records. In configuring SharePoint, the audit trails are defined by the information management policy for each content type. The information management policy will specify which events will have audit logging. This will enable audit reports to be provided for each content object depicting who has authored the object, who has modified it, who has approved it or signed it, and even who has accessed it. Unlike other applications, the audit trail is kept with the document throughout its life cycle.

Another feature of a compliant document management system is the ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. SharePoint addresses this requirement as well, enabling output to be generated in XML (extensible markup language) or XPS (XML paper specification) formats.

CFR 21 PART 11 COMPLIANCE
For life sciences companies to be in compliance with CFR 21 Part 11, the system that the compliance documents must be retained in must be a validated application. A question that Microsoft is constantly addressing is, “Can SharePoint be validated?” To answer that question, we should first define what is computer system validation. A common definition that has been widely accepted is that computer system validation is a process that establishes documented evidence and provides a high degree of assurance that the system will consistently perform according to predetermined specifications and quality attributes.

The key components to achieve such a validated state consist of:

•  a qualified infrastructure — your IT infrastructure is the foundation and needs to be in control
•  the predetermined specification equates to developing defined business requirements for the specified functionality
• development and execution of a validation plan.

Many life sciences organizations both large and small have already validated MOSS. So the answer to the question is “yes,” SharePoint can be a validated application.

Further detail on this can be viewed in a document that Microsoft has prepared entitled, “Guidance for a CFR 21 Part 11 Implementation on Microsoft Office SharePoint Server 2007.” This document will walk through in detail how MOSS can be configured to achieve compliance to CFR 21 Part 11. It is available at http://msdn.microsoft.com/architecture/ lifesciences.

THE STEPS TO FOLLOW
In summary, the key to a successful implementation of a regulatory-compliant SharePoint is to start the planning process early (getting in control). Planning for using SharePoint as your enterprise content management repository is no different from planning for any other enterprise application such as an ERP (enterprise resource planning) application. The recommended steps for planning your SharePoint implementation to achieve and maintain compliance are:

• Establish a governance policy and procedures
• Define a document library structure that aligns to your business (SOP library, change control library, etc.)
• Establish the hierarchical classification of content types (taxonomy)
• Define the attributes of documents, lists, and folders (content types); these attributes consist of properties, workflows, associated policies, templates, etc.
• Determine versioning, approvals, and checkouts, which establish guidance on planning content control items such as model for version control, approval for publishing, and policy for check-in/ checkout of documents
• Define roles and access rights for the specific roles (information rights management)
• Establish workflow based on libraries and content types; these workflow actions usually consist of approval/signatures, collecting feedback, and disposition
• Create your information management policies, which are the rules for each content type to ensure compliance with regulatory and legal guidelines, as well as auditing and archiving
• Establish enterprise content storage, since large-scale implementations require significant planning to ensure adequate performance for accessing information
•  Define policies for maintaining records (record retention) based on libraries and content type
• Define a training program, since many deployments fail because the training aspect has been overlooked

Planning in advance will save time and money after implementation. After all, using SharePoint in a regulated environment isn’t as simple as just flipping a switch.

About The Author
John Postle is VP of life science enterprise for Court Square Group. Prior to joining Court Square Group, he spent more than 11 years with Pfizer. As a Technology Portfolio Manager, he was responsible for establising strategic IT investment, managing the multimillion dollar budgets for his clients areas, and ensuring delivery of IT solutions and services.