Magazine Article | May 9, 2017

Pharma Embraces The Cloud ... Cautiously

Source: Life Science Leader

By Gail Dutton, Contributing Writer
Follow Me On Twitter @GailLdutton

Pharmaceutical companies that have, until recently, eschewed cloud computing are migrating applications into that environment. Adoption began gradually, first with functions that aren’t mission-critical. After a few years’ experience, they’re still cautious, seeking to adopt the cloud strategically while minimizing risks.

Santen, a Japanese pharmaceutical company specializing in ophthalmology, uses the cloud-based SAS data analytics platform to collaborate with its global team of programmers, statisticians, and scientists. “We wanted a centralized location for all our data from all of our sites,” says Nina Worden, director of statistical programming at Santen.

As a benefit, “Everyone is working off the same version of the data. Study results can be combined for exploratory analysis, eliminating the need to email snapshots of data with updates later.” Consequently, charts, graphs, and reports are more current and accurate.

The Software as a Service (SaaS) model Santen uses from SAS offers the ability to assign levels of access to specific individuals or groups. “For example, we can permit access to a single file without also giving a user access to all the contents within its folder. Our CRO in China, for instance, has contractor access, while our own programmers in California have slightly higher access,” Worden explains.

The analytics application is 21 CFR Part 11-compliant, which allows audit logs and version control for documents. “Each modification to a program is logged by the system, and reports can be produced to document these changes.”

Learning the UNIX operating system was the main challenge for Santen’s team as it migrated analytics from its Windows-based PC SAS application (which ran on a server) to the cloud-based SAS application. “My programmers had to get used to minor coding differences,” Worden says. Likewise, managers needed to learn how the application was structured in terms of storage allocations for development and production space. Sometimes new processes had to be created to manage those areas efficiently.

"Some of our smaller operations and marketing analytics projects have leveraged the cloud."

Andy Newsom
SVP & CIO, CSL Behring


For example, the development system, production area, and repository are each separate, which effectively partitions storage. Managers need to be aware of that when they allocate space. They also need to be aware of where data is stored to ensure, for instance, that classified data isn’t stored on virtual servers with lesser security protections. Other changes included new data-handling processes that enabled allowed portions of studies to be reviewed and new rules on when or whether data could be downloaded from the SAS cloud.

Any inconvenience was more than offset by gains in efficiency and oversight. Creating a centralized database that is available to researchers at all of Santen’s sites virtually guarantees that, as datasets evolve, analysts are working with the most current versions. Throughout the organization, Worden says, “Results are more consistent.”

The single system also helps Worden manage projects across the enterprise. Using a single application makes it easier for developers to create macros and tools they can share with colleagues at other sites. Therefore, “with programmers in China, Japan, and California, we can hand off tasks across time zones so the work continues, nearly around the clock.”

Santen has been in the cloud for approximately five years, but “we’ve really seen the benefit in the past three years, when we added our sites in China and Japan to the cloud. Adopting cloud computing has broadened our ability to be truly global and more efficient,” Worden says. “It helps us foresee possibilities beyond our core mission. For example, we could use the cloud as a combined area for studies and to conduct exploratory analysis that could shape the design of a future study in a way that streamlines data mining.”

“Cloud computing is gaining traction in pharma,” acknowledges Andy Newsom, SVP and CIO at CSL Behring. Pharmas of all sizes are trying to leverage the cloud’s value while ensuring data security and integrity. Typically, that means minimizing risk by first deploying noncore functions such as HR and purchasing.

“Some of our smaller operations and marketing analytics projects have leveraged the cloud,” Newsom says, and larger projects might enter the cloud after the company’s policies regarding Big Data analytics are further defined. GxP data, however, will remain on premises — not in the cloud — for the foreseeable future. That’s in line with the pharma industry, he says.

Before migrating any application to the cloud, CSL Behring performs an on-site audit of the cloud provider. This involves ensuring the provider’s certifications are current and assessing risks and vulnerabilities in technologies, processes, and staff, and the adequacy of protocols and controls. (Audit guidelines are available from organizations such as the Cloud Security Alliance and the National Institute of Standards and Technology.)

Before the cloud was adopted, purchasing a new HR application, for example, was a capital expense. In a cloud environment, however, that HR application is an operating expense that manifests as an annual subscription fee (which can’t be depreciated). Finance departments treat those cost categories differently and apply different governance guidelines. “Companies are struggling with this difference,” Newsom says.

Cloud computing comes in three basic varieties:

  • Infrastructure as a Service (IaaS) – Infrastructure for a virtual computing environment
  • Platform as a Service (PaaS) – IaaS plus the operating system and server software for a development environment
  • SaaS – IaaS, PaaS, and specific user-facing applications

“The largest cloud providers [e.g., Amazon and Microsoft] provide security and data protection that is as good as or better than the security provided by the IT functions in other industries,” Newsom says. In addition to their deep expertise, cloud providers rigorously install software updates and security patches – tasks their prospective clients too-often ignore.

Cloud providers enhance standardization within clients’ organizations, too. By allowing configuration but not customization, cloud deployments help pharmas ensure that all their sites are technologically compatible. Therefore, data can be shared within the enterprise without having to convert it to other formats. At the application level, SaaS providers update their applications so users don’t have to.

“The disconnect between the cloud and pharma is philosophical,” according to attorney Gerry Stegmaier, partner in the privacy, data security, and internet strategy practice at Reed Smith. Often the conversation involves a list of needs by pharma and a list of specifications by cloud providers, without an understanding of the extent to which those specifications actually meet pharma’s needs.

“Companies are responsible for the integrity of their data regardless where it’s stored,” Newsom points out, and relying on another entity to protect it makes pharma executives nervous.

The financial industry was in that position seven years ago, concerned about regulations and fiduciary liability. “Cloud providers heard those concerns and adapted. In the past two years, cloud providers developed HIPAA-compliant services for healthcare clients. Now they are beginning to address the needs of pharma,” Stegmaier says.

Pharma’s acceptance of cloud computing, even for mission-critical applications and data, is inevitable. Stegmaier calls it “an eventuality.” Migration, however, will continue gradually as more and more pharmaceutical companies realize the benefits of cloud computing in ancillary business functions before entrusting mission- critical work to the cloud.

“If, as a company, you’re betting against the cloud, you’ll be on the wrong side of history,” Stegmaier concludes.