How 21 CFR Part 11 Impacts Life Sciences Security Standards

Many learning management systems (LMS) can apply similar technologies to a variety of educational opportunities, but clients’ needs vary widely by industry. In the Life Sciences, which include pharmaceutical firms, hospitals, biotech innovators, physical therapists, rehabilitation centers and others, industry standards are quite strict. The industry requirement to adhere to the US Federal Standard 21 CFR Part 11 demands rigorous, validated software platforms.

Here’s what the FDA actually says about 21 CFR Part 11

PART 11 — ELECTRONIC RECORDS; ELECTRONIC SIGNATURES

Subpart A–General Provisions

Sec. 11.3 Definitions.
(a) The definitions and interpretations of terms contained in section 201 of the act apply to those terms when used in this part.

(b) The following definitions of terms also apply to this part:

(1) Act means the Federal Food, Drug, and Cosmetic Act (secs. 201-903 (21 U.S.C. 321-393)).

(2) Agency means the Food and Drug Administration.

(3) Biometrics means a method of verifying an individual’s identity based on measurement of the individual’s physical feature(s) or repeatable action(s) where those features and/or actions are both unique to that individual and measurable.

(4) Closed system means an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.

(5) Digital signature means an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.

(6) Electronic record means any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.

(7) Electronic signature means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual’s handwritten signature.

(8) Handwritten signature means the scripted name or legal mark of an individual handwritten by that individual and executed or adopted with the present intention to authenticate a writing in a permanent form. The act of signing with a writing or marking instrument such as a pen or stylus is preserved. The scripted name or legal mark, while conventionally applied to paper, may also be applied to other devices that capture the name or mark.

(9) Open system means an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system.

—————————

A huge emphasis is placed on security. Any LMS must be able to verify with 100% certainty that a given employee or learner has acquired the skills imparted by the learning modules and that they can be trusted to use them on the job in a potentially high-risk scenario.

Life Sciences companies also tend to attract cybercriminals. Among large firms, a systems breach could compromise hundreds, if not thousands, of users’ personal information. This increased exposure is what prompted the FDA to adopt the 21 CFR Part 11 standard.

To go above and beyond the industry expectations for LMSs, eLeaP has conformed to the U.S. Food and Drug Administration’s “Industry Guidance.” While these documents are not legally binding, they provide an inside look at how the eLeaP Learning Management platform helps our clients comply with 21 CFR Part 11. If your organization maintains or compiles data on individuals (private or otherwise), it might be useful to see how eLeaP might be able to help you keep that data safe and meet this stringent federal standard.

10 ways eLeaP LMS meets 21 CFR Part 11

The following are the top 10 industry standards to which eLeaP conforms:

  1. Protect user data at all costs

For any user to access the eLeaP LMS, they must provide their unique User ID and password. System administrators can control who can and cannot access certain content, and they can block suspicious users altogether. The eLeaP LMS is a cloud-based learning and training management platform and an entirely secure service. The platform employs advanced algorithms to detect and disrupt duplicate or deceptive login sessions, ensuring that medical device manufacturers, biotechnology companies and pharmaceutical firms all adhere to 21 CFR Part 11.

  2. Ensure that all user log-in info is unique

Related to the previous mandate, some systems must accommodate a huge number of learners. In these situations, the possibility arises that certain individuals will create the same or similar user data in order to access the LMS. In the worst-case scenario, this can allow some people to unwittingly sign on as a different user. eLeaP protects against this danger.

  3. Ensure that non-biometric signatures relate to a given user

In the best-case scenario from a security standpoint, each user on any system would log in with some form of identification that no one else would be able to copy. One might use, for example, a fingerprint. At the moment, this is unfortunately not realistic.

For this reason, we require each user to log in with two separate items that prove his or her identity, such as a User ID and a password. eLeaP passwords must conform to certain additional standards. Administrators can require users to change their password on a periodic basis of their choosing.

  4. The system must detect and report suspicious or unauthorized activity

The technology does not yet exist that can determine when user error leads to incorrect log-in info and when someone is trying to illegally gain access to the system. We can, however, come pretty close. eLeaP can provide a custom report of strange or suspicious activity.

  5. Provide real-time progress reports confirmed by electronic signatures in a legible form

When it comes to Pharma and Biotech, things move pretty quickly. When an employee earns a new qualification or proves themselves able in certain situations, management needs to know immediately. Even weekly reports aren’t going to cut it. eLeaP audits all user progress in real time and, whenever an administrator wishes, they can access a given learner’s progress in a legible, easy-to-read, date-stamped report.

  6. The system must ensure that all learning modules progress in a given sequence and that users cannot access future modules before completing one that comes before.

The software engineers at eLeaP understand that, in the context of Pharma and Biotech training, learning new info is contingent on knowledge and skills previously acquired. Administrators using the system will be able to mandate that learners progress through learning modules one at a time. Clients can even set progressive access rules to ensure that users cannot access future modules unless they have completed prerequisites.

  7. All uses of a separate user’s electronic signature must be confirmed by two other individuals

In general, we do not recommend sharing user data at all. If you must, however, and someone wishes to use another user’s electronic signature, we have put in place measures that require extra security clearance from two other authorized users.

  8. If long periods of inactivity occur, users must be timed out

We’ve all been in a situation in which we left a password-secured account open on our computer in a social setting. The eLeaP LMS cannot run the risk of allowing sensitive information to be made available to strangers or even friends. After a given period of inactivity, users will be automatically logged out. Clients are able to set their own timeout threshold.

  9. The system can be configured to require password authentication at periodic points of progress

While many systems will require password authentication only when initially logging on, eLeaP can be configured to require a user’s electronic signature or password at specific points throughout a given learning module.

  10. Electronic signatures must correspond to user data

Among Pharma and Biotech LMSs, one’s electronic signature is the first point of authorization. It cannot be used to falsify progress in any way. Our LMS automatically pairs user progress with their User ID and a date stamp as they move through learning modules.

These are just ten of the measures that eLeaP takes to ensure that the LMS conforms with industry standards and protects user data. All measures have been tested extensively. We can guarantee that they will meet and exceed industry expectations.   

If you are in the Life Sciences industry, especially Pharma, Biotech, or Medical Device manufacturing, contact eLeaP today to schedule your free consult.