Posted by Daryl Rinaldi on Tue, May 26, 2015

The FDA has requirements for Pharmaceutical IT and QA departments about validating 3rd party vendors, particularly GxP vendors.  But even for 3rd party vendors that do not require full validation, it is a pharmaceutical IT best practice to thoroughly vet 3rd party technology/service vendors.

For 3rd parties that do not require formal validation, the factors that determine how intensively you should investigate them are:

  1. How much will your organization depend on the availability of this service or data?  How long could you function without it if it were offline?  If this is a critical service whose unavailability would majorly disrupt your operations, you must understand the level of quality and robustness of their technology architecture, their support infrastructure, their processes and change control procedures, their security against malware and hackers, and their backup and disaster recovery systems and processes.  I will provide a blog post with more detail on what types of questions to ask and what to look for.
  2. How sensitive is the data they will house?  Is it public information?  Is it material non-public information subject to Sarbanes-Oxley and/or SEC regulation?  Is it HIPAA data?  Or is it just highly confidential information that you would not want to get out?  The more confidential this information is, the more you have to investigate their security technology and processes.  If the data is subject to specific regulations such as HIPAA, then you have to additionally check for compliance.  You should also contractually require compliance.
  3. How irreplaceable is the data they will house?  Is this just a copy of data you have elsewhere?  Is the data easily reconstructable from other sources?  Or is this the only copy that exists?  The more irreplaceable the data is, the more dependent you are on their backup and disaster recovery systems and processes.  I'll post another blog specifically on how to evaluate a vendor's backup and disaster recovery in detail.

It is common for IT firms and departments to focus on evaluating technical risk, and I will indeed post a more in-depth blog post on that soon.  But you also need to consider business and legal risk.  What if this vendor goes out of business?  What if a law enforcement body seizes the servers that your data resides on?  Any time you outsource technology you are taking some business/legal risk -- you can't avoid that.  But there are steps you can take to minimize the risk.  There are certain contractual clauses you should insist upon.  I will provide a blog post specifically on dealing with financial and legal risks in the future.

Lastly, remember that this is not a one-time thing.  You have to periodically go back and recheck the vendor.  Are they still backing up your data using the same technology with the same processes?  If they do annual tests of their Business Continuity System, how did the most recent test go?  Did they meet their objectives?  Have they had any breaches, or have any audits uncovered any problems?  Their finances may have been great when you first talked to them, but are they still doing well financially years later?

There is a lot to think about when vetting a 3rd party vendor.  This is a big topic so I will provide several follow-on blog posts that will delve into these topics deeper.  Stay tuned!