Good Informatics Practice (GIP) Chapter 1 - Executive Summary

A framework for trusted information systems

February 2011

© Healthcare Information and Management Systems (HIMSS)

Ford Winslow, Anette Asher, Steven Fouskarinis, Gabor Fulop, Damian Gomez, Oscar Ghopeh, Andrew Jacobson, John Kim, Linda Speake, Mark Vilicich, Howard Asher


Preface

The Life Sciences Organizations, Health Care providers, Food Processing and Cosmetic Industries are governed and regulated by domestic and international government agencies and ministries whose prime purpose is to protect public health. These regulating bodies often issue various ‘Guidances’ suggesting various areas of recommended “Good Practice.” These Good Practices Guidances frequently refer to associated functional areas and relevant standards and regulations. They provide a means to adopt these guidances in order to safeguard the public health and safety and minimize the risk associated with specific products or services.

Today most of the business services employed by these regulated companies and institutions are facilitated by information technologies (IT). As IT business services gain wider and deeper adoption by these regulated firms, so does the IT complexity. Currently, the government agencies and ministries that routinely inspect these regulated firms don’t have the tools necessary to be able to inspect objectively all of the complex IT systems that are at the core of critical business services and functions.

The Life Sciences Information Technology (LSIT) Global Institute was founded in May 2004 with its first public announcement in the same month on a local San Diego news channel.¹ The genesis of LSIT occurred during a meeting of Federal Drug Administration’s (FDA) IT management and Sun Microsystems celebrating the successful conclusion of a Cooperative Research & Development Agreement (CRADA). During this meeting the FDA’s IT management was asked to speak about its greatest concern with IT rapidly converging into the life and health sciences industry.

Their response: “Of the top 100 life sciences companies we regulate, they do the exact same thing with IT systems, 99 different ways – tell us which one we should trust?”

The LSIT Founding Committee² was formed to determine if ‘we’, the industry, could develop an IT guidance called Good Informatics Practice (GIP) that eventually the US FDA and other international regulatory public health bodies could trust.

LSIT Global Institute’s founding was modeled after the International Committee on Harmonizing (ICH).³ The ICH set about the process of organizing world experts to develop what is called today Good Clinical Practice (GCP) and spent a number of years globally socializing, redrafting and obtaining international acceptance of GCP.

Good Informatics Practices (GIP) are methods and processes of aligning IT Governances with Corporate or Institutional Objectives, Regulations and Industry Best Practices. GIP leverages a risk-based framework, scaled in direct proportion to risk to health and public safety, that enables companies, regulatory agencies and the public to trust IT business services that may impact Food, Cosmetic or Medical product quality or public safety.

Howard Asher

Founder, LSIT

¹ LSIT public debut video link http://www.scivee.tv/node/12332

² www.lsit.org/about/foundingcommittee.php

³ www.iCH.org


Preface
1. Executive Summary
1.1. Introduction
1.2. Intended Audience of GIP
1.2.1. Life and Health Sciences Industry Technology Practitioners
1.2.2. Auditors and Regulators
1.2.3. Internal Quality Organizations
1.3. Examples of Successful GIP Outcomes
1.3.1. Audit
1.3.2. IT Quality
1.3.3. Vendor Management
1.3.4. Trusted Data Interchange
1.3.5. Certification
1.3.6. Validation and Verification
1.3.7. Trusted Modeling
1.4. Framework Organization and Layout
1.4.1. Technology Governance GIPs
1.4.2. People GIPs
1.4.3. Process GIPs
1.4.4. Technology GIPs
1.4.5. Data GIPs
1.5. The GIP Body of Knowledge
1.5.1. IT Governance and Corporate IT Policy Management
1.5.2. Risk Management
1.5.3. Training and Practices
1.5.4. Process Management
1.5.5. Architecture
1.5.6. Infrastructure / Cloud
1.5.7. Application Management
1.5.8. Data Management
1.5.9. Validation and Verification
1.5.10. Security
1.5.11. Program and Project Management
1.5.12. Electronic Submissions
1.5.13. Computerized Machines and Instruments
1.5.14. IT Strategy
Appendix A - Glossary
Appendix B - Index
Acknowledgements


1. Executive Summary

1.1. Introduction

This guidance document is intended to assist Life and Health Science organizations by describing a model for demonstrating trust in the governance, people, processes, technology and data used across the lifecycle of health delivery from molecule to population.

Good Informatics Practice (GIP) describes one comprehensive model for aligning the IT and Informatics functions that support Life and Health Science organizations with the strategic, commercial and regulatory goals of the business. Information Technology supports all business and scientific functions within life and health science organizations. GIP is a model by which an organization’s IT function may support business, scientific, medical and other functions concurrently and be trusted to comply with all applicable regulations. GIP is not intended to create new regulation or replace existing standards. Rather, GIP is intended to be guidance for the Life and Health Sciences community that refers to applicable regulations, best practices and industry standards so that the industry and regulators alike may have a common framework and language.

Successful adoption of GIP represents industry and regulatory joint support of an effective framework for trust in the data generated, stored, manipulated and used in the Life and Health Sciences community. Trusted data and information systems are the basis for all discovery and delivery of safe and effective therapies. GIP is designed to facilitate technical innovation and continual improvement in informatics while maintaining trust in the data these systems produce, store, transmit, modify and retrieve.

The HIMSS Life Sciences Information Technology Committee (LSIT) recognizes that each organization’s circumstance is unique. This guidance document does not establish enforceable standards or responsibilities for industry. Instead, GIP demonstrates practical strategies, approaches and tools that organizations may adopt and use to achieve the optimal outcome for each unique circumstance.

In order to support industry innovation and continual improvement, the GIP has been designed in an open, flexible architecture that references other relevant standards where possible. LSIT realizes new technologies and regulatory strategies are constantly being developed. To help facilitate adoption of new technologies and innovative practices, GIP has been designed to evolve with the scientific and technical landscape to capture current best practice and leave space for future innovation.


1.2. Intended Audience of GIP

GIP is intended for any person or company managing or using IT while performing business services within organizations governed and regulated by domestic and international government agencies and ministries whose prime purpose is to protect public health.

1.2.1. Life and Health Sciences Industry Technology Practitioners

GIP is intended to provide guidance for those who implement, maintain, validate, use or otherwise are concerned with information systems. GIP is built around general best practices and specific examples with guidance on how to scale activities relative to an organization’s risk and maturity. GIP provides qualified technology practitioners with Life and Health Sciences specific knowledge necessary for their jobs.

1.2.2. Auditors and Regulators

GIP is intended to provide a common framework around which internal and external auditors may gauge the applicability and compliance of common best practices. Scalability is built into GIP in all areas so that organizations and auditors alike may objectively determine which best practices should be implemented based on product risk and maturity.

1.2.3. Internal Quality Organizations

GIP is intended to provide a “lingua franca” among IT and Quality staff and organizations. By leveraging quality-driven best practices for people, processes, technology and data, IT organizations begin to speak the language of Quality and can thus partner with those parts of the organization for optimal outcomes that will ultimately benefit all medical products.

1.3. Examples of Successful GIP Outcomes

Multiple positive impacts are achieved as GIP is deployed within the Life and Health Sciences community. The overarching result is trust, by all stakeholders, of the IT business services and infrastructure systems within the entire ecosystem.

An important paradigm shift is considered to be the optimal outcome once a GIP process is fully deployed to the “GIP Certified” state. The IT staff places much higher contribution and applied skills to IT centric business initiatives and thereby grows and strengthens the business core values.


1.3.1. Audit

Auditors must have unambiguous standards against which to audit. Today it is up to each organization individually to determine the standards with which it will align. Having a common reference framework for auditors and organizations is an optimal outcome of GIP.

1.3.2. IT Quality

IT departments and staff must have the tools they need to be innovative and support complex, regulated technologies in a cost-effective, timely manner. By providing a Quality-by-Design framework for IT, organizations will have the tools necessary to provide high-quality, efficient services that are of appropriate quality to meet the needs of the business and regulations. Examples of Quality-driven IT practices and processes are an optimal outcome of GIP.

1.3.3. Vendor Management

Manufacturers and Vendors must provide products and services to a wide array of clients in many different industries. In order for those vendors to also serve the Life and Health Sciences community, they must understand the unique regulatory, business and operational challenges that face this community. Providing guidance to manufacturers and vendors on information systems for how to provide high-quality service to the Life and Health Sciences industries is an optimal outcome of GIP.

1.3.4. Trusted Data Interchange

In order to enable a wide array of optimal outcomes for patients, there must be a framework for trusted data interchange among all the parties in the Life and Health Sciences community. Translational medicine and public health policy decision-making are made much more efficient and robust by leveraging common standards for data management and interchange. Data de-identification and other security and privacy issues must also be solved in order to facilitate trusted data exchange. Providing trusted guidance for Life and Health Science organizations to manage and exchange data for the benefit of patients and the public is an optimal outcome of GIP.

1.3.5. Certification

Professionals and organizations benefit from certification that is based on a trusted framework and body of knowledge. Certification provides a basis for trust that can lead to time and cost efficiency and simplicity at the time of audit. Providing the basis for certification in Good Informatics Practice is an optimal outcome of GIP.

1.3.6. Validation and Verification

Organizations spend vast amounts of money and time validating information systems for use in regulated environments. Often each organization must determine its own validation strategy and make best effort judgments on the scale and scope of validation. Providing organizations and auditors with common guidance on efficient, appropriate validation and verification is an optimal outcome of GIP.

1.3.7. Trusted Modeling

The global Life and Health Sciences community and the patients this community serves require trusted computational modeling of disease states, injuries and disorders as well as the therapies required to restore health or improve quality of life. The complexity of disease identification and therapy choices requires computational resources to be able to efficiently and confidently treat patients with minimal risk. The skyrocketing costs of therapy development along with the explosion of research data also require computational modeling to be able to confidently develop innovative therapies with minimal risk. Providing the guidance within which Trusted Modeling can occur is an optimal outcome of GIP.


1.4. Framework Organization and Layout

GIP applies to all information and computerized systems used by an organization. LSIT realizes that organizations use shared infrastructure for regulated and non-regulated functions. In support of this, the GIP focuses on identifying where computer systems are used for regulated business functions and appropriately applying control to those systems based on risk.

GIP applies to the governance and regulations, people, processes, technology and data that make up the Information Ecosystem.


Figure 1: GIP Alignment

1.4.1. Technology Governance GIPs

Most, if not all, organizations have a business function dedicated to Information Technology. This function may be in-sourced, out-sourced or co-sourced and can vary in size from one part-time individual to a staff of hundreds or thousands. In all cases, some level of governance is required to enable optimal outcomes over the life of the organization and comply with applicable regulations.

Governance usually occurs at multiple levels. The organization as a whole may have some rules around decision-making. Financial limits are common, but organizations may or may not choose to formally govern initiatives, risk management and other key governance factors. Organizations may also group hardware, software, configurations, procedures and data into systems and govern those systems. Application governance or data governance for specific functions is common. Technology Governance can take many forms and may be implemented many ways. No matter the tools and methods used for governance, the outcome of effective governance is a trusted IT Ecosystem.

This diagram is an example of the breadth of the scope of the IT Ecosystem by function.

Figure 2: Example IT Ecosystem Functional Diagram


An organization may choose to implement these IT Functions as an organizational format as depicted by Figure 3.

Figure 3: Example Organization IT Ecosystem

Each organization must choose how to design, build and govern its IT Ecosystem based on the organization’s specific risk and business circumstances. Governance GIP gives the Life and Health Science community tools to build an effective governance program.

1.4.2. People GIPs

People are the most critical part of an information system. People purchase, implement, operate and decommission technology. People perform processes that leverage technology to achieve business results in their everyday work where technology has the capacity to create, modify, transmit, analyze and delete data that are used in regulated activities. The people who implement, use and maintain information systems must be trusted to perform their roles reliably and effectively, and must be qualified to do so. Additionally, the organization must demonstrate that proper care is taken when recruiting, hiring and managing personnel.


People are also a critical link in information security. Most security breaches are related to human causes. Effective practices for managing personnel improve not only the effectiveness and compliance of the organization, but also the security and quality of the data and systems in use.

People GIPs provide best practices that organizations can adopt to demonstrate to regulators, business partners and customers that personnel can be trusted to carry out responsibilities. This section of GIP does not replace the need for other standards and bodies of knowledge. These GIPs provide tools and strategies that can be adopted by organizations as well as references to other, more in-depth standards and best practices.

1.4.3. Process GIPs

Reliable, repeatable processes are how high performing organizations deliver trusted services to their customers, business partners and regulators alike. Processes link people with technology. Most frameworks for compliance have some level of process. COBIT, ISO, ITIL and others all leverage process frameworks to achieve results over a wide array of technology. IT professionals in the Life and Health Sciences are faced with multiple process frameworks from which to choose.

Trustworthy processes allow tasks to be performed with a high degree of accuracy and confidence. They leverage technology in a consistent and reliable way. This consistent use of technology has many benefits. Systems (and validation) can be simpler, cheaper and easier to maintain if the regulated use of the system is consistent. Consistency also allows for better and more focused allocation of IT resources, which drives quality higher and reduces total cost of ownership (TCO). For the most critical systems, trusted processes result in decreased risk due to error or mishap and the ability to recover systems quickly and provide business continuity.

Process GIPs represent a common process framework that can be implemented by an organization to reduce specific risks. These GIPs leverage these and other existing standards to implement appropriate processes correctly.

1.4.4. Technology GIPs

Hardware, software, and the configurations of that hardware and software make up the technology in each information system. These systems in turn are leveraged to carry out business processes. The Technology Ecosystem can be broken down into discrete elements. These elements or systems each have unique requirements, hardware, software, configurations and testing needs. Each organization assembles technology to meet its unique business and compliance needs.


When these systems are used for regulated business functions, organizations must demonstrate and “…provide a high degree of assurance that a specific process will consistently produce a product meeting its pre-determined specifications and quality attributes⁴.” That means organizations must “establish by objective evidence that all software requirements have been implemented correctly and completely and are traceable to system requirements.⁵”

This section of GIPs provides organizations with strategies and tools they can adopt that will help them correctly purchase, configure, implement and maintain the hardware and software used by industry. They contain requirements for manufacturers, integrators, providers, resellers and purchasers of technology. These GIPs also provide specific guidance, where possible, on key configurations or activities that lead to trusted technology. Also provided are testing recommendations to demonstrate that the requirements have been met and the hardware, software and configurations implemented correctly.

1.4.5. Data GIPs

Data are the core to all regulated activity. Regulations, best practices and standards are created to ensure data can be trusted throughout its lifecycle. Data are used in all manner of regulated processes from product development to clinical trials, to manufacturing and testing, to healthcare delivery and reimbursement. Trusted data are critical to enabling trusted decisions.

Development and delivery of therapies are increasingly dependent upon electronic data. Data sets are becoming so voluminous that warehouses are incapable of storing all the necessary data. Search and retrieval would require a small army. For these reasons, paperless development and delivery is a reality today and increasingly will be adopted by the Life and Health Sciences community. Paper “safety nets” will not be viable. Electronic data must be trusted to be the definitive source record for the Life Science and Healthcare industries.

Organizations are increasingly obligated to maintain trusted data. The consequences for not maintaining trusted data can range from embarrassment to financial penalty to felony charges. Having a framework for maintaining trusted data is becoming a requirement in Life and Health Sciences.

⁴ http://www.fda.gov/downloads/Drugs/GuidanceComplianceRegulatoryInformation/Guidances/UCM070336.pdf

⁵ http://www.fda.gov/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm085281.htm

Trusted data enables decisions that can be relied upon to save lives and positively impact public health. When trusted data interchange becomes a reality, data can be shared in ways that are impossible today. Organizations pay immense sums of money to generate data sets, which, in some cases, might otherwise be mined from existing data. Modeling and other visualization technologies could replace invasive studies and the resulting data sets trusted by scientists.

This type of GIP provides organizations tools and best practices that will enable their data to be trusted as appropriate for their situation. These GIPs can be adopted by an organization based on business need and Risk.

1.5. The GIP Body of Knowledge

Figure B: Topical Structure of GIP Guidance

1.5.1. IT Governance and Corporate IT Policy Management

The Life and Health Sciences business functions, services and processes are rapidly becoming codependent upon information and communications technologies (ICT). These ICT Life and Health Sciences systems must be as trustworthy as the former paper-based systems. All stakeholders must trust ICT healthcare and life sciences systems and successfully withstand any third-party independent governance audit.


Stakeholders who will benefit from this chapter include those in leadership roles in the “C” Suite, and IT Managers and Quality Managers who are responsible for strategic alignment, quality controls and assurances, compliance and efficient IT ecosystem workflows.

This chapter will address the institutional and corporate governances of ICT systems throughout the entire IT and corporate ecosystem. It includes associated functional and clear ICT policy, procedures and specifications that engender successful unburdened business functions, services and processes while reducing barriers and silos for interoperability and data exchange. The GIP guidance is designed to be a global ICT reference tool with risk-based consideration, quality by design, and practicality at the forefront.

1.5.2. Risk Management

Risk Management is a set of good practices and guidelines to ensure that the things that can potentially harm an organization’s business are identified and managed. The risks addressed are not simply those pertaining to the lifecycle of the products and services offered by that organization (most often limited to regulatory compliance considerations), but the entire spectrum of risks inherent in the broader environment in which that organization conducts business. Risk management is applied to the people, process, technology and data in use in the Life and Health Science community today.

The Risk Management chapter provides a framework of best practices, along with tools, example standard operating procedures (SOPs) and sample use cases to assist Life and Health Science organizations in identifying applicable risks. Included in the best practices framework are recommendations of key elements of an effective risk governance structure.

At the conclusion of this chapter, IT professionals who serve and support the Life and Health Sciences Community will be able to incorporate the recommendations, best practices, SOPs and tools into their organization’s governance structure and overall risk management program.

It is important to note that this chapter does not tell the reader which risks are important or which risks to address. However, this chapter guides organizations in making informed decisions to manage their unique circumstances.

1.5.3. Training and Practices

The Training and Practices GIP chapter contains the suggested guidance for designing,

delivering, evaluating and documenting training critical to deploy GIP practices. This

chapter details how to ensure and demonstrate that all individuals (employees, temporary

staff, contract workers, and consultants, etc.) are qualified to perform their respective

duties in accordance with GIP practices.

Documenting requirements for training and the best practices for designing, delivering,

evaluating and documenting each individual’s training is a compliance requirement.

Management is responsible for confirming that all staff have the necessary knowledge and

skills. They must additionally prove individuals’ abilities to perform their jobs and that

their positions are aligned with specific job and functional role descriptions. Qualifications

and records attesting to proficiency when following a standard operating procedure must

be proven. This is often referred to as Training Records Management certifications.

Training is a dynamic process that must be continually evaluated to ensure the training

programs and associated materials keep pace with job requirements and performance

expectations. This chapter will provide the Life and Health Sciences community specific

guidance for creating, implementing and maintaining an effective, compliant training

program that is risk-appropriate and aligned with the needs of the business and GIP

practices.

1.5.4. Process Management

People run the processes and processes run the business. In parts of the organization that

manage IT, this is particularly true. System lifecycles, change control, service management,

delivery and support are all examples of processes that manage technology.

These processes have traditionally been hard to adopt for IT organizations. One of the

reasons for this is that the IT Organization’s traditional role has been seen as reactive and

non-value added. In today’s environment where systems must be reliable and robust, the

undocumented (i.e., not captured in an SOP) knowledge of one IT employee about a critical process that runs

the business creates risk that is unacceptable in the Life and Health Sciences community.

The Process Management chapter provides IT Organizations and practitioners with

consistent, reliable guidance on how to implement quality-driven processes that make

sense to IT and are effective. Included in this chapter will be examples of processes that

enable IT organizations to be innovative, cost effective and compliant.

1.5.5. Architecture

Architecture is the conceptual design and fundamental operational structure of a computer

system.

This chapter discusses Architecture as a discipline for Good Informatics Practices. In Life

and Health Sciences, architecture is applied both internally to the corporate IT Ecosystem

as well as to how the IT Ecosystem interacts with its external environment within and across

organizations.

Architecture operates on a variety of levels in Information Management, from business

strategy and industry standards, through operational processes and infrastructure design,

to the smallest components of internal hardware and software systems.

The use of Architecture as a principle in Life and Health Sciences IT/Informatics is essential

to achieve strategic as well as operational and tactical goals, and in many ways underlies

the core concept of best practices in Information Technology. Architectural processes

address high level organizational and IT goals in tuning technology designs, prioritization

and organizational capabilities to align to and meet the changing needs of the business

throughout the organization’s lifecycle. On an operational level, use of quality

architectures greatly increases the effectiveness of the technology organization by

reducing the difficulty of design, installation, and maintenance of systems and data.

Examples of architecture include:

- Business Architecture (Enterprise Architecture): business process and plans are

identified, and technology underpinnings and strategic planning aligned to them. In

organizations where Enterprise Architecture is used as a discipline, proactive

technology solutions are designed to meet existing and planned business, industry

and regulatory requirements.

- Systems architecture: technology platforms and business processes that contain

information are designed in a structured, layered fashion to ease development and

allow robust operation, interfacing and administration. Goals typically include

standardization of platforms and integration points to facilitate common

compatibility, economies of scale and reduction in risk and cost. Examples in

technology platforms include the selection of equipment standards, design of network

topologies, and the concepts of multi-tiered architectures, such as in web applications

and lab systems. Examples in information-centric processes include manufacturing

disciplines used in medical products, such as ISA-S95 and S88, where business scopes

are hierarchical and coupled for maximum throughput and flexibility.

- Software architecture (internal systems architecture): a best practice serving the

technical design of systems within a software or system development lifecycle (SDLC).

Architecture in this context includes the selection of languages, design of interfaces,

and use of design patterns in initial and ongoing development iterations.

- Data architectures: include design and development of the logical and physical

mapping of data in databases, use of metadata in driving logic, and adoption of

standardized terminologies. Key outcomes of software and data architectures include

speed and quality of development, ease of analyzing, testing and addressing risk in

complex systems, the matching of systems to business domain, and the longevity and

robustness of interfaces between components and systems.

1.5.6. Infrastructure / Cloud

Infrastructure is defined as the supporting technologies and operating environments that

enable business information systems to operate successfully. Trusted infrastructure is the

basis for trusted information systems. In today’s evolving technology landscape, costly

infrastructure purchases are being deferred or augmented with “Cloud” resources.

While these solutions are often quite effective and affordable, issues arise when the

systems must be trusted to perform Life and Health Science functions and pass audit.

Vendors, auditors and clients must have a common framework upon which to leverage

trusted “Cloud” and on-premise resources. This common framework must account for the

flexible nature of Cloud computing and the strenuous quality requirements of validated

systems while maintaining continuity with traditional on-premise solutions.

The Infrastructure / Cloud chapter provides organizations with the guidance necessary to

be confident that the infrastructure in use is appropriate and correctly qualified for its

intended use. This chapter will address infrastructure purchased and installed by

organizations (on-premise), cloud (collocated, hosted, IAAS, PAAS) and hybrid (on-

premise/cloud) models and provide effective guidance for organizations, service providers

and auditors to architect and operate trusted infrastructure.

1.5.7. Application Management

The alignment of an organization’s application portfolio with the organization’s

prioritizations is a rapidly evolving area of IT. The IT landscape is expanding with

companies adopting one or more of the application development and hosting strategies of

outsourcing, off shoring, in-sourcing, consolidating, etc. A means of rationalizing the

portfolio and its value proposition becomes even more complex when compliance and

other Life and Health Science specific considerations are incorporated.

The Application Management GIP addresses an organization's lifecycle management for

software applications and provides a knowledge framework for the IT professionals who

serve and support the Life and Health Science community. Industry best practices are

presented for managing the Total Cost of Ownership (TCO) as well as the business value of

the applications portfolio for the Life and Health Science community.

1.5.8. Data Management

Data Management in Life and Health Sciences is truly a matter of life and death. From

molecule to population, a wide range of stakeholders has interest in data: researchers

discovering new products and methods, physicians prescribing treatment for their

patients, and of course, patients and their families, regulators, hospitals, insurance

companies, and many more. Information technology evolutions provide new capabilities

while also creating new challenges. Mergers, acquisitions, divestitures and partnerships

result in further data requirements and complexities.

Today there is a lack of consistency in data standards and practices across companies and

industries within Life and Health Science. Further there are competing forces, such as

protection of intellectual property, accessibility, privacy, and regulatory compliance that

can make the data manager’s job in this field an extremely challenging one. Until now,

there hasn’t been one place for interested parties to quickly and effectively identify best

practices and standards related to this industry.

Some of the areas this chapter addresses are current data management standards, best

practices and methodologies for metadata, storage, retention, structured and

unstructured data, interoperability and data exchange. By having a good understanding

and methodology for addressing these areas, the stakeholders will gain more useful data,

find and access it quickly, and trust its accuracy to be able to make better decisions and

get actionable information useful to their work.

1.5.9. Validation and Verification

Validation and Verification (V&V) GIPs are a set of good practices and guidelines to

ensure that the people, processes, technology and data used to support medical

products throughout the product lifecycle, maintain pre-determined specifications for

quality and applicable regulations based on the intended use.

The V&V chapter will provide an understanding of best practices, along with tools and

example standard operating procedures to assist Life and Health Science organizations

to comply with their regulatory compliance requirements.

The V&V chapter provides concepts and methods for organizations to scale the rigor

and level of detail based on their business, regulatory and safety risks. Organizations

whose business scope is within the molecule-to-patient lifecycle will be able to make

use of these V&V best practices and concept materials and to incorporate them as part

of their overall quality program and processes.

The V&V chapter also lends itself as a knowledge framework for the IT professionals

who serve and support the Life and Health Science industry and need to expand their

skills to meet the customers’ regulatory expectations.

1.5.10. Security

Security GIP applies to all aspects of the people, processes, technology and data in the

Life and Health Science community. The security GIP will address the risks,

confidentiality, integrity and availability of the pertinent data and systems related to

medical products and services. The stakeholders for this chapter include corporate IT

organizations responsible for addressing such data and systems. They will use the

security GIP content to determine how to appropriately secure data and systems in

concert with applicable regulatory standards to protect the integrity and confidentiality

of subject matter data for patients.

The application of the security GIP can identify deficiencies in transformation of the

products, services and data. They will be able to guide the stakeholders to proactively

anticipate similar scenarios and apply the appropriate controls to benefit the target

cases with precautionary measures to avoid risks.

1.5.11. Program and Project Management

The project management best practice has proven to be more effective and has yielded

greater documented results in recent years. It is also evident that this methodology

when applied in Life and Health Science does not run in the same linear time cycles as

Information Technology. We do have the responsibility to synchronize the development

process beyond production and into patient related care activities and results.

It is important to understand as the ultimate stakeholder that we own the responsibility

for the discovery or invention of the product or device through the development

process and beyond. An efficient management of all phases of Life and Health Science

can significantly impact the viability of medical products or devices.

The role of demonstrated program and project management methodologies is an

important one. In fact, this responsibility can even continue long after the product or

device has received regulatory approval and been marketed – a period of time that

exceeds the lifecycle of practically every IT project. The benefit of the project

management methodologies and processes is realized through an end-to-end

relationship with the Life and Health Science community.

1.5.12. Electronic Submissions

The Life and Health Science industry is encouraged by many public health government

agencies [6][7] to utilize electronic submissions of human clinical research and market

[6] http://esubmission.emea.europa.eu/
[7] http://www.fda.gov/Drugs/GuidanceComplianceRegulatoryInformation/Guidances/ucm064994.htm

approval applications for medical products and even veterinary medicine [8]. It is clearly in

the best interest of the Life and Health Science industry to strongly support this

efficiency improvement. The US Food and Drug Administration (FDA) is building an

Electronic Submissions Gateway (ESG) as an Agency-wide solution for accepting

electronic regulatory submissions [9]. HIMSS & LSIT believe a global gateway is on the

horizon and will collaborate with government agencies and industry to assure this

process is expedited and harmonized to bring further efficiency worldwide.

Regulatory Affairs, Privacy and Security Officers, Clinical Development and IT leaders are

some of the stakeholders who are relying on learning best practices for electronic

submissions of medical product applications to the US FDA and international public

health government agencies. This chapter will address the regulatory requirements of

eCTDs in such areas as labeling, patient data management, and clinical study

applications, HIPAA, language and file structure, as well as generally accepted software

applications used by the US FDA and others.

One will have a better understanding of the systems requirements and procedures for

most types of e-Submissions allowing for expedient regulatory review/response and

processing.

- Labeling
- Clinical Study Applications
- Patient Data Management
- Product Approval Submission Documents
  - IND, NDA, SNDA, etc.
- Market Approval Applications
- Sales Communications
- Marketing Communications
- Product Problem Management
- Recall Management

1.5.13. Computerized Machines and Instruments

This chapter provides an understanding of best practices, along with tools and example

standard operating procedures to assist Life and Health Science organizations to plan

effectively, implement efficiently, and operate computer based or computer related

[8] http://www.fda.gov/AnimalVeterinary/DevelopmentApprovalProcess/ElectronicSubmissions/default.htm
[9] http://www.fda.gov/ForIndustry/ElectronicSubmissionsGateway/default.htm
    http://www.fda.gov/downloads/Drugs/DevelopmentApprovalProcess/FormsSubmissionRequirements/ElectronicSubmissions/UCM229728.pdf

systems and equipment within regulatory expectations. It will discuss subjects and

topics related to planning, design, implementation, operations and maintenance of

computer based or computer related systems and the equipment utilized. Examples

include computer based lab instruments or manufacturing equipment.

Topics include the effective management and efficient operation of IT infrastructure

systems (network, access control, change control, configuration management, etc.) in

support of regulated and other risk-averse environments.

This chapter is intended for IT professionals who serve and support the Life and Health

Science industry where computer based or computer controlled systems and equipment

are utilized, and for IT professionals who need to expand their skills to meet the

customers’ regulatory expectations.

Business managers (lab, operations, manufacturing, etc.) or others involved in planning,

design, implementation, operations and maintenance of systems where computers

(computer based or computer related systems and equipment) are utilized may also find

this chapter helpful. Examples include clinical laboratory, quality control laboratory,

meteorological laboratory, and manufacturing operations.

1.5.14. IT Strategy

The stakeholder for this chapter is anyone responsible for corporate and IT strategic

planning, budgeting and aligning IT with the organization’s business objectives. IT

Strategy addresses what it means for IT to be an enabler for the overall corporate

strategic plan. Developing strategic objectives for a long term and near term

perspective will help one to be responsive to advanced/leading edge technologies and

future trends and proactive in making good decisions for pursuing that technology or

not. By having an IT strategic plan, one can align with the business and corporate

objectives, deliver good IT governance and stay contemporary. Using the Risk Based

decision-making and Risk-based prioritization approaches will assist the stakeholder to

analyze and evaluate advanced technologies with a practical and quantitative focus as

well as a focus on quality. Some of these leading technologies include RFID, Sensors,

Wireless, Cloud, and other devices. This chapter will prepare one to make purposeful

decisions in planning for the future and identifying systems in an IT architecture

platform that is capable and scalable enough to refresh and incorporate these technologies

more proactively.

Appendix A - Glossary

Appendix B - Index

Together, these GIPs offer a framework that can be leveraged by each organization

based on their specific situation and risks to provide guidance and examples that

illustrate a practical set of best practices that can be implemented.

Acknowledgements

Special Recognition:

Elaine Wuertz, Elizabeth Kennedy, Anette Asher, Beth Everett Ph.D., Howard Asher

Go Team:

Linda Speake, John Kim, Anette Asher, Steven Fouskarinis, Cathy Francis, Gabor Fulop, Oscar Ghopeh,

Kimberly Green, Summer Harriff, Ph.D., Robert Sturm, Mark Vilicich, Ford Winslow

Technology Advisory Board:

Andrew Jacobson, Ph.D., Cliff Baker, William J. Branan, Monica Cahilly, Bikash Chatterjee, Leslie Cirillo-

Plante, Jason Cooper, John Kim, Paul Laskin, John McNeil, Richard Siconolfi, Linda Speake, David

Spellmeyer, Ph.D., Mark Vilicich, John F. Murray, Robert D. Tollefsen.

Industry Advisory Board

Ford Winslow, Kyle Brown, Michael J. Doyle, Michael Elliott, Keith Glassford, Greg Horowitt, Donald

Jones, Jeanine Martin, Steve Romeo, Dr. Michael R. Stapelton, Nicholas Ventresca

LSIT Board of Directors

Beth Everett Ph.D., Andrew Jacobson, Ph.D., Paul Allen, Anette Asher, Terry Schmidt DrHA, Andy Spinks,

Greg Caressi, Alan Edwards, Steven Fouskarinis, Charles Jaffe, MD, Ph.D., FACMI, Howard Asher, Paul

Laskin, Gerry Martin, Jonathan Morris, M.D., Geoffrey Odell, Ford Winslow

LSIT Founders

Anette Asher, Alan Edwards, William J. Branan, III CMC, Howard R. Asher, Edward Holmes, M.D., Ward

Fleri, Ph.D., Bart McDermott, Jay Kunin, Ph.D., Paul Laskin, Phil Bourne Ph.D., Gerry Martin, Jonathan

Morris, M.D., John C. Reed, M.D., Ph.D., Geoffrey Odell, Elaine Wuertz (1959-2009)

Vera Pardee, Jacqueline Townsend, Mark Miller Ph.D., Greg Horowitt, Benny Chien, Dr. Michael R.

Stapleton

Corporate Sponsors

Pfizer, Novartis, Amylin, Abnology, Salient Networks, Frost & Sullivan, Nodality, UniConnect,

Mission3, Biocom, DBM.