18 May 2011

FDA Warning Letter - Secure Desktop



Observation

Date: 25 April 11
Link: FDA Warning Letter
4. Your firm has failed to exercise appropriate controls over computer or related systems to assure that changes in master production and control records, or other records, are instituted only by authorized personnel [21 C.F.R 211.68(b)].

For example, your firm lacks control of the (b)(4) computer system which monitors equipment, room differential pressure, room humidity, and stability chambers. Although the system is password protected for temperature and humidity set points, all employees have access to the room where the (b)(4) computer system is located and the external hard drive is not password protected. During the inspection we observed that an employee was able to alter or delete data without a password and save the changed file.

In your response, your firm states that additional controls were implemented including validating the remote access to the (b)(4) computer, password protecting the room where the computer is stored, and limiting the (b)(4) control room to authorized personnel only. Although your corrective actions may adequately address the protection of the (b)(4) computer from non-traceable changes, your firm has not taken a global approach to this deficiency. It is our expectation that your other manufacturing and laboratory computerized systems will be reviewed to ensure similar deficiencies do not exist.

Comment


This warning letter is a common observation relating to the security control of a computerised system, which can include Automation and Laboratory Systems. There are a number of ways controls can be established to ensure a secure environment and stop users having access to the computer hard drive, whether internal or external.

Generally, computerised systems used to interface with users (including Automation Systems, SCADA, Monitoring Systems and Laboratory) are rarely configured to secure the operating system. The operating system must be configured to secure the data and records stored on it. A standard Windows desktop allows the user to access the internal and external hard drives, USB drives and networked drives.

This FDA warning letter could have been cited against FDA 21 CFR Part 11, as the concern is the integrity of data and records stored on the computerised system. It is a regulatory requirement that data generated by computerised systems are secure and the integrity of the data is maintained.

Computer Settings
Windows can be configured to lock down the desktop. The secure environment can be established using Group Policy and Windows Registry settings to ensure that users have access only to the application. However, this approach is difficult to configure and requires significant effort to verify the settings.
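To reduce the verification effort described above, the registry values behind the lockdown can be read back and compared with an approved baseline. The following is an added example, not taken from the FDA letter or from any vendor; the baseline values and the output file name are assumptions for illustration, and the script only reads the registry.

```powershell
# Added example: read-only audit of desktop lockdown policy values.
# The baseline is an ASSUMPTION; replace it with the values from your own
# approved configuration specification.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$baseline = @(
    @{ Path = $explorer; Name = 'NoDrives';             Expected = 0x3FFFFFF }, # hide drives A-Z
    @{ Path = $explorer; Name = 'NoViewOnDrive';        Expected = 0x3FFFFFF }, # block browsing A-Z
    @{ Path = $explorer; Name = 'NoRun';                Expected = 1 },         # no Run dialog
    @{ Path = $system;   Name = 'DisableTaskMgr';       Expected = 1 },
    @{ Path = $system;   Name = 'DisableRegistryTools'; Expected = 1 },
    # Removable storage "deny all access" policy (Windows Vista / 7 and later)
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
       Name = 'Deny_All'; Expected = 1 },
    # USB mass-storage driver start type: 4 = disabled
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
       Name = 'Start'; Expected = 4 }
)

function Test-LockdownSetting {
    param([string]$Path, [string]$Name, $Expected)
    $actual = $null
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $actual = $item.$Name }
    # A missing value counts as a failure: the control is not enforced.
    $result = 'FAIL'
    if ($null -ne $actual -and $actual -eq $Expected) { $result = 'PASS' }
    $shown = '<not set>'
    if ($null -ne $actual) { $shown = $actual }
    New-Object PSObject -Property @{
        Computer = $env:COMPUTERNAME; User = $env:USERNAME
        Setting  = "$Path\$Name";     Expected = $Expected
        Actual   = $shown;            Result = $result
    }
}

$columns = 'Computer', 'User', 'Setting', 'Expected', 'Actual', 'Result'
$results = foreach ($s in $baseline) { Test-LockdownSetting @s }
$results | Select-Object $columns | Format-Table -AutoSize

# Keep the output as verification evidence (file name is an assumption).
$results | Select-Object $columns |
    Export-Csv -Path ".\lockdown-audit-$($env:COMPUTERNAME).csv" -NoTypeInformation

$failed = @($results | Where-Object { $_.Result -eq 'FAIL' }).Count
Write-Output "$failed of $($results.Count) settings do not match the baseline."
```

The HKCU values are per-user, so the script must be run in the session of the operator account being verified, not an administrator's. Running the same script on each system gives comparable evidence across manufacturing and laboratory computers.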

Secure Desktop
A third-party application such as Visual Automation's Secure Desktop can provide a simple desktop tool that can be configured to ensure that users only have access to applications they are authorised to use. The application is simple to configure and performs the Windows Registry edits directly from the options selected. It is capable of delivering only the applications that are required by the user (removing access to Windows Explorer, etc.) to provide a secure environment.

The application also allows for the configuration of access to USB ports and combined keystrokes.

Using a Secure Desktop (such as Visual Automation's Secure Desktop) can reduce the development time for locking down the Windows XP / Windows 7 environment. In addition, well-defined installation procedures will reduce the validation effort. The configuration of the Secure Desktop application can be verified to demonstrate that the system provides the required functionality, and the deployment can then be controlled via approved installation and configuration documentation (Standard Operating Procedure / Works Instruction).

In the FDA warning letter it was stated that:

Although your corrective actions may adequately address the protection of the (b)(4) computer from non-traceable changes, your firm has not taken a global approach to this deficiency. It is our expectation that your other manufacturing and laboratory computerized systems will be reviewed to ensure similar deficiencies do not exist.

The use of third-party applications with a common configuration can provide a cost-effective solution to demonstrate that the controls have been implemented and that a common approach has been adopted.

Note
The author is not affiliated in any way with Visual Automation, and the application is provided as an example of using third-party applications to secure the Windows Desktop of a computerised system used within the pharmaceutical environment to improve the security and compliance of the computerised system.

Comments on other available tools or solutions for securing the Windows Desktop for use in a pharmaceutical environment are welcome.
