Understanding risks related to

Information Systems

Humans are the most unpredictable factor, and the errors resulting from them must not be underestimated. They can have major impacts on the security and integrity of data and information systems.

These errors may stem from inadequate data handling, carelessness, lack of training, or negligence in applying security protocols by users. With technologies continuously evolving, the skills required may be lacking internally, whether for choosing suitable solutions or for performing IT management and maintenance tasks.

One can no longer ignore deliberate, malicious actions with lucrative or ideological goals, carried out through various cyberattacks. The ANSSI (French National Cybersecurity Agency) has published a report on the rise of incidents and alerts, from 2.87% in 2020 to 11.4% in 2023.

In the pharmaceutical and medical device sectors, such errors can lead to severe operational and legal consequences, including production downtime, loss of data integrity leading to incorrect product release decisions or wrong medical diagnoses, or leaks of confidential information.

Quality culture
Promote an organizational culture where data quality and security are top priorities.

Use of advanced technologies
Leverage advanced technologies, such as artificial intelligence to detect intrusions or anomalies, or blockchain to ensure secure and traceable data exchanges.

Access management
Implement strict access control measures over system and network rights in order to prevent unauthorized manipulations and malicious acts.

Life sciences companies are subject to strict regulations that are regularly updated by national or supranational agencies. For example, one can cite the GDPR (General Data Protection Regulation), ISO 14971 (risk management for medical devices), ISO 27001 (information security management), and FDA 21 CFR Part 11 (electronic records and signatures across GxP) which set out specific regulatory expectations.

Non-compliance may result from misunderstanding or lack of awareness of diverse regulatory texts, variable in scope depending on the international context. It may also stem from a lack of traceability or digital signature tools, often revealed during audits or inspections. Patient complaints may also highlight non-conformities concerning information system use and generated data.

Non-compliance can lead to financial penalties, loss of certification, damage to company reputation, or even a complete ban on production and sale. Data integrity and traceability are essential to prove compliance during audits.

Warning letters and recall notices from regulatory bodies such as ANSM (France) or the FDA provide concrete examples of significant impacts on patient health. These include massive recalls of cardiac monitoring devices due to cybersecurity rule violations and software validation failures, or product recalls prompted by falsified analytical data released via insufficiently validated computerized systems. The resulting legal, logistical, and market losses can total tens of millions of dollars.

• Compliance audits: Conduct regular audits to verify that systems meet current standards and regulations.
• Define compliance remediation action plans
• Rigorous documentation: Maintain complete, up-to-date documentation of processes and controls in place.
• Legal oversight: Work with legal experts to anticipate and respond to regulatory developments.

• Performing compliance audits of installations and information systems
• Defining and implementing risk analysis methodologies adapted to the context / IT risk management
• Conducting risk mapping and process analysis
• Carrying out criticality analyses and risk analyses of company information systems, and validating associated systems (“VSI link”)
• Defining and drafting Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP)
• Designing training programs and delivering Data Integrity training adapted to business contexts