indigobio's posterous

Randy Julian

Feb 8 / 12:08pm

Let the Data Flood Begin: Full Scan PK at MSACL

Development of a Small Volume Sampling Technique and LC-MS Orbitrap Assay for Pediatric Pharmacokinetic Studies of Fentanyl and its Metabolites (Uwe Christians, Clinical Research and Development, Department of Anesthesiology, University of Colorado Denver).  In this talk, Uwe showed the sensitivity and selectivity of using full scan data for PK type data.  Because you don't have to select a specific transition, you get a full spectrum during each acquisition, which can be interrogated later for metabolites that may not have been part of an initial hypothesis.  Kevin Bateman from Merck showed this type of experiment a few years ago at ASMS, but it appears that the Orbitrap can really do this experiment.  This blows up the amount of data collected in a PK study by at least an order of magnitude, and it increases the value of data stored for long term access by at least as much.

 

Feb 8 / 9:00am

Leroy Hood at MSACL: Data reduction will be the key to personalized medicine.

Dr. Hood suggests that signal-to-noise in biological measurements is so bad that we must use 1) statistics, 2) a deep understanding of the pathways, and 3) data integration to make any progress. All of his data is shown as networks, perfectly aligned with the large-scale linked data approach Indigo uses. Hood said: "Medicine is becoming an information science." If that's true, new approaches to informatics and IT will be essential.

Feb 1 / 8:46am

Indigo's Cloud Provider Highlighted as High Quality Security Example

Indigo BioSystems is now using BlueLock LLC to provide hosting/infrastructure for the Indigo Platform and our Software-as-a-Service offerings.  Indigo selected BlueLock for security-intensive applications in the pharmaceutical industry and apparently we are not alone.

From ComputerWorld: "Cloud security: Try these techniques now"

BlueLock's virtualized environment allowed data and volumes to move between systems in a dynamic, low-cost way that would be impossible with a traditional, hosted environment, Westgate says.

There were, however, security concerns to be addressed before Logiq³ would entrust its critical systems to BlueLock's cloud. The life reinsurance company handles death records, which include personal information like social security numbers, as well as financial data and information about major assets that its large financial customers have on their books. Although Logiq³ isn't regulated by the U.S. government's Sarbanes-Oxley Act, its customers in the financial sector are, "so they'll be auditing us," says Westgate. As a result, Logiq³ needed potential cloud vendors to demonstrate that they were in compliance with applicable regulations and could provide high levels of security.

The thing we like about BlueLock is the data protection architecture and the ability to perform audits while still achieving the elasticity and location transparency needed for SaaS.  We too are audited by our customers to ensure our applications protect data and prevent tampering.  The idea of separating roles is key to security in externally hosted systems.  Our approach discussed at the ALA Conference takes the separation one step further by encrypting the data so that neither the Indigo admins nor the BlueLock admins have the keys needed to access customer data.

Encryption adds to the security enabled by the "division of labor" described in the article:

The division of labor between Logiq³ and BlueLock actually strengthened security, because "no one person, or company, has all the keys to the kingdom," says Westgate.

Because BlueLock manages the firewall, for example, "none of my admins can go in and decide to sell or move the data," he notes. "And BlueLock admins can't do it either, because they don't control the systems."

Audits and accreditation are also needed because, as good as this all sounds, it won't work if the SOPs are not being followed or if there are holes in the procedures.

Therefore, due diligence is critical, Anderson says. Pfizer uses SAS 70 Type 2 certification, in which an independent third party audits the service provider's internal and data security controls. Anderson also verifies the vendor's level of Safe Harbor compliance and checks Dun & Bradstreet research to make sure it's legitimate, he adds.

Another standard by which to evaluate a service provider is ISO 27001, which defines best practices for designing and implementing secure and compliant IT systems.

While such standards provide a useful starting point, their criteria tend to be generic, says Gartner's Heiser. Companies still need to match a service provider's specific controls to their specific requirements, he adds.

For example, after checking out BlueLock's SAS 70 Type 2 accreditation, Logiq³'s IT staff did a further evaluation to "make sure the controls we require are supported by the controls they have in place," Westgate says. His team then followed up on discrepancies, identifying missing controls and working with the vendor on solutions. The company plans to repeat the process at least once a year, he says.

It is clear that shared services and externally hosted data are a part of pharma's future.  Indigo is working hard to make sure that its customers gain the benefits of this new approach while minimizing the risks.

To read more of what we are up to, check out our website and blog.

Jan 30 / 12:44pm

Pfizer and Indigo Discuss Shared Services on ALA 2010 Informatics Panel

Attached: ALA 2010 Panel Julian.pdf (250 KB)

I served on a panel in the informatics track at the Lab Automation Conference last week with people from Pfizer.  We were each allowed a couple of slides to do an introduction to a key point.  My slides are attached to this post.  The interesting thing to me was how aligned Indigo and the Pfizer scientists were on the use of shared services to improve productivity in research.  The idea expressed on the panel was that we can make our relationships with collaborators much richer by making data “location transparent” and the computational resources needed to process them “elastic”.  These are the two main promises of so-called cloud computing infrastructures.  The key is to encrypt everything in the shared service using security standards developed by other industries to ensure data protection while gaining the ‘elasticity’ and ‘location transparency’ by allowing selective access to data to those who need it.

The key idea expressed by the audience was that data security is the top concern of research organizations considering or using shared infrastructure.  I was delighted that there was strong agreement between Indigo and Pfizer on how to solve this problem and that the benefits would be an increase in productivity for everyone.

Jan 27 / 2:01pm

Summary from ALA

Indigo showed that the shared services that would arise from standards in data models and communications at the interface between pharma and CROs would require improved security and more flexible data models.