Title 21 CFR Part 11: Security Compliance

January 17, 2012 by
Filed under: Business, Compliance, Healthcare, Regulatory 
Security implementation details:

Security is part of the law: it is a stated requirement for Part 11 compliance. Here is what the regulation itself says:

Sec. 11.300 Controls for identification codes/passwords.

Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include:

(a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.

(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).

(c) Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.

(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.

(e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.

Here are some foundational security requirements for a Part 11 compliant system:

1 – Unique accounts for each user

2 – Encrypted connection to the system (SSL)

3 – Complex passwords required (numbers, symbols, minimum length)

4 – Passwords must be changed every 90 days

5 – Password history: no reuse within a year

6 – Lock the account after 3 failed login attempts (and send a notification to the administrator)

7 – Synchronize time on all servers

8 – Show the username, name, and last login date on screen at all times

9 – Automatically log the account out after 20 minutes

10 – Allow only one login at a time per account

11 – Log all activity in an audit log

12 – Display the software version on screen (about screen)

13 – Store passwords only as irreversible hashes, so they are not viewable by anyone

14 – Train people on security to thwart social engineering attempts

These feature requirements show that a Part 11 security system has a fairly high bar to clear, but having the features is not enough: you also need a validation process and training to complete compliance.
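As an added example (not code from the original post), here is a small Python model of the account controls in items 1, 3, 4, 5, 6, 9, 10, 11 and 13 above: salted PBKDF2 hashes instead of stored passwords, a complexity check, 90-day ageing, a one-year reuse window, lockout after three failures with an administrator notification, a 20-minute session timeout, one live session per account, and an audit log of every decision. The class and function names, the 12-character minimum length, the PBKDF2 round count and the clock passed in as `now` are assumptions made for illustration; the post specifies none of them.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy values from the post's list (items 3, 4, 5, 6, 9); MIN_LENGTH and PBKDF2_ROUNDS are assumed.
MIN_LENGTH = 12
PASSWORD_MAX_AGE = timedelta(days=90)
HISTORY_WINDOW = timedelta(days=365)
LOCKOUT_THRESHOLD = 3
SESSION_TIMEOUT = timedelta(minutes=20)
PBKDF2_ROUNDS = 100_000

def derive_key(password, salt):
    # Item 13: only this salted one-way hash is ever stored, never the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def password_matches(password, salt, digest):
    return hmac.compare_digest(derive_key(password, salt), digest)  # constant-time compare

def password_is_complex(password):
    # Item 3: minimum length plus upper-case, lower-case, digit and symbol classes.
    classes = [r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9\s]"]
    return len(password) >= MIN_LENGTH and all(re.search(c, password) for c in classes)

@dataclass
class Account:
    salt: bytes
    digest: bytes
    password_set_at: datetime
    history: list = field(default_factory=list)  # (salt, digest, retired_at) of old passwords
    failed_attempts: int = 0
    locked: bool = False
    last_activity: datetime = None  # None means no live session

class AccountStore:
    def __init__(self):
        self.accounts = {}
        self.audit_log = []            # item 11: every decision is recorded here
        self.admin_notifications = []  # item 6: lockout alerts for the administrator

    def _audit(self, now, username, event):
        self.audit_log.append((now.isoformat(), username, event))

    def _refuse(self, now, username, reason):
        self._audit(now, username, "refused: " + reason)
        return reason

    def create_user(self, username, password, now):
        if username in self.accounts:
            raise ValueError("usernames must be unique")  # item 1
        if not password_is_complex(password):
            raise ValueError("password fails complexity policy")
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, derive_key(password, salt), now)

    def change_password(self, username, new_password, now):
        # Returns None on success, otherwise the reason the change was refused.
        acct = self.accounts[username]
        if not password_is_complex(new_password):
            return self._refuse(now, username, "complexity")
        # Item 5: refuse any password that was in use at any point in the last year.
        for salt, digest, retired_at in [(acct.salt, acct.digest, now)] + acct.history:
            if now - retired_at <= HISTORY_WINDOW and password_matches(new_password, salt, digest):
                return self._refuse(now, username, "reuse")
        acct.history.append((acct.salt, acct.digest, now))
        acct.salt = os.urandom(16)
        acct.digest = derive_key(new_password, acct.salt)
        acct.password_set_at = now  # item 4 counts from here
        self._audit(now, username, "password changed")
        return None

    def login(self, username, password, now):
        # Returns None on success, otherwise the reason the login was refused.
        acct = self.accounts[username]
        if acct.locked:
            return self._refuse(now, username, "locked")
        if not password_matches(password, acct.salt, acct.digest):
            acct.failed_attempts += 1
            if acct.failed_attempts >= LOCKOUT_THRESHOLD:  # item 6
                acct.locked = True
                self.admin_notifications.append(f"{username} locked at {now.isoformat()}")
            return self._refuse(now, username, "bad password")
        if self.session_active(username, now):  # item 10: one live session per account
            return self._refuse(now, username, "already logged in")
        if now - acct.password_set_at > PASSWORD_MAX_AGE:  # item 4: force a change first
            return self._refuse(now, username, "password expired")
        acct.failed_attempts = 0
        acct.last_activity = now
        self._audit(now, username, "login ok")
        return None

    def session_active(self, username, now):
        # Item 9: the session ends after SESSION_TIMEOUT without activity.
        acct = self.accounts[username]
        if acct.last_activity is None:
            return False
        if now - acct.last_activity > SESSION_TIMEOUT:
            acct.last_activity = None
            return False
        return True
```

Passing `now` in explicitly keeps every policy decision deterministic, which is what makes the validation step mentioned above practical to script; a real system would take the clock from the synchronized servers of item 7 and write the audit records to storage that users cannot alter.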
