Defending Against Security Threats

By Brian T. Horowitz  |  Posted 2011-01-20

EU's EMA Balances Medication Approvals with Health Care Data Management

The equivalent of the U.S. Food and Drug Administration, the EMA (European Medicines Agency), based in London, is a public health agency in the European Union that approves drugs and provides guidelines for health care providers and pharmaceutical firms for a region spanning from the Arctic Circle to the Mediterranean Sea.

As the head of information and communications technology for the EMA, Hans-Georg Wagner oversees the IT operations of this regulatory agency. "The whole regulatory process of bringing drugs to market needs to be as sufficient as possible and as good-quality as possible so we can be sure that our scientific opinion stands," Wagner said.

Wagner spoke with eWEEK about how the EMA deals with the challenges of handling 100-plus information systems, aligning with worldwide standards, and storing and analyzing 70 terabytes of medical data.

How does the EMA approach health care IT?

We have what we call basic IT: financial and budget systems, human resources, electronic document management, record management, print and file serving, access control systems, etc. So that's standard stuff that anybody would need.

And going further out, there is a group of information systems directly related to the regulatory life cycle of medicinal products. So, for example, making sure that when a new application comes in, it's actually registered and there is a formal reply provided. That the tracking process starts, that we can follow who is doing what.

So everything to do with the internal and external processes that will eventually lead to a scientific opinion. And of course everything to do with the monitoring of risk-benefit profiles.

There is a family of information systems and standards and technical specifications called eSubmission, which is everything to do with using information technology to make it possible for applications and sponsors to submit their dossiers electronically in a single defined format, irrespective of the procedure, to all the regulators.

For these things to work, we understood not immediately but a few years into the program that to achieve interoperability across Europe, you do have to have a common data model, which in Europe is called the reference data model.

And of course you need what is called controlled terminology.

If you try and book a flight with one of the cheap or not-so-cheap airlines online and want to enter the departure airport and the destination airport, you don't have free text entry. You have to choose from a pick list. And that makes sure that you can't enter an airport that doesn't exist.


Dealing with Global Pharmaceutical Standards

And similarly controlled terminology in medical information systems is there to control the quality of input. If a doctor puts in a reaction that is suspected to have been caused by a drug, the doctor will select the description of this adverse event from a drop-down list he or she has access to.

We have in total now something like 4,000 organizations registered in one of our systems, and we have 8,000 individual users in that system. We have 21,000 users of our systems, of which 20,000 are external users.

Historical developments have actually led to de facto technology standards.

Many years ago, following an open call for tender, the European institution selected Oracle as the database management system. As a result, we have Oracle as the database standard. There are a few exceptions, but mostly it's Oracle.

This is one of these interesting discussions that is being had within the network, how to make sure these various national systems work with the European systems and with the European databases.

What are the leading health care IT issues for the EMA?

The most urgent and challenging one is how to go outside the EU today. Pharmaceutical really is global. It is necessary but not sufficient to have EU-wide standards. We need to have our standards aligned with worldwide standards. And we're working very closely with colleagues at the FDA and within ISO and HL7 to create worldwide technical standards: for example, to describe a medicinal product, to describe the minimal information and the way it's structured about an adverse drug reaction so that we can understand, for example, if the FDA sends us information about something that happened to a drug which is also sold in Europe.

And they tell us about some real insufficiency or reaction so that a patient or a specialist here in Europe can actually see that information and understand it, and also use it in his or her data analysis. So that's by far the biggest challenge ... to align ourselves with worldwide standards.

Changing a standard has a massive impact on the existing information systems. You have to change processing logic, and this causes big problems through Europe because people don't have the money to do that.

Managing Code, Database and Storage Expansion

I have some visions: I'm working with some of my colleagues in Europe about offering a common portal for all applications and sponsors, not just with intelligent forms but also with software service providers. So that depending on the size of the pharmaceutical company, they can go there to get whatever they need so they can have good-quality submission of dossiers to the regulators. And, of course, we also need to do this worldwide.

We're entering a period with very severe pressures on budgets. We have very strong pressure to reduce the cost of operation and also the cost of development.

How does the EMA's structural analysis software measure and scrutinize the 70 terabytes of data the agency stores?

We're using a product from a French company called Know and Decide, which allows us to monitor the consumption of actual storage used.

For us, this addresses two important issues. The first is to understand where we have duplicates we can throw out. The second, which in many ways is more demanding, is that I find myself at the beginning of every year signing purchase orders for what are large amounts of additional hard disk storage. My people assure me that that will be comfortably enough for the next two years.

What is Cast and how does it work?

Cast is a tool that analyzes source code. It looks at tables that don't have foreign keys.

If you have a source code versioning system, then you try to provision a project team with licenses for Cast and ask them to run it against the code produced at least once per iteration. And you would look at the results. It reports against a whole number of headlines to do with performance, maintainability, and several other issues. There are a total of six or seven headings. It will actually report to me as the CIO (but more importantly to the project manager and the software architect) a state of health of that source code.

We are now moving into a better proactive use of the tool. At the moment we have 125 seats licensed for the use of Cast.


Defending Against Security Threats

We use [Cast] for somewhere around 10 to 12 of our applications. Increasingly, project group by project group uses the Cast tool at different levels of granularity. Obviously a project manager and a software architect will look into things in much more detail than I will as the CIO. I have a dashboard, then I just look at the dashboard and if I don't see red, I just concentrate on something else.

You have this information at your fingertips, and you can dig in to lower levels of detail.

Then I can drill down to see where Cast highlights there's a problem. If you use Cast systematically and regularly, the debugging becomes much easier.
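As an added illustration of the kind of structural check Wagner describes Cast performing (tables with no foreign keys), and not a query from Cast or the EMA, here is an Oracle SQL query that lists, for the current schema, every table that neither declares a foreign key nor is referenced by one, and also flags tables lacking a primary key. It assumes only the standard USER_TABLES and USER_CONSTRAINTS dictionary views (constraint_type 'R' = foreign key, 'P' = primary key) and a single-schema data model.

```sql
-- Added example, not EMA or Cast code: find tables in the current Oracle
-- schema that take part in no foreign-key relationship at all.
-- USER_CONSTRAINTS.constraint_type: 'R' = referential (FK), 'P' = primary key.
SELECT t.table_name,
       CASE WHEN EXISTS (SELECT 1
                         FROM   user_constraints pk
                         WHERE  pk.table_name      = t.table_name
                         AND    pk.constraint_type = 'P')
            THEN 'yes' ELSE 'NO PRIMARY KEY' END AS has_primary_key
FROM   user_tables t
WHERE  t.table_name NOT LIKE 'BIN$%'          -- skip recycle-bin remnants
AND    t.table_name NOT LIKE 'MLOG$%'         -- skip materialized-view logs
-- 1) the table declares no foreign key of its own ...
AND    NOT EXISTS (SELECT 1
                   FROM   user_constraints fk
                   WHERE  fk.table_name      = t.table_name
                   AND    fk.constraint_type = 'R')
-- 2) ... and no other table's foreign key points at one of its keys.
--    A FK stores the name of the PK/unique constraint it references
--    (r_constraint_name), so resolve that back to the owning table.
AND    NOT EXISTS (SELECT 1
                   FROM   user_constraints fk
                   JOIN   user_constraints ref
                          ON  ref.constraint_name = fk.r_constraint_name
                          AND ref.owner           = fk.r_owner
                   WHERE  fk.constraint_type = 'R'
                   AND    ref.table_name     = t.table_name)
ORDER  BY has_primary_key DESC, t.table_name;
```

Tables that appear here are either genuinely standalone (lookup or staging tables) or places where integrity is enforced only in application code, which is exactly the list a project manager or architect would want to review once per iteration.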

What are the plans for Function Points? What does this initiative entail?

Function Point analysis is one of the ways people try to understand initially how much it will cost to build a software package. By doing function point analysis, you can have a measurement of the complexity of the program code.

Cast will tell me whether what I've spent for this Website is reasonable given the amount of complexity, whether I've paid too much or whether I've gotten away with paying little for it. You have the code written, and then you analyze for the number of function points. You have to have specialists that do this manually.

How does the EMA approach the security challenges of storing 70 terabytes of data?

We run standard state-of-the-art IT security. So we have the usual arrangement of cascaded firewalls. So it cannot be a systemic whole. We use specially certified consultants who are cleared at the military levels to check the design of our IT security systems.

We pay a specialized company to try and break into our systems. We have all of the required approaches.

What types of data breaches have you encountered?

We're running intrusion detection systems. Just before Christmas we spoke with the FDA on systems and what we do. Maybe because intrusion detection is not good enough, we have at the moment a very low number of attempted attacks, and we're not aware of any successful attack. These breaches have all been passive insider threats. If you analyze the difficult IT threats, you can divide them into passive versus active.

I consider, based on my own experience in IT, which now goes back 25 years, that by far the most dangerous threat is the active insider threat who you haven't promoted: a passive insider member of staff or insider getting code [or] information.

