The use of password managers to create, store, and reuse passwords across different systems and applications has gained popularity in our personal and professional lives. There are several benefits associated with the use of password managers. They enable users to establish strong passwords that are not easily hacked, copied, or guessed. Additionally, they keep the user from having to memorize a multitude of passwords, thereby creating efficient user access and eliminating any disruption in workflow. However, there are also challenges associated with mitigating risk and ensuring password manager compliance for the life science industry.

The biggest risk is if the password manager becomes compromised, as it then provides an easy mechanism for unauthorized use and raises concerns regarding the security of access into applications and systems. In the pharma and life sciences industries, this creates regulatory concerns for achieving compliance with Annex 11 and 21 CFR Part 11 requirements for limiting access to authorized individuals.    

Steps to Minimize Security Risks with Password Managers 

To minimize risk and take advantage of some of the benefits associated with the use of password managers, users should implement applicable IT general controls (ITGC), such as two-factor authentication, timed inactivity auto log off, and physical security. At a minimum, when using a password manager, you should consider taking the following actions: 

• Conduct system security and data integrity assessments of the affected system(s) through CFR Part 11 and other federal or local regulatory measures. 
• Adjust your browser settings to not remember or autofill passwords. This greatly reduces the potential for compromising password or data integrity and can be done at the enterprise level. 
• Establish and implement a written policy on data integrity including password management. 
• Implement two- or multi-factor authentication for systems (at minimum those that have quality impact). 
• Move to a single sign-on solution to reduce the password burden on employees 
• Determine enterprise-level controls and approaches for the use of password managers, whether browser- or app-based, and the limits on applications that users can install. 
• Train user community on updated or newly implemented security and data integrity policies. 
• Build a set of questions to ask yourself regarding the use of password managers in a GxP environment and how that may impact business processes and compliance with Part 11. 

Password Manager Compliance

The good news is the FDA understands that advances in technologies have the potential to reduce sources of error, optimize resources and processes, and reduce risk. Pharma and life sciences companies may consider using password managers and take advantage of the FDA’s current thinking regarding risk-based approach and the use of emerging technologies to improve efficiencies and effective utilization of resources. However, companies must also keep regulatory compliance and security top-of-mind.   

Clarkston has a long history of successfully supporting pharma and life sciences organizations in their efforts to comply with regulatory requirements. This includes the implementation of 21 CFR Part 11 compliant solutions across a multitude of enterprise ERPs, LIMS, and QMS applications as well as interfacing instruments or bidirectional system to system integrations.  

To learn more about our quality and compliance services, connect with our team today. 

Contributions from Charles Webb and Eric Borries