Partially Cloudy With a Chance of Value...run non-core applications in a public cloud, while maintaining core apps and sensitive data in a private cloud. Private cloud An offering

1

Partially Cloudy

With a Chance of Value

Dan Ringenbach Sr. Enterprise Architect, R&D Information, AstraZeneca

-Worked at AstraZeneca for 15 years in IT and clinical development.

- Enterprise Architecture

- Information Strategy

2

Agenda

Challenge

New Business Model

New business challenges

Turning to the Cloud in a Solution

Considerations

Security, Privacy

AZ Neuro Cloud Based Clinical Repository

Benefits / Value

Future

3

THE CHALLENGE

4

Dan Ringenbach, Sr. Enterprise Architect, R&D Information

March 6, 2014

5

Before New

Like it or Not, There is a New Business Model


March 6, 2014

The Old Scenario


March 6, 2014

The New Scenario


March 6, 2014

Information Exchange in a Trial


March 6, 2014

Information Explosion

• Electronic Health Records

• Real World Evidence Databases

• Social Networking / Blogs

• Patient Groups

9


March 6, 2014

https://www.google.com/url?sa=i&rct=j&q=&esrc=s&frm=1&source=images&cd=&cad=rja&docid=UL2Hp9h2g6yNwM&tbnid=hWa1a-lhV6qPxM:&ved=0CAUQjRw&url=https://www.iconfinder.com/icons/54511/blue_button_dark_blue_facebook_icon_icons_key_knob_navy_blue_pin_sapphirine_snap_symbol_tack_icon&ei=haFeUpL1BdGz4APR2YHQAg&bvm=bv.54176721,d.eW0&psig=AFQjCNGqHzuy-aHrnt5mYcttxuYU9TU9_Q&ust=1382019835633119

http://www.google.com/url?sa=i&rct=j&q=&esrc=s&frm=1&source=images&cd=&cad=rja&docid=Jcd1-bR0xtgjkM&tbnid=TN4vauwxEOyeaM:&ved=0CAUQjRw&url=http://technorati.com/business/article/why-small-businesses-cannot-be-scared/&ei=vaFeUveJFeTh4APVvYHwAg&bvm=bv.54176721,d.eW0&psig=AFQjCNGceEDwqTTAHIUMFoNpwkae28Qvtw&ust=1382019899215453

http://www.google.com/url?sa=i&rct=j&q=&esrc=s&frm=1&source=images&cd=&cad=rja&docid=ExUz1jaLqdq-kM&tbnid=GH8pUu8ZIXj-TM:&ved=0CAUQjRw&url=http://www.webseoanalytics.com/blog/10-tips-for-developing-a-successful-blog/&ei=V6JeUvTqMbT_4APd24DwCA&bvm=bv.54176721,d.eW0&psig=AFQjCNGG_ri-ZqGAsBel6LZ1t4IfvPSplw&ust=1382020050427813

http://www.google.com/url?sa=i&rct=j&q=&esrc=s&frm=1&source=images&cd=&cad=rja&docid=kRrpGt3QwXplqM&tbnid=9bjFektGSNsyXM:&ved=0CAUQjRw&url=http://2011.ucbannualreport.com/patient-centricity/Solutions/epilepsy&ei=jKJeUszbCJT64AOWyYDQBQ&bvm=bv.54176721,d.eW0&psig=AFQjCNHf8w_6G_jUaf3jL-FNhvYaUFfM3w&ust=1382020097804966

http://www.google.com/url?sa=i&rct=j&q=&esrc=s&frm=1&source=images&cd=&cad=rja&docid=FwbTBAoNgeZO6M&tbnid=UMjYCF-ZyGweNM:&ved=0CAUQjRw&url=http://www.wyomingincentive.com/&ei=BaNeUsqRLZGo4AOqnID4Aw&bvm=bv.54176721,d.eW0&psig=AFQjCNF4iF50WRGXAbJxtYdXsAefl7nviA&ust=1382020213067749

http://www.google.com/url?sa=i&rct=j&q=&esrc=s&frm=1&source=images&cd=&cad=rja&docid=XXmlhNc95zbJ9M&tbnid=OSZnh_YqC3Gi-M:&ved=0CAUQjRw&url=http://weill.cornell.edu/globalhealth/education/project_map_database/&ei=x6NeUp6xF8-44APO2oDIBQ&bvm=bv.54176721,d.eW0&psig=AFQjCNES_y3ErcCXDe69vjovZm1xjasIIA&ust=1382020378272497

10

Cloud solutions enable a distributed business model

…the question is “why would you not leverage the cloud?”

Before New

Like it or Not, There is a New Business Model


March 6, 2014

TURNING TO CLOUDS AS A SOLUTION

11


March 6, 2014

Cloud Acronyms & Definitions

SaaS Software-as-a-service is a model of software

deployment whereby a provider licenses an

application to customers for use as a service.

IaaS Infrastructure-as-a-service is the delivery of

computer infrastructure as a service.

IDaaS Identity-as-a-service refers to the practice of

delivering identity management as a service.

PaaS Platform-as-a-service refers to delivering a

platform or entire environment as a service.

(operating system, programming language,

database, and web server)

Public Cloud A cloud service that is hosted, operated,

and managed by a third-party vendor from

one or multiple data centers, and offered to

multiple customers.

Hybrid cloud An environment of internal or

external providers where an organization

run non-core applications in a public cloud,

while maintaining core apps and sensitive

data in a private cloud.

Private cloud An offering that emulates public cloud

computing, but on a private network.

OpenID An open, decentralized, free framework

for a user-centric digital identity. OpenID

eliminates the need for multiple usernames

across different websites,

simplifying your online experience.

SAML Security Assertion Markup Language is an

XML-based standard for exchanging

authentication and authorization data

between security domains—that is, between

an identity provider (a producer

of assertions) and a service provider (a

consumer of assertions).

Two-factor Authentication Two different factors are used in conjunction

to authenticate individuals.

IdP An identity provider is a service provider

that creates, maintains, and manages

identity information and asserts identities to

other service providers within a federation.

HIPAA The Health Insurance Portability and

Accountability Act was enacted by the U.S.

Congress in 1996 and requires entities that

process protected health information to

comply with security and privacy

requirements.

OAuth An open authorization protocol standard

lets users give third-party websites

limited access to data without giving away

passwords. The protocol enables websites or

applications (consumers) to access

protected resources from web services (SP)

via an API, without requiring users to

disclose their SP credentials to those

consumers.

SAFE HARBOR A policy agreement between the U.S. Dept of

Commerce and the European Union (E.U.) in

Nov. 2000 to regulate the way that U.S.

companies export and handle the personal

data of European citizens.

PII Personally identifiable information


March 6, 2014

Cloud Examples

SalesForce.com

Google Apps

iCloud

Microsoft (365,

Dynamic CRM)

Heroku

CloudFoundry

Amazon

Rackspace Microsoft Azure Google App

Engine

LongJump

Product/Application

as a Service

Infrastructure/Compute

as a Service

Network availability BT

Platform/Component

as a Service

Verizon AT&T


March 6, 2014

Why/when not to use the cloud?

Replacing an Existing system with a complex integration scheme (e.g. poor de-coupling)

• Although a cloud solution can be the path to cleaning up the application landscape moving one application at a time with the use of proper de-coupling technologies (e.g. SOA)

Total Cost of Ownership – is it economically viable • Total cost of a private cloud for regulatory system is more costly than total cost of ownership

(if internal managed & hosted)

• Consistent need for a given level of compute power (e.g. HPC) and total cost of cloud solution is more costly than TCO

Content or software license prohibits the cloud

There are simply no cloud offering in the space

Risk vs benefit of move is not worth it


March 6, 2014

CONSIDERATIONS PRIVACY & SECURITY

15


March 6, 2014

What is privacy?

The concept varies widely among (and sometimes within) countries, cultures, and jurisdictions.

Privacy rights or obligations are related to the collection, use, disclosure, storage, and destruction of personal data (or personally identifiable information—PII).

Organizations are accountable to data subjects, as well as the transparency to an organization’s practice around personal information.


March 6, 2014

Same physical or virtual instance


Satisfying PII transfer principle

e.g USA e.g EU

US PII EU PII

Integrated or

aggregated

Blinding

process

Analytics &

Navigation

Blinding

process


March 6, 2014

Data Security

When it comes to the security of data stored in a public cloud, you have two potential concerns:

1. What access control exists to protect the data? • Solution: Access control consists of both authentication and authorization.

2. How is the data that is stored in the cloud actually protected? • For all practical purposes, protection of data stored in the cloud involves the use of

encryption.

• The data should be encrypted at rest and in transit


March 6, 2014


Satisfying PII Security

US PII (encrypted)

Integrated or aggregated

(encrypted at rest)

Analytics & Navigation

Secured & encrypted transfer

PII = personally identifiable information

Secured access via authentication (e.g. 2

factor auth) with auditable logs

Data gathered under consent


March 6, 2014

Security and Privacy Controls

Infrastructure

Physical/Data Center Security

Firewall – Limited Port Access

Data Encryption at Rest

Application Security

Role based access

Federated User Authentication

System Use SOP

User Access Governance

Information Sharing Policies

Data De-identification Policies

PII – Informed Consent

Determination

Secure Backup,

DR

Data Encryption in Transit

Business Controls

System Controls

Private Cloud (IaaS, SaaS)

Single Tenant

Primary Use Guidelines

Secondary Use Guidelines

HIPAA Guidelines

Safe Harbor Policies

Validated

Environment

Corporate Privacy Policy

Training


March 6, 2014

AZ NEURO CLOUD BASED CLINICAL REPOSITORY

21

AZ Neuro

Clinical

Repository

Analysis Data & Models

Cloud Based

Repository

AZ Neuro

Clinical

Single Sign-on

Anywhere Web

Access

Maintain Data

Privacy

Store Data &

Documents

Validated - Part 11 Compliant

Use of Industry

Data Standards

Quick Delivery

Low Cost

Performance &

Scalability

Off-the Shelf

Software

SDTM, eTMF,

MedDRA AZDD

Trial Documents

CSP, ICF etc

Multiple Projects &

CRO’s

On-going Trial Data (blinded)

Encrypted At rest & In-flight

Ad Hoc Reports

Complex Custom Reports

Export Data To AZ

Search Data &

Documents

Use with SAS,

Spotfire

Cohorts & Datamarts

Cross-Trial Data

Pooling

Role Based Access

Enforce Data Sharing

Policies

Access & Share Data

Visualize Data

Legacy Trial Data

IT Support Services

Clinical Data

Services

http://www.google.com/url?sa=i&rct=j&q=&esrc=s&frm=1&source=images&cd=&cad=rja&docid=Q9229zM_sid1MM&tbnid=3Iy1DFNWNp8NSM:&ved=0CAUQjRw&url=http://www.gerd-neugebauer.de/software/TeX/BibTool/&ei=lid9Uq6fPI2hsATmg4Fw&bvm=bv.56146854,d.cWc&psig=AFQjCNFjNOsKAP1QscGq1h-KI4fkcmANUA&ust=1384020199108386

Solution Selection

• MAXISIT Partnering

• Global organization with 10 plus years experience in delivering integrated solutions for pharmaceutical and life sciences industry companies

• Strong partnership with strong involvement for business specification

• CTRenaissance® eXchange

• Industry leading Integrated Clinical Data Management Platform with required functionalities available out-of-the-box

• Flexible delivery models and global strength to support scalable needs

Security and Privacy Controls

Infrastructure

Physical/Data Center Security

Firewall – Limited Port Access


Application Security

Role based access

Federated User Authentication

System Use SOP

User Access Governance

Information Sharing Policies

Data De-identification Policies

PII – Informed Consent

Determination

Secure Backup,

DR


Business Controls

System Controls

Private Cloud (IaaS, SaaS)

Single Tenant

Primary Use Guidelines

Secondary Use Guidelines

HIPAA Guidelines

Safe Harbor Policies

Validated

Environment

AZ Privacy Policy

Training

RACKSPACE

MAXISIT

MAXISIT

RACKSPACE

AZ NEURO

AZ, PING, EXOSTAR


• AZ Neuro CDR application is secured and enables access to only authenticated and authorized users.

• Accessible only over https.

• High-grade encryption used (TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 256 bit keys)

• All the pages which users are able to view are encrypted before being transmitted over the internet.

• This will secure the encryption in transit from application to client browser.


March 6, 2014

Data Encryption in Rest

• Application is deployed in a secured hosting environment and behind the firewall with only port 443 (https) being enabled.

• Internal communications are originated and ended in a secure zone and no information is encrypted from one service to another service.

• For data storage, the application uses a MySQL database to store the transactional and asset related data and an Oracle database to store the clinical and analytical data

• The data is not encrypted at the database level.

• The content which is stored into the Repository will be encrypted by default and therefore can't be accessed directly by any user.


March 6, 2014


• For all the data backups Data Hosting includes AES256-GCM encryption to all (Linear Tape Open); LTO-based tape media to be shipped to offsite media vaults.

• Data Hosting ensures that all media sent offsite is shipped in locked, water-resistant and impact-resistant containers in order to protect the media from tampering, dropping or exposure to extreme environmental elements.

• Offsite vendor representatives do not have direct access to individual media containing customer data at any point or any time during the transport container’s offsite period.


March 6, 2014

BENEFITS - VALUE

28


March 6, 2014

29

Potential Benefits of Cloud

• Cost

• Reduced software license cost

• Reduced hardware hosting costs

• Speed

• Reduced hardware procurement and qualification time

• Reduced trial startup time

• Quality

• Increase in data quality

• Supports decoupled systems, API’s, web services


March 6, 2014

30

Potential Benefits of Cloud

• Maintenance

• Less customized technology and legacy systems

• Low footprint or no footprint applications

• Scalability

• Add additional storage or compute power as demand increases

• Virtualization enabled by cloud

• Ease of migration from one server to another

• Increased usage of resources

• Location Independence

• Access from anywhere


March 6, 2014

FUTURE

31


March 6, 2014

Clinical Cloud Platform Future Vision

• Facilitate a federated environment of interchangeable components where clinical information is easily and readily exchanged and is semantically interoperable both internally and externally with partners in a system-independent format that meets regulatory requirements for electronic data handling and archiving.


March 6, 2014

Study

Management

Component

Data

Management

Component

Lab Data

Component

ECG, MRI etc

Component

Data Store

Component

Analysis

Component

Patient Safety

Component

IVR

Component

Role Based Dashboard

Data Access & Visualization

Multiple Clouds in the Landscape

eTMF

Component

Trial

Transparency

Component

Trial Drug

Supply

Component

Sample

Management

Component

Trial

Transparency eTMF IVRS CTMS EDC

Document

Management

ECG Labs Safety Analysis &

Reporting

Data

Archive

Standards

Repository

Federated

Identity

Drug Supply

UI

Sample

Management

UI UI UI UI UI

UI UI UI UI UI UI

Protocol

Design

UI UI

UI UI


March 6, 2014

The Cloud is Growing

Process/Execute

Collaboration/Engage

Orchestration/Plan

Device (App Store)/Deliver

Analytics/Predict

Storage Content/Results

MS365

Innovation/Find

Big Data

Space

Identity

Google Docs

BPM

Clinical Apps

iOS, Android

Hadoop Watson Netezza

SaaS

NoSQL Cloud Backup & Storage

MongoDB Box AWS S3/Glacier

Teradata

Conferencing

Semantic Search

Identity as a Service


March 6, 2014

MDM

Component

Study

Mgmt

Component

Data Mgmt

Component

Lab Data

Component

ECG, MRI etc

Component

Data Store

Component

Analysis

Component

Patient Safety

Component

IVR

Component

Role Based Dashboard

Data Access & Visualization

Future Conceptual Landscape

eTMF

Component

Trial

Transparency

Component

Trial Drug

Supply

Component

Sample Mgmt

Component

Stats Programmer Safety Scientist

Informatics Scientist

GEL

Monitor Study Manager Investigator Data Manager Safety Case Handler

Regulator

Medical Writer

Program Designer

Reg Doc

Mgmt

Component

Program

Design

Component

Identity

Mgmt

Component

Enterprise Web Services

Identity

Management

Component

MDM

Component


March 6, 2014

36

Challenges

• Speed of Technology Change faster than business project cycles

• Outdated before implemented

• Speed of Regulatory Guidance leaves risk in adopting new technologies

• Assessing Risks in Privacy & Security

• Return on Investment – Does all this technology actually translate into better decisions, faster development?

• Data retention, control and access

• Mergers & Acquisitions


March 6, 2014

37

Dan Ringenbach

[email protected]

Questions?


March 6, 2014

38

Confidentiality Notice

This file is private and may contain confidential and proprietary information. If you have received this file in error, please notify us and

remove it from your system and note that you must not copy, distribute or take any action in reliance on it. Any unauthorized use or

disclosure of the contents of this file is not permitted and may be unlawful. AstraZeneca PLC, 2 Kingdom Street, London, W2 6BD, UK,

T: +44(0)20 7604 8000, F: +44 (0)20 7604 8151, www.astrazeneca.com