
Life Sciences Compliance in the Cloud

Enhance your security and compliance posture while automating GxP compliance with AWS.

GxP Systems on AWS

This whitepaper provides information on how AWS approaches GxP-related compliance and security and provides customers guidance on using AWS Products in the context of GxP.

At AWS, security and privacy are the top priority

Gain greater agility, improve security of sensitive and personal health information, and automate GxP compliance with AWS.

GxP regulation includes the underlying international pharmaceutical requirements, such as those set forth in the US FD&C Act (Food, Drug, and Cosmetic Act), the US Public Health Service Act (PHS Act), FDA regulations, EU directives, UK MHRA regulations, Japanese regulations, and other applicable national legislation or regulations under which a company operates. These include, but are not limited to: Good Manufacturing Practice (GMP), Good Clinical Practice (GCP), Good Laboratory Practice (GLP), Good Quality Practice (GQP), Good Pharmacovigilance Practice (GVP), medical device regulations, and the Prescription Drug Marketing Act (PDMA).

Acquire comprehensive compliance controls with AWS, including the ability to encrypt at scale, to help meet regulatory and industry standards such as PCI DSS, SOC, FedRAMP, NIST, ISO, HIPAA, and HITRUST. AWS supports more security standards and compliance certifications than any other offering, providing life sciences organizations with the tools, services, and visibility to move faster while remaining secure and compliant.

Building GxP systems on AWS allows for improved control over your IT environment, gives enhanced testing and traceability, and helps respond to audits.

Learn more about why leading life sciences organizations like Moderna and Bristol Myers Squibb choose AWS to run their regulated workloads.  

AWS & GxP Compliance

With access to purpose-built solutions, technical resources, and a team of GxP experts, AWS makes it easier for life sciences organizations to migrate existing regulated workloads and build new ones in the cloud. Designed to expedite the migration of regulated workloads, the GxP Compliance on AWS solution helps organizations establish a GxP-aligned environment that reduces costs, improves security, and enhances agility.

How AWS supports GxP compliance:

  • Automate the GxP compliance process: AWS provides the tools and guidance needed to automate the GxP compliance process so that you can move fast while staying compliant.

  • Develop a consistent and controllable infrastructure: By leveraging AWS to enable your GxP environment, you can create templates that let you deploy your infrastructure throughout your organization with a high degree of consistency. AWS also gives you deep control over who can affect elements of your infrastructure software and when, where, and how they do it. See how Merck has set up GxP System Assurance in the AWS Cloud.

  • Automatic traceability: Use AWS tools to automatically log a wide range of activities in your environment, including how the infrastructure is deployed and how it is accessed and configured. This improves traceability in your environment, making it easier to support audit requests.
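The three points above (a controlled deployment path, and logging of how infrastructure is deployed, accessed and configured) come together when an auditor asks who changed what, when, and whether they were allowed to. The Python below is an added example written for this page, not code from AWS or any AWS tool: it runs over constructed sample events in the CloudTrail record shape (eventTime, eventName, eventSource, userIdentity, requestParameters, readOnly) and produces a change report that flags any configuration change made outside a hypothetical approved deployment role (GxPDeployRole) or outside a change window, and any action that weakens the audit trail itself. The role name, change window, account number and sample events are assumptions for the example.

```python
"""Change-traceability report over CloudTrail-style events (added example, constructed data)."""
import json
from datetime import datetime, timezone

# Hypothetical policy values for the example. In practice they come from the
# customer's validation plan and change-control procedure, not from AWS.
APPROVED_CHANGE_ROLES = {"GxPDeployRole"}   # only this role should change GxP infrastructure
CHANGE_WINDOW_UTC = (8, 18)                  # changes expected between 08:00 and 18:00 UTC
# Actions that weaken the audit trail itself; reportable whoever performs them.
LOGGING_CONTROL_EVENTS = {
    "StopLogging", "DeleteTrail", "PutEventSelectors",
    "StopConfigurationRecorder", "DeleteConfigurationRecorder",
}

# Constructed sample events in the CloudTrail record shape; not real logs.
SAMPLE_EVENTS = [
    {"eventTime": "2024-03-04T10:02:11Z", "eventSource": "cloudformation.amazonaws.com",
     "eventName": "UpdateStack", "readOnly": False,
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/GxPDeployRole/pipeline-run-812"},
     "requestParameters": {"stackName": "lims-prod"}},
    {"eventTime": "2024-03-04T14:30:05Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "readOnly": True,
     "userIdentity": {"type": "IAMUser", "userName": "jdoe"},
     "requestParameters": {"bucketName": "batch-records-prod", "key": "lot-4471/report.pdf"}},
    {"eventTime": "2024-03-04T22:15:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "userName": "jdoe"},
     "requestParameters": {"groupId": "sg-0a1b2c3d4e5f60718"}},
    {"eventTime": "2024-03-04T11:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "readOnly": False,
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/GxPDeployRole/jdoe"},
     "requestParameters": {"name": "gxp-org-trail"}},
]


def principal(identity):
    """Reduce a userIdentity block to (label, role_name); role_name is None for IAM users/root."""
    if identity.get("type") == "AssumedRole":
        # arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName>
        _, role, session = identity["arn"].split("/", 2)
        return f"{role}/{session}", role
    return identity.get("userName", identity.get("type", "unknown")), None


def resource_of(event):
    """Pick the most identifying request parameter for the report line."""
    params = event.get("requestParameters") or {}
    for key in ("stackName", "groupId", "name", "bucketName"):
        if key in params:
            return params[key]
    return "-"


def findings_for(event):
    """Policy checks an auditor cares about; an empty list means the change was routine."""
    label, role = principal(event["userIdentity"])
    when = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    findings = []
    if event["eventName"] in LOGGING_CONTROL_EVENTS:
        findings.append("modifies the audit trail itself")
    if role not in APPROVED_CHANGE_ROLES:
        findings.append(f"change made outside the approved deployment role ({label})")
    if not (CHANGE_WINDOW_UTC[0] <= when.hour < CHANGE_WINDOW_UTC[1]):
        findings.append(f"change at {when:%H:%M} UTC is outside the change window")
    return findings


def traceability_report(events):
    """Split events into configuration changes (with findings) and read-only access, in time order."""
    changes, access = [], []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        label, _ = principal(ev["userIdentity"])
        entry = {"time": ev["eventTime"], "who": label, "action": ev["eventName"],
                 "service": ev["eventSource"].split(".")[0], "resource": resource_of(ev)}
        if ev.get("readOnly", False):
            access.append(entry)
        else:
            entry["findings"] = findings_for(ev)
            changes.append(entry)
    return {"changes": changes, "access": access,
            "flagged": sum(1 for c in changes if c["findings"])}


if __name__ == "__main__":
    print(json.dumps(traceability_report(SAMPLE_EVENTS), indent=2))
```

The check that matters most for traceability is the logging-control one: an approved role changing a stack inside the change window is routine, but the same role stopping CloudTrail logging is reportable regardless, because a gap in the trail is itself a finding an auditor will ask about. In a real environment the events would be read from the trail's S3 bucket or CloudTrail Lake rather than an inline list, and the policy values would come from the validation plan.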

AWS & Data Privacy

Earning customer trust is the foundation of our business at AWS. We earn this trust by working to meet our customers’ privacy needs and by being transparent in our privacy commitments.

Customers always manage access to their services and content. We do not access or use customer content for any purpose without the customer’s consent. With access to the most extensive global infrastructure, life sciences organizations can choose the region(s) in which their content will be stored. We will not move or replicate customer content outside of the customer’s chosen region(s) without the customer’s consent.


Shared Responsibility

Security and Compliance is a shared responsibility between AWS and the customer. This shared model can help relieve the customer’s operational burden as AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.

Customers remain responsible for other aspects of security, such as the measures used to protect their own applications, which is no different from running those applications in a traditional data center.


AWS Life Science Compliance Alignments / Frameworks

AWS Compliance Certifications:

  • The AWS compliance certifications demonstrate the “security of the cloud” and the operating effectiveness of AWS controls. Customers remain responsible for “security in the cloud”.
  • Customers can inherit the controls these certifications cover and use them to demonstrate part of their own compliance to auditors and regulators.
  • Certifications / Attestations: compliance certifications and attestations are assessed by an independent third-party auditor and result in a certification, audit report, or attestation of compliance.
  • Laws / Regulations / Privacy: AWS customers remain responsible for complying with applicable laws and regulations. In some cases, AWS offers functionality (such as security features), enablers, and legal agreements (such as the AWS Data Processing Agreement and the Business Associate Addendum) to support customer compliance.
  • Alignments / Frameworks: compliance alignments and frameworks are published security or compliance requirements for a specific purpose, such as a specific industry or function. AWS provides functionality (such as security features) and enablers (including compliance playbooks, mapping documents, and whitepapers) for these programs.

The shared responsibility model is central to any discussion of regulatory compliance. AWS brings in state-of-the-art technologies, goes through industry-standard certifications and attestations globally and regionally where possible, and aligns to industry frameworks to help facilitate the compliant implementation of AWS services for healthcare workloads. Under the shared responsibility model, customers can inherit those controls and capabilities to meet the needs of healthcare compliance in their region.

Frameworks

The information below provides representative certifications, healthcare laws and relevant frameworks.

Key Certifications & Attestations

  • ISO 9001
  • ISO 27001, 27017, 27018
  • SOC 1, 2, 3
  • PCI DSS Level 1
  • FedRAMP

Key Alignment & Frameworks

  • CSA (Cloud Security Alliance)
  • EU-US Privacy Shield (invalidated by the Court of Justice of the EU in July 2020; EU-to-US transfers now rely on Standard Contractual Clauses or the EU-U.S. Data Privacy Framework adopted in July 2023)
  • NIST
  • BioPhorum IT Controls
  • GxP

Compliance by Country

United States (Key Regulator: FDA)

The US Food and Drug Administration (FDA) established 21 CFR Part 11, its regulation on electronic records and electronic signatures. Part 11 applies to life sciences organizations whose records fall under the Federal Food, Drug, and Cosmetic Act, the Public Health Service Act, or any FDA regulation other than Part 11; collectively those are known as the “predicate rules”. In essence, Part 11 applies to a record kept in electronic form when a predicate rule requires that record to be created, maintained, or submitted.

Data Integrity & United States FDA:

Regulators around the world continue to scrutinize data integrity issues in the life sciences industry. FDA published guidance on data integrity to give life sciences organizations clarity so that these issues can be addressed proactively.


United Kingdom (Key Regulator: MHRA)

MHRA continues to place greater focus on data integrity. The increasing use of electronic data capture, automation of systems, and remote technologies has increased the complexity of supply chains and ways of working, including the use of third-party suppliers. MHRA published its data integrity guidance specifically to give the life sciences industry greater clarity and to set expectations for data integrity compliance.

Europe (Key Regulator: EMA) – applies to member states of the European Union

EU GMP Annex 11 applies to all forms of computerised systems used as part of GMP (Good Manufacturing Practice) regulated activities.

Data Integrity & EMA:

Data integrity continues to be an important topic worldwide. The European Medicines Agency (EMA) has published GMP guidance on data integrity covering data generated in the testing, manufacturing, packaging, distribution, and monitoring of medicines.
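The FDA, MHRA and EMA sections above turn on the same technical requirement: an audit trail for an electronic record that is computer-generated, time-stamped and attributable, and that cannot be edited or trimmed without that being detectable (21 CFR 11.10(e) puts it as record changes "shall not obscure previously recorded information"). The Python below is an added example written for this page, not code from AWS or any regulator: a hash-chained, HMAC-protected audit trail for a batch record, with constructed sample entries and two tampering attempts (editing a past entry in place, and deleting one) that verification detects. The record ID, user names, values and the HMAC key are assumptions for the example.

```python
"""Tamper-evident audit trail for an electronic record (added example, constructed data)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone


class AuditTrail:
    """Append-only, hash-chained trail of changes to one electronic record.

    Every entry records who changed which field, from what to what, when and why,
    and carries the MAC of the previous entry. Editing or deleting an earlier entry
    breaks the chain, so earlier values stay visible rather than being obscured.
    """

    GENESIS = "0" * 64

    def __init__(self, record_id, key):
        self.record_id = record_id
        self._key = key          # held by the audit service, not by record editors (assumption)
        self.entries = []

    def _mac(self, body):
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def append(self, user, field, old, new, reason, when=None):
        """Record a change. 'when' defaults to the current UTC time; the sample passes fixed values."""
        body = {
            "seq": len(self.entries),
            "record": self.record_id,
            "time": when or datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "user": user,
            "field": field,
            "old": old,
            "new": new,
            "reason": reason,
            "prev": self.entries[-1]["mac"] if self.entries else self.GENESIS,
        }
        entry = dict(body, mac=self._mac(body))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, index of the first bad entry)."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "mac"}
            if (body["seq"] != i or body["prev"] != prev
                    or not hmac.compare_digest(entry["mac"], self._mac(body))):
                return False, i
            prev = entry["mac"]
        return True, None

    def history(self, field):
        """Every value the field has held, oldest first: the previously recorded information."""
        return [(e["time"], e["user"], e["old"], e["new"]) for e in self.entries if e["field"] == field]


def build_sample_trail():
    """Constructed batch-record history; record ID, names, values and key are illustrative only."""
    trail = AuditTrail("BATCH-4471", key=b"example-key-kept-in-kms-in-real-deployments")
    trail.append("analyst.ok", "assay_result", None, "98.2", "initial entry",
                 when="2024-03-04T09:12:00+00:00")
    trail.append("analyst.ok", "assay_result", "98.2", "89.1", "transcription error corrected",
                 when="2024-03-04T09:40:00+00:00")
    trail.append("qa.reviewer", "status", "draft", "reviewed", "QA review complete",
                 when="2024-03-04T15:05:00+00:00")
    return trail


def tamper_edit_in_place(trail):
    """Rewrite history: make the out-of-specification value disappear from entry 1."""
    trail.entries[1]["new"] = "98.2"
    return trail.verify()


def tamper_delete_entry(trail):
    """Remove the correction entirely, as if the change never happened."""
    del trail.entries[1]
    return trail.verify()


if __name__ == "__main__":
    print("intact: ", build_sample_trail().verify())
    print("edited: ", tamper_edit_in_place(build_sample_trail()))
    print("deleted:", tamper_delete_entry(build_sample_trail()))
```

The HMAC key is the part to think about: if the people who edit records can also read the key, they can recompute the chain after editing it, so the key belongs to the audit service (in practice a KMS key or a signing service the application calls) and the latest MAC should be periodically anchored in a separate store. A plain SHA-256 chain without a key only proves the entries are internally consistent, not that nobody rewrote the whole chain.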


Get started

Contact our experts and start your AWS journey today.