February 2011
© Healthcare Information and Management Systems (HIMSS)
Good Informatics Practice (GIP) Chapter 1 - Executive Summary
A framework for trusted information systems
Ford Winslow, Anette Asher, Steven Fouskarinis, Gabor
Fulop, Damian Gomez, Oscar Ghopeh, Andrew Jacobson,
John Kim, Linda Speake, Mark Vilicich, Howard Asher
Good Informatics Practice (GIP) Chapter 1 - Executive Summary
2011
www.himss.org Page 2 of 24
Preface
The Life Sciences Organizations, Health Care providers, Food Processing and Cosmetic Industries are governed and regulated by domestic and international government agencies and ministries whose prime purpose is to protect public health. These regulating bodies often issue various ‘Guidances’ suggesting various areas of recommended “Good Practice.” These Good Practices Guidances frequently refer to associated functional areas and relevant standards and regulations. They provide a means to adopt these guidances in order to safeguard the public health and safety and minimize the risk associated with specific products or services.

Today most of the business services employed by these regulated companies and institutions are facilitated by information technologies (IT). As IT business services gain wider and deeper adoption by these regulated firms, so does the IT complexity. Currently, the government agencies and ministries that routinely inspect these regulated firms don’t have the tools necessary to be able to inspect objectively all of the complex IT systems that are at the core of critical business services and functions.

The Life Sciences Information Technology (LSIT) Global Institute was founded in May 2004 with its first public announcement in the same month on a local San Diego news channel.[1] The genesis of LSIT occurred during a meeting of Federal Drug Administration’s (FDA) IT management and Sun Microsystems celebrating the successful conclusion of a Cooperative Research & Development Agreement (CRADA). During this meeting the FDA’s IT management was asked to speak about its greatest concern with IT rapidly converging into the life and health sciences industry. Their response: “Of the top 100 life sciences companies we regulate, they do the exact same thing with IT systems, 99 different ways – tell us which one we should trust?”

The LSIT Founding Committee[2] was formed to determine if ‘we’, the industry, could develop an IT guidance called Good Informatics Practice (GIP) that eventually the US FDA and other international regulatory public health bodies could trust. LSIT Global Institute’s founding was modeled after the International Committee on Harmonizing (ICH).[3] The ICH set about the process of organizing world experts to develop what is called today Good Clinical Practice (GCP) and spent a number of years globally socializing, redrafting and obtaining international acceptance of GCP.

Good Informatics Practices (GIP) are methods and processes of aligning IT Governances with Corporate or Institutional Objectives, Regulations and Industry Best Practices. GIP leverages a risk-based framework, scaled in direct proportion to risk to health and public safety, that enables companies, regulatory agencies and the public to trust IT business services that may impact Food, Cosmetic or Medical product quality or public safety.
Howard Asher
Founder, LSIT
[1] LSIT public debut video link http://www.scivee.tv/node/12332
[2] www.lsit.org/about/foundingcommittee.php
[3] www.iCH.org
Preface
1. Executive Summary
1.1. Introduction
1.2. Intended Audience of GIP
1.2.1. Life and Health Sciences Industry Technology Practitioners
1.2.2. Auditors and Regulators
1.2.3. Internal Quality Organizations
1.3. Examples of Successful GIP Outcomes
1.3.1. Audit
1.3.2. IT Quality
1.3.3. Vendor Management
1.3.4. Trusted Data Interchange
1.3.5. Certification
1.3.6. Validation and Verification
1.3.7. Trusted Modeling
1.4. Framework Organization and Layout
1.4.1. Technology Governance GIPs
1.4.2. People GIPs
1.4.3. Process GIPs
1.4.4. Technology GIPs
1.4.5. Data GIPs
1.5. The GIP Body of Knowledge
1.5.1. IT Governance and Corporate IT Policy Management
1.5.2. Risk Management
1.5.3. Training and Practices
1.5.4. Process Management
1.5.5. Architecture
1.5.6. Infrastructure / Cloud
1.5.7. Application Management
1.5.8. Data Management
1.5.9. Validation and Verification
1.5.10. Security
1.5.11. Program and Project Management
1.5.12. Electronic Submissions
1.5.13. Computerized Machines and Instruments
1.5.14. IT Strategy
Appendix A - Glossary
Appendix B - Index
Acknowledgements
1. Executive Summary
1.1. Introduction
This guidance document is intended to assist Life and Health Science organizations by
describing a model for demonstrating trust in the governance, people, processes, technology
and data used across the lifecycle of health delivery from molecule to population.
Good Informatics Practice (GIP) describes one comprehensive model for aligning the IT and
Informatics functions that support Life and Health Science organizations with the strategic,
commercial and regulatory goals of the business. Information Technology supports all business
and scientific functions within life and health science organizations. GIP is a model by which an
organization’s IT function may support business, scientific, medical and other functions
concurrently and be trusted to comply with all applicable regulations. GIP is not intended to
create new regulation or replace existing standards. Rather, GIP is intended to be guidance for
the Life and Health Sciences community that refers to applicable regulations, best practices and
industry standards so that the industry and regulators alike may have a common framework
and language.
Successful adoption of GIP represents industry and regulatory joint support of an effective
framework for trust in the data generated, stored, manipulated and used in the Life and Health
Sciences community. Trusted data and information systems are the basis for all discovery and
delivery of safe and effective therapies. GIP is designed to facilitate technical innovation and
continual improvement in informatics while maintaining trust in the data these systems
produce, store, transmit, modify and retrieve.
The HIMSS Life Sciences Information Technology Committee (LSIT) recognizes that each
organization’s circumstance is unique. This guidance document does not establish enforceable
standards or responsibilities for industry. Instead, GIP demonstrates practical strategies,
approaches and tools that organizations may adopt and use to achieve the optimal outcome
for each unique circumstance.
In order to support industry innovation and continual improvement, the GIP has been designed
in an open, flexible architecture that references other relevant standards where possible. LSIT
realizes new technologies and regulatory strategies are constantly being developed. To help
facilitate adoption of new technologies and innovative practices, GIP has been designed to
evolve with the scientific and technical landscape to capture current best practice and leave
space for future innovation.
1.2. Intended Audience of GIP
GIP is intended for any person or company managing or using IT while performing business
services within organizations governed and regulated by domestic and international
government agencies and ministries whose prime purpose is to protect public health.
1.2.1. Life and Health Sciences Industry Technology Practitioners
GIP is intended to provide guidance for those who implement, maintain, validate, use or
otherwise are concerned with information systems. GIP is built around general best
practices and specific examples with guidance on how to scale activities relative to an
organization’s risk and maturity. GIP provides qualified technology practitioners with Life
and Health Sciences specific knowledge necessary for their jobs.
1.2.2. Auditors and Regulators
GIP is intended to provide a common framework around which internal and external
auditors may gauge the applicability and compliance of common best practices.
Scalability is built into GIP in all areas so that organizations and auditors alike may
objectively determine which best practices should be implemented based on product risk
and maturity.
1.2.3. Internal Quality Organizations
GIP is intended to provide a “lingua franca” among IT and Quality staff and organizations.
By leveraging quality-driven best practices for people, processes, technology and data, IT
organizations begin to speak the language of Quality and can thus partner with those
parts of the organization for optimal outcomes that will ultimately benefit all medical
products.
1.3. Examples of Successful GIP Outcomes
Multiple positive impacts are achieved as GIP is deployed within the Life and Health Sciences
community. The overarching result is trust, by all stakeholders, of the IT business services and
infrastructure systems within the entire ecosystem.
An important paradigm shift is considered to be the optimal outcome once a GIP process is
fully deployed to the “GIP Certified” state. The IT staff contributes far more, and applies its
skills more fully, to IT-centric business initiatives, and thereby grows and strengthens the
core values of the business.
1.3.1. Audit
Auditors must have unambiguous standards against which to audit. Today it is up to each
organization individually to determine the standards with which it will align. Having a
common reference framework for auditors and organizations is an optimal outcome of
GIP.
1.3.2. IT Quality
IT departments and staff must have the tools they need to be innovative and support
complex, regulated technologies in a cost-effective, timely manner. By providing a
Quality-by-Design framework for IT, organizations will have the tools necessary to provide
high-quality, efficient services that are of appropriate quality to meet the needs of the
business and regulations. Examples of Quality-driven IT practices and processes are an
optimal outcome of GIP.
1.3.3. Vendor Management
Manufacturers and Vendors must provide products and services to a wide array of clients
in many different industries. In order for those vendors to also serve the Life and Health
Sciences community, they must understand the unique regulatory, business and
operational challenges that face this community. Providing guidance to manufacturers
and vendors on information systems for how to provide high-quality service to the Life
and Health Sciences industries is an optimal outcome of GIP.
1.3.4. Trusted Data Interchange
In order to enable a wide array of optimal outcomes for patients, there must be a
framework for trusted data interchange among all the parties in the Life and Health
Sciences community. Translational medicine and public health policy decision-making are
made much more efficient and robust by leveraging common standards for data
management and interchange. Data de-identification and other security and privacy
issues must also be solved in order to facilitate trusted data exchange. Providing trusted
guidance for Life and Health Science organizations to manage and exchange data for the
benefit of patients and the public is an optimal outcome of GIP.
1.3.5. Certification
Professionals and organizations benefit from certification that is based on a trusted
framework and body of knowledge. Certification provides a basis for trust that can lead to
time and cost efficiency and simplicity at the time of audit. Providing the basis for
certification in Good Informatics Practice is an optimal outcome of GIP.
1.3.6. Validation and Verification
Organizations spend vast amounts of money and time validating information systems for
use in regulated environments. Often each organization must determine its own
validation strategy and make best effort judgments on the scale and scope of validation.
Providing organizations and auditors with common guidance on efficient, appropriate
validation and verification is an optimal outcome of GIP.
1.3.7. Trusted Modeling
The global Life and Health Sciences community and the patients this community serves
require trusted computational modeling of disease states, injuries and disorders as well as
the therapies required to restore health or improve quality of life. The complexity of
disease identification and therapy choices requires computational resources to be able to
efficiently and confidently treat patients with minimal risk. The skyrocketing costs of
therapy development along with the explosion of research data also require
computational modeling to be able to confidently develop innovative therapies with
minimal risk. Providing the guidance within which Trusted Modeling can occur is an
optimal outcome of GIP.
1.4. Framework Organization and Layout
GIP applies to all information and computerized systems used by an organization. LSIT realizes
that organizations use shared infrastructure for regulated and non-regulated functions. In
support of this, the GIP focuses on identifying where computer systems are used for regulated
business functions and appropriately applying control to those systems based on risk.
GIP applies to the governance and regulations, people, processes, technology and data that
make up the Information Ecosystem.
Figure 1: GIP Alignment
1.4.1. Technology Governance GIPs
Most, if not all, organizations have a business function dedicated to Information
Technology. This function may be in-sourced, out-sourced or co-sourced and can vary in
size from one part-time individual to a staff of hundreds or thousands. In all cases, some
level of governance is required to enable optimal outcomes over the life of the
organization and comply with applicable regulations.
Governance usually occurs at multiple levels. The organization as a whole may have some
rules around decision-making. Financial limits are common, but organizations may or may
not choose to formally govern initiatives, risk management and other key governance
factors. Organizations may also group hardware, software, configurations, procedures
and data into systems and govern those systems. Application governance or data
governance for specific functions are common. Technology Governance can take many
forms and may be implemented many ways. No matter the tools and methods used for
governance, the outcome of effective governance is a trusted IT Ecosystem.
This diagram is an example of the breadth of the scope of the IT Ecosystem by function.
Figure 2: Example IT Ecosystem Functional Diagram
An organization may choose to implement these IT functions in an organizational format
such as the one depicted in Figure 3.
Figure 3: Example Organization IT Ecosystem
Each organization must choose how to design, build and govern its IT Ecosystem based on
the organization’s specific risk and business circumstances. Governance GIP gives the Life
and Health Science community tools to build an effective governance program.
1.4.2. People GIPs
People are the most critical part of an information system. People purchase, implement,
operate and decommission technology. People perform processes that leverage
technology to achieve business results in their everyday work, where technology has the
capacity to create, modify, transmit, analyze and delete data that are used in regulated
activities. The people who implement, use and maintain information systems must be
trusted to perform their roles reliably and effectively, and must be qualified to do so.
Additionally, the organization must demonstrate that proper care is taken when
recruiting, hiring and managing personnel.
People are also a critical link in information security. Most security breaches are related to
human causes. Effective practices for managing personnel improve not only the
effectiveness and compliance of the organization, but also the security and quality of the
data and systems in use.
People GIPs provide best practices that organizations can adopt to demonstrate to
regulators, business partners and customers that personnel can be trusted to carry out
responsibilities. This section of GIP does not replace the need for other standards and
bodies of knowledge. These GIPs provide tools and strategies that can be adopted by
organizations as well as references to other, more in-depth standards and best practices.
1.4.3. Process GIPs
Reliable, repeatable processes are how high performing organizations deliver trusted
services to their customers, business partners and regulators alike. Processes link people
with technology. Most frameworks for compliance have some level of process. COBIT,
ISO, ITIL and others all leverage process frameworks to achieve results over a wide array
of technology. IT professionals in the Life and Health Sciences are faced with multiple
process frameworks from which to choose.
Trustworthy processes allow tasks to be performed with a high degree of accuracy and
confidence. They leverage technology in a consistent and reliable way. This consistent
use of technology has many benefits. Systems (and validation) can be simpler, cheaper
and easier to maintain if the regulated use of the system is consistent. Consistency also
allows for better and more focused allocation of IT resources, which drives quality higher
and reduces total cost of ownership (TCO). For the most critical systems, trusted
processes result in decreased risk due to error or mishap and the ability to recover
systems quickly and provide business continuity.
Process GIPs represent a common process framework that can be implemented by an
organization to reduce specific risks. These GIPs leverage these and other existing
standards to implement appropriate processes correctly.
1.4.4. Technology GIPs
Hardware, software and the configurations applied to that hardware and software make up the
technology in each information system. These systems in turn are leveraged to carry out
business processes. The Technology Ecosystem can be broken down into discrete
elements. These elements or systems each have unique requirements, hardware,
software, configurations and testing needs. Each organization assembles technology to
meet its unique business and compliance needs.
When these systems are used for regulated business functions, organizations must
demonstrate and “…provide a high degree of assurance that a specific process will
consistently produce a product meeting its pre-determined specifications and quality
attributes.”[4] That means organizations must “establish by objective evidence that all
software requirements have been implemented correctly and completely and are
traceable to system requirements.”[5]
This section of GIPs provides organizations with strategies and tools they can adopt that
will help them correctly purchase, configure, implement and maintain the hardware and
software used by industry. They contain requirements for manufacturers, integrators,
providers, resellers and purchasers of technology. These GIPs also provide specific
guidance, where possible, on key configurations or activities that lead to trusted
technology. Also provided are testing recommendations to demonstrate that the
requirements have been met and the hardware, software and configurations
implemented correctly.
1.4.5. Data GIPs
Data are the core of all regulated activity. Regulations, best practices and standards are
created to ensure data can be trusted throughout its lifecycle. Data are used in all manner
of regulated processes from product development to clinical trials, to manufacturing and
testing, to healthcare delivery and reimbursement. Trusted data are critical to enabling
trusted decisions.
Development and delivery of therapies are increasingly dependent upon electronic data.
Data sets are becoming so voluminous that warehouses are incapable of storing all the
necessary data. Search and retrieval would require a small army. For these reasons,
paperless development and delivery is a reality today and increasingly will be adopted by
the Life and Health Sciences community. Paper “safety nets” will not be viable. Electronic
data must be trusted to be the definitive source record for the Life Science and Healthcare
industries.
Organizations are increasingly obligated to maintain trusted data. The consequences for
not maintaining trusted data can range from embarrassment to financial penalty to felony
charges. Having a framework for maintaining trusted data is becoming a requirement in
Life and Health Sciences.
[4] http://www.fda.gov/downloads/Drugs/GuidanceComplianceRegulatoryInformation/Guidances/UCM070336.pdf
[5] http://www.fda.gov/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm085281.htm
Trusted data enables decisions that can be relied upon to save lives and positively impact
public health. When trusted data interchange becomes a reality, data can be shared in
ways that are impossible today. Organizations pay immense sums of money to generate
data sets which, in some cases, might otherwise be mined from existing data. Modeling
and other visualization technologies could replace invasive studies, with the resulting data
sets trusted by scientists.
These GIPs provide organizations with tools and best practices that will enable their data
to be trusted as appropriate for their situation. These GIPs can be adopted by an
organization based on business need and risk.
1.5. The GIP Body of Knowledge
Figure B: Topical Structure of GIP Guidance
1.5.1. IT Governance and Corporate IT Policy Management
The Life and Health Sciences business functions, services and processes are rapidly
becoming codependent upon information and communications technologies (ICT). These
ICT Life and Health Sciences systems must be as trustworthy as the former paper-based
systems. All stakeholders must be able to trust ICT healthcare and life sciences systems, and
those systems must successfully withstand any independent third-party governance audit.
Stakeholders who will benefit from this chapter include those in leadership roles in the
“C” Suite, and IT Managers and Quality Managers who are responsible for strategic
alignment, quality controls and assurances, compliance and efficient IT ecosystem
workflows.
This chapter will address the institutional and corporate governances of ICT systems
throughout the entire IT and corporate ecosystem. It includes associated functional and
clear ICT policy, procedures and specifications that engender successful, unburdened
business functions, services and processes while reducing barriers and silos for
interoperability and data exchange. The GIP guidance is designed to be a global ICT
reference tool with risk-based consideration, quality by design, and practicality at the
forefront.
1.5.2. Risk Management
Risk Management is a set of good practices and guidelines to ensure that the things that
can potentially harm an organization’s business are identified and managed. The risks
addressed are not simply those pertaining to the lifecycle of the products and services
offered by that organization (most often limited to regulatory compliance considerations),
but the entire spectrum of risks inherent in the broader environment in which that
organization conducts business. Risk management is applied to the people, process,
technology and data in use in the Life and Health Science community today.
The Risk Management chapter provides a framework of best practices, along with tools,
example standard operating procedures (SOPs) and sample use cases to assist Life and
Health Science organizations in identifying applicable risks. Included in the best practices
framework are recommendations of key elements of an effective risk governance
structure.
At the conclusion of this chapter, IT professionals who serve and support the Life and
Health Sciences Community will be able to incorporate the recommendations, best
practices, SOPs and tools into their organization’s governance structure and overall risk
management program.
It is important to note that this chapter does not tell the reader which risks are important
or which risks to address. However, this chapter guides organizations in making informed
decisions to manage their unique circumstances.
1.5.3. Training and Practices
The Training and Practices GIP chapter contains the suggested guidance for designing,
delivering, evaluating and documenting training critical to deploy GIP practices. This
chapter details how to ensure and demonstrate that all individuals (employees, temporary
staff, contract workers, and consultants, etc.) are qualified to perform their respective
duties in accordance with GIP practices.
Documenting requirements for training and the best practices for designing, delivering,
evaluating and documenting each individual’s training is a compliance requirement.
Management is responsible for confirming that all staff have the necessary knowledge and
skills. They must additionally prove individuals’ abilities to perform their jobs and that
their positions are aligned with specific job and functional role descriptions. Qualifications
and records attesting to proficiency when following a standard operating procedure must
be proven. This is often referred to as Training Records Management certifications.
Training is a dynamic process that must be continually evaluated to ensure the training
programs and associated materials keep pace with job requirements and performance
expectations. This chapter will provide the Life and Health Sciences community specific
guidance for creating, implementing and maintaining an effective, compliant training
program that is risk-appropriate and aligned with the needs of the business and GIP
practices.
1.5.4. Process Management
People run the processes and processes run the business. In parts of the organization that
manage IT, this is particularly true. System lifecycles, change control, service management,
delivery and support are all examples of processes that manage technology.
These processes have traditionally been hard to adopt for IT organizations. One of the
reasons for this is that the IT Organization’s traditional role has been seen as reactive and
non-value-added. In today’s environment, where systems must be reliable and robust, the
undocumented (i.e., not captured in an SOP) knowledge of one IT employee about a critical
process that runs the business creates risk that is unacceptable in the Life and Health
Sciences community.
The Process Management chapter provides IT Organizations and practitioners with
consistent, reliable guidance on how to implement quality-driven processes that make
sense to IT and are effective. Included in this chapter will be examples of processes that
enable IT organizations to be innovative, cost effective and compliant.
1.5.5. Architecture
Architecture is the conceptual design and fundamental operational structure of a computer
system.
This chapter discusses Architecture as a discipline for Good Informatics Practices. In Life
and Health Sciences, architecture is applied both internally to the corporate IT Ecosystem
as well as to how the IT Ecosystem interacts with its external environment within and across
organizations.
Architecture operates on a variety of levels in Information Management, from business
strategy and industry standards, through operational processes and infrastructure design,
to the smallest components of internal hardware and software systems.
The use of Architecture as a principle in Life and Health Sciences IT/Informatics is essential
to achieve strategic as well as operational and tactical goals, and in many ways underlies
the core concept of best practices in Information Technology. Architectural processes
address high level organizational and IT goals in tuning technology designs, prioritization
and organizational capabilities to align to and meet the changing needs of the business
throughout the organization’s lifecycle. On an operational level, use of quality
architectures greatly increases the effectiveness of the technology organization by
reducing the difficulty of design, installation, and maintenance of systems and data.
Examples of architecture include:
Business Architecture (Enterprise Architecture): business process and plans are
identified, and technology underpinnings and strategic planning aligned to them. In
organizations where Enterprise Architecture is used as a discipline, proactive
technology solutions are designed to meet existing and planned business, industry
and regulatory requirements.
Systems architecture: technology platforms and business processes that contain
information are designed in a structured, layered fashion to ease development and
allow robust operation, interfacing and administration. Goals typically include
standardization of platforms and integration points to facilitate common
compatibility, economies of scale and reduction in risk and cost. Examples in
technology platforms include the selection of equipment standards, design of network
topologies, and the concepts of multi-tiered architectures, such as in web applications
and lab systems. Examples in information-centric processes include manufacturing
disciplines used in medical products, such as ISA-S95 and S88, where business scopes
are hierarchical and coupled for maximum throughput and flexibility.
Software architecture (internal systems architecture): a best practice serving the
technical design of systems within a software or system development lifecycle (SDLC).
Architecture in this context includes the selection of languages, design of interfaces,
and use of design patterns in initial and ongoing development iterations.
Data architectures: include design and development of the logical and physical
mapping of data in databases, use of metadata in driving logic, and adoption of
standardized terminologies. Key outcomes of software and data architectures include
speed and quality of development, ease of analyzing, testing and addressing risk in
complex systems, the matching of systems to business domain, and the longevity and
robustness of interfaces between components and systems.
1.5.6. Infrastructure / Cloud
Infrastructure is defined as the supporting technologies and operating environments that
enable business information systems to operate successfully. Trusted infrastructure is the
basis for trusted information systems. In today’s evolving technology landscape, costly
infrastructure purchases are being deferred or augmented with “Cloud” resources.
While these solutions are often quite effective and affordable, issues arise when the
systems must be trusted to perform Life and Health Science functions and pass audit.
Vendors, auditors and clients must have a common framework upon which to leverage
trusted “Cloud” and on-premise resources. This common framework must account for the
flexible nature of Cloud computing and the strenuous quality requirements of validated
systems while maintaining continuity with traditional on-premise solutions.
The Infrastructure / Cloud chapter provides organizations with the guidance necessary to
be confident that the infrastructure in use is appropriate and correctly qualified for its
intended use. This chapter will address infrastructure purchased and installed by
organizations (on-premise), cloud (collocated, hosted, IAAS, PAAS) and hybrid
(on-premise/cloud) models and provide effective guidance for organizations, service providers
and auditors to architect and operate trusted infrastructure.
1.5.7. Application Management
The alignment of an organization’s application portfolio with the organization’s
prioritizations is a rapidly evolving area of IT. The IT landscape is expanding with
companies adopting one or more of the application development and hosting strategies of
outsourcing, offshoring, in-sourcing, consolidating, etc. A means of rationalizing the
portfolio and its value proposition becomes even more complex when compliance and
other Life and Health Science specific considerations are incorporated.
The Application Management GIP addresses an organization's lifecycle management for
software applications and provides a knowledge framework for the IT professionals who
serve and support the Life and Health Science community. Industry best practices are
presented for managing the Total Cost of Ownership (TCO) as well as the business value of
the applications portfolio for the Life and Health Science community.
1.5.8. Data Management
Data Management in Life and Health Sciences is truly a matter of life and death. From
molecule to population, a wide range of stakeholders has interest in data: researchers
discovering new products and methods, physicians prescribing treatment for their
patients, and of course, patients and their families, regulators, hospitals, insurance
companies, and many more. Information technology evolutions provide new capabilities
while also creating new challenges. Mergers, acquisitions, divestitures and partnerships
result in further data requirements and complexities.
Today there is a lack of consistency in data standards and practices across companies and
industries within Life and Health Science. Further there are competing forces, such as
protection of intellectual property, accessibility, privacy, and regulatory compliance that
can make the data manager’s job in this field an extremely challenging one. Until now,
there hasn’t been one place for interested parties to quickly and effectively identify best
practices and standards related to this industry.
Some of the areas this chapter addresses are current data management standards, best
practices and methodologies for metadata, storage, retention, structured and
unstructured data, interoperability and data exchange. By having a good understanding
and methodology for addressing these areas, the stakeholders will gain more useful data,
find and access it quickly, and trust its accuracy to be able to make better decisions and
get actionable information useful to their work.
1.5.9. Validation and Verification
Validation and Verification (V&V) GIPs are a set of good practices and guidelines to
ensure that the people, processes, technology and data used to support medical
products throughout the product lifecycle maintain pre-determined specifications for
quality and applicable regulations based on the intended use.
The V&V chapter will provide an understanding of best practices, along with tools and
example standard operating procedures to assist Life and Health Science organizations
to comply with their regulatory compliance requirements.
The V&V chapter provides concepts and methods for organizations to scale the rigor
and level of detail based on their business, regulatory and safety risks. Organizations
whose business scope is within the molecule-to-patient lifecycle will be able to make
use of these V&V best practices and concept materials and to incorporate them as part
of their overall quality program and processes.
The V&V chapter also lends itself as a knowledge framework for the IT professionals
who serve and support the Life and Health Science industry and need to expand their
skills to meet the customers’ regulatory expectations.
1.5.10. Security
Security GIP applies to all aspects of the people, processes, technology and data in the
Life and Health Science community. The security GIP will address the risks,
confidentiality, integrity and availability of the pertinent data and systems related to
medical products and services. The stakeholders for this chapter include corporate IT
organizations responsible for addressing such data and systems. They will use the
security GIP content to determine how to appropriately secure data and systems in
concert with applicable regulatory standards to protect the integrity and confidentiality
of subject matter data for patients.
The application of the security GIP can identify deficiencies in transformation of the
products, services and data. They will be able to guide the stakeholders to proactively
anticipate similar scenarios and apply the appropriate controls to benefit the target
cases with precautionary measures to avoid risks.
1.5.11. Program and Project Management
The project management best practice has proven to be more effective and has yielded
greater documented results in recent years. It is also evident that this methodology
when applied in Life and Health Science does not run in the same linear time cycles as
Information Technology. We do have the responsibility to synchronize the development
process beyond production and into patient related care activities and results.
It is important to understand as the ultimate stakeholder that we own the responsibility
for the discovery or invention of the product or device through the development
process and beyond. An efficient management of all phases of Life and Health Science
can significantly impact the viability of medical products or devices.
The role of demonstrated program and project management methodologies is an
important one. In fact, this responsibility can even continue long after the product or
device has received regulatory approval and been marketed – a period of time that
exceeds the lifecycle of practically every IT project. The benefit of the project
management methodologies and processes is realized through an end-to-end
relationship with the Life and Health Science community.
1.5.12. Electronic Submissions
The Life and Health Science industry is encouraged by many public health government
agencies [6][7] to utilize electronic submissions of human clinical research and market
approval applications for medical products and even veterinary medicine [8]. It is clearly in
the best interest of the Life and Health Science industry to strongly support this
efficiency improvement. The US Food and Drug Administration (FDA) is building an
Electronic Submissions Gateway (ESG) as an Agency-wide solution for accepting
electronic regulatory submissions [9]. HIMSS & LSIT believe a global gateway is on the
horizon and will collaborate with government agencies and industry to assure this
process is expedited and harmonized to bring further efficiency worldwide.
[6] http://esubmission.emea.europa.eu/
[7] http://www.fda.gov/Drugs/GuidanceComplianceRegulatoryInformation/Guidances/ucm064994.htm
Regulatory Affairs, Privacy and Security Officers, Clinical Development and IT leaders are
some of the stakeholders who are relying on learning best practices for electronic
submissions of medical product applications to the US FDA and international public
health government agencies. This chapter will address the regulatory requirements of
eCTDs in such areas as labeling, patient data management, and clinical study
applications, HIPAA, language and file structure, as well as generally accepted software
applications used by the US FDA and others.
One will have a better understanding of the systems requirements and procedures for
most types of e-Submissions allowing for expedient regulatory review/response and
processing.
Labeling
Clinical Study Applications
Patient Data Management
Product Approval Submission Documents
IND, NDA, SNDA, etc.
Market Approval Applications
Sales Communications
Marketing Communications
Product Problem Management
Recall Management
[8] http://www.fda.gov/AnimalVeterinary/DevelopmentApprovalProcess/ElectronicSubmissions/default.htm
[9] http://www.fda.gov/ForIndustry/ElectronicSubmissionsGateway/default.htm http://www.fda.gov/downloads/Drugs/DevelopmentApprovalProcess/FormsSubmissionRequirements/ElectronicSubmissions/UCM229728.pdf
1.5.13. Computerized Machines and Instruments
This chapter provides an understanding of best practices, along with tools and example
standard operating procedures to assist Life and Health Science organizations to plan
effectively, implement efficiently, and operate computer based or computer related
systems and equipment within regulatory expectations. It discusses subjects and
topics related to planning, design, implementation, operations and maintenance of
computer based or computer related systems and the equipment utilized. Examples
include computer based lab instruments or manufacturing equipment.
Topics include the effective management and efficient operation of IT infrastructure
systems (network, access control, change control, configuration management, etc.) in
support of regulated and other risk-averse environments.
This chapter is intended for IT professionals who serve and support the Life and Health
Science industry where computer based or computer controlled systems and equipment
are utilized, and for IT professionals who need to expand their skills to meet the
customers’ regulatory expectations.
Business managers (lab, operations, manufacturing, etc.) or others involved in planning,
design, implementation, operations and maintenance of systems where computers
(computer based or computer related systems and equipment) are utilized may also find
this chapter helpful. Examples include clinical laboratory, quality control laboratory,
meteorological laboratory, and manufacturing operations.
1.5.14. IT Strategy
The stakeholder for this chapter is anyone responsible for corporate and IT strategic
planning, budgeting and aligning IT with the organization’s business objectives. IT
Strategy addresses what it means for IT to be an enabler for the overall corporate
strategic plan. Developing strategic objectives for a long term and near term
perspective will help one to be responsive to advanced/leading edge technologies and
future trends and proactive in making good decisions for pursuing that technology or
not. By having an IT strategic plan, one can align with the business and corporate
objectives, deliver good IT governance and stay contemporary. Using the Risk Based
decision-making and Risk-based prioritization approaches will assist the stakeholder to
analyze and evaluate advanced technologies with a practical and quantitative focus as
well as a focus on quality. Some of these leading technologies include RFID, Sensors,
Wireless, Cloud, and other devices. This chapter will prepare one to make purposeful
decisions in planning for the future and identifying systems in an IT architecture
platform that is capable and scalable to refresh and incorporate these technologies
more proactively.
Appendix A - Glossary
Appendix B - Index
Together, these GIPs offer a framework that can be leveraged by each organization
based on their specific situation and risks to provide guidance and examples that
illustrate a practical set of best practices that can be implemented.
Acknowledgements
Special Recognition:
Elaine Wuertz, Elizabeth Kennedy, Anette Asher, Beth Everett Ph.D., Howard Asher
Go Team:
Linda Speake, John Kim, Anette Asher, Steven Fouskarinis, Cathy Francis, Gabor Fulop, Oscar Ghopeh,
Kimberly Green, Summer Harriff, Ph.D., Robert Sturm, Mark Vilicich, Ford Winslow
Technology Advisory Board:
Andrew Jacobson, Ph.D., Cliff Baker, William J. Branan, Monica Cahilly, Bikash Chatterjee,
Leslie Cirillo-Plante, Jason Cooper, John Kim, Paul Laskin, John McNeil, Richard Siconolfi, Linda Speake,
David Spellmeyer, Ph.D., Mark Vilicich, John F. Murray, Robert D. Tollefsen.
Industry Advisory Board
Ford Winslow, Kyle Brown, Michael J. Doyle, Michael Elliott, Keith Glassford, Greg Horowitt, Donald
Jones, Jeanine Martin, Steve Romeo, Dr. Michael R. Stapelton, Nicholas Ventresca
LSIT Board of Directors
Beth Everett Ph.D., Andrew Jacobson, Ph.D., Paul Allen, Anette Asher, Terry Schmidt DrHA, Andy Spinks,
Greg Caressi, Alan Edwards, Steven Fouskarinis, Charles Jaffe, MD, Ph.D., FACMI, Howard Asher, Paul
Laskin, Gerry Martin, Jonathan Morris, M.D., Geoffrey Odell, Ford Winslow
LSIT Founders
Anette Asher, Alan Edwards, William J. Branan, III CMC, Howard R. Asher, Edward Holmes, M.D., Ward
Fleri, Ph.D., Bart McDermott, Jay Kunin, Ph.D., Paul Laskin, Phil Bourne Ph.D., Gerry Martin, Jonathan
Morris, M.D., John C. Reed, M.D., Ph.D., Geoffrey Odell, Elaine Wuertz (1959-2009)
Vera Pardee, Jacqueline Townsend, Mark Miller Ph.D., Greg Horowitt, Benny Chien, Dr. Michael R.
Stapleton
Corporate Sponsors
Pfizer, Novartis, Amylin, Abnology, Salient Networks, Frost & Sullivan, Nodality, UniConnect,
Mission3, Biocom, DBM.