Compliance in the Cloud – and why you should care

This morning at the Drug Information Association Annual Meeting in Boston, Microsoft and our partners took the wraps off some whitepapers that at first glance would seem only applicable to techies at pharmaceutical companies.  And to some degree that is correct.  But this is important for patients as well.  So, it begs the question: why should you care?

Let’s deal with that question for patients first.

Microsoft is a provider of cloud services – services that can be provisioned quickly to users without a lot of up-front costs.  Think of Outlook/Hotmail, Skype and SkyDrive which you use at home, but for companies.  Exchange, Lync and SharePoint.  Perhaps the same applications you use in your workplace.

But in the pharmaceutical world – as in the rest of healthcare – it takes on a bit of an edge.  Regulations.  Compliance.  Patient Privacy.  Data Security.  Making sure the data surrounding a new drug is secure, valid.

Think of every patient who has participated in a clinical trial to see if a new drug will work.  All that information surrounding every patient in every clinical trial should be protected to the degree that regulators decide.

So to help pharmaceutical companies do that – to help them comply with FDA and EU regulations – Microsoft has worked with third-party reviewers (Montrium) to show how our cloud environments, namely Windows Azure &  Office 365, especially SharePoint Online, can be GxP qualified.  We’ve worked with systems integrators (Paragon Solutions) to show how SharePoint can be configured to comply with FDA 21 CFR Part 11.

And that’s why Microsoft works with pharmaceutical companies and what it means for patients: we provide pharma companies with software and services that help them comply with those regulations from the FDA, to help them bring drugs to market faster, cheaper and safer.

And here is the kicker: We’re the only major public cloud vendor – combined across all the cloud varieties – to have their cloud GxP qualified!


Now since this is a blog about Microsoft architecture and compliance, we do need to get a little technical and talk about regulatory issues and we’ll start with a statement:

Microsoft Qualifies, the Pharma Company Validates.

What that means is quite simple: the vendor (Microsoft) is responsible for providing documentation on how the given system is tested, how it can be compliant with specific regulations, providing documentation of all the processes and procedures used to provide a quality system (i.e. qualification), while the implementing party is responsible for testing the system against their requirements, against their needs, against the regulations (i.e. validation).

To make it easier for Life Science companies who want to qualify the Microsoft cloud environment and use it for validated applications, we’ve worked with a third-party reviewer to draw up qualification guidelines.  They can be found at our DIA SkyDrive site.




The practical (architectural) implications of this are pretty cool – now that we have a qualified environment, we can host validated applications across a wide variety of services, and offer the validated applications that those services make available:

| Cloud Service Type | Infrastructure as a Service | Platform as a Service | Software as a Service |
| --- | --- | --- | --- |
| Microsoft Environment | Windows Azure IaaS | Windows Azure PaaS | Office 365 |

Application Types:

* Virtualized Applications
* Virtualized Databases
* Virtualized Servers
* Cross Platform Virtualized Support
  * Windows
  * SQL Server
  * Oracle
  * Linux
* Adverse Event Reporting
* Patient Engagement
* Drug Research
* High Performance Computing
* Virtual Clinical Trials
* Chronic Condition Management
* Medication Adherence Management
* Clinical Trials Management
* Regulated Document Management


Part 2 of this announcement is something we’ll go into in greater detail in the next blog post: not only have we qualified the environment, but we also provide guidance on how to configure SharePoint 2013 for 21 CFR Part 11 compliance.  For more information on that – see the next blog post – or check out the Whitepaper itself at


On Premises compliance with SharePoint 2013

Qualification in the Cloud

Pretty cool!

As always, comments appreciated!

Comments (2)

  1. Bill Mincey says:

    I see reference to FDA regulations, but no mention of HIPAA. Are our cloud services now HIPAA compliant as well?

  2. Bill Mincey says:

    Not seeing any mention of HIPAA here. Does this relate?
