Introduction
Electronic records, forms, and digital signatures have become part of almost every Western company. The digital revolution is providing more and more companies with solutions to meet quality management and regulatory affairs compliance – digital solutions are paperless, easy to organize and maintain, and require fewer human resources.
However, digital products and signatures are more complicated to trace than paper systems, complicating things during safety issues or audits.
The US Food and Drug Administration (FDA) has implemented requirements for computer systems and traceability records as part of the 21 CFR Part 11. With the GDRP (General Data Protection Regulation, implemented in May 2018) in Europe, the EU market now also requires full traceability and the ability to create audit trails.
What is an Audit Trail?
Audit trails provide a record of all activities in a digital system so that any events can be reconstructed if necessary. The FDA describes an audit trail in their guidance on computerized systems used in clinical trials:
"A secure, computer-generated, time-stamped electronic record that allows reconstruction of the course of events relating to the creation, modification, and deletion of an electronic record."
Essentially, the audit trail is a document's revision history, demonstrating the document's complete history and actions taken. The audit trail describes who, what, when, where, and how, and any other relevant details for the record. Furthermore, detailed time stamps ensure that the accuracy and reliability of the document remain certain.
From a larger perspective, audit trails are a natural extension of Good Documentation Practices (GDP) commonly found in the pharmaceutical world.
Why are Audit Trails important?
Medical devices that incorporate electronic records and digital systems hold a lot of private and confidential information by their very nature. In clinical settings, any device that implements clinical data management systems or diagnostics aids retains a variety of patient information to provide appropriate patient care and healthcare.
Data access security is paramount as more and more companies outsource their digital systems and patient data management to third-party organizations. Even the largest and most profitable medical device companies do not make their own entire data management systems, they buy data and software solutions from specialized companies.
Likewise, the rise in health apps and collecting health data through electronic devices means electronic health data is collected at never-before-seen rates.
The audit trail exists to ensure the integrity of patient data from the get-go and to ensure any breach in data security can be adequately investigated.
Audit Trail Requirements
There are a few things to be aware of to ensure appropriate audit trails. In general, medical device manufacturers should consider the following points for their audit trail document collection and system:
Ensure audit trail security
It is only possible to establish and maintain an audit trail if it cannot be accessed and changed by anyone. Only authorized personnel should be able to access the audit trail system, make changes, and sign off on documents. Access should be limited to a few trustworthy members of the team.
Part of the aspect of controlling access is assigning digital signatures to any authorized personnel. The signature should be traceable through any document or record and include the signature type, i.e., whether the person is a reviewer, author, approver, or all three.
Implement a computer-generated audit trail
If people create the audit trail manually, the error margin is too high for it to be dependable. Therefore, the electronic system must automatically generate and store the audit trail.
Automate time-stamping
Every action/event performed in the electronic record should be time-stamped, including creating and modifying events, approvals, retirements, etc. The system should also allow free choice of the standard time zone, including UTC.
Verify user identity
Any users performing actions or events in the system should be identified and checked against authorized individuals to avoid unauthorized personnel accessing and modifying records.
Track performed actions/events
All changes and actions/events must be tracked. Every time a document is edited, revised, reviewed, approved, or retired, the action should be logged and stored in the audit trail. The audit trail record should also log the identity of the person performing the action and the date and time.
Furthermore, the audit trail should provide a complete revision history, i.e., a list of all document versions and a way to compare them.
Preserve previously recorded information
The audit trail shouldn't hide, overwrite, or obscure previously recorded information. Prohibiting users from overwriting or deleting records ensures the integrity of the record. Archiving or retiring records should be the only available options.
Retain audit trail documentation
Your audit trail info is useless if it is deleted every two weeks. You must store it for an appropriate period based on the information it stores and its purpose. This also means ensuring your data with backups and disaster recovery plans.
Ensure the audit trail is available for inspection
Probably the most critical point of all, your audit trail and all its records should be easily accessible, easily retrieved, and easily copied. Providing audit trail histories, as well as copy and export options, is non-negotiable.
Hot tip: your audit trail document collection can also be used to prepare for audits with your team before any audits have even been scheduled!
Privacy
In the EU, user privacy must be protected, and in practice, users should be pseudonymized in the system to ensure compliance with the GDPR minimization requirement. Data cannot be used to identify patients.
Challenges with digital audit trails
The main challenge to digital audit trails is maintaining cybersecurity. Most digital systems today are open or cloud-based, i.e., connected to a more extensive network. Especially larger multinational companies face the need to work across borders in their digital strategies. Cybersecurity attacks are becoming more frequent, and hackers are becoming more skilled at gaining data access. Once a system is breached, it stops complying with data integrity requirements. Any audit trail software or system must be protected against hacking and cybersecurity attacks.
Similarly, employees also pose a risk to audit trail systems. Sharing passwords and login credentials are more common than you would think, especially in staff needing a vacation or being out sick. A common way to combat credential sharing is by providing community system access. However, staff must still be individually recognized within the system – otherwise, the traceability of the individual actions is lost.
The third most common challenge of audit trails is failure to review the audit trail frequently enough. Any audit trail system should be reviewed to ensure records are accurate and error-free. The review should happen frequently enough to ensure the system is always maintained adequately and by the right people to ensure errors and gaps are correctly identified.
