As costs mount in the life sciences industries, regulatory compliance can often be a second thought for companies breaking into the industry.
But sidelining these functions early on can be a critical mistake. Failure to conduct early due diligence can lead to major setbacks at critical stages of a pharmaceutical company’s development, from clinical trials to IPOs.
To explore these issues further, GRIP spoke with Ravi Monangi (Founder & CTO) and Ethan Grammer (Senior Manager, Strategic Cybersecurity & Infrastructure Initiatives) of Celito Tech, a growth partner that provides strategic cybersecurity, compliance, and quality assurance functions to small and mid-sized biotech and life sciences companies. Founded by veteran biotech IT leaders, Celito specializes in providing fractional services that might not be cost-efficient to conduct in-house.
We discussed how industry participants should manage sensitive data transfers effectively and bolster cybersecurity protections. These issues were made even more salient by emerging policy changes expected to reduce regulation, prevailing uncertainty surrounding biotech investment, and the rise of sophisticated cyberattacks.
The focus of the discussion was how to uphold effective, cost-efficient standards that minimize risk and prevent early compliance mistakes in a company’s growth cycle.
Managing the data continuum
Monangi and Grammer noted the complex challenge posed by keeping sensitive data safe as it is maintained and transferred between institutions.
Lapses in that protection can create significant issues at the IPO stage, with the SEC becoming increasingly vigilant that companies accurately report cyber risks and security breaches.
“Sensitive data moves through a continuum of organizational systems, where it can be transformed,” Monangi said. “For example, if someone is participating in a clinical trial, they are likely visiting a hospital or doctor who either recommends or administers the trial medication. From there, the data is transferred from the point of care to outsourced research organizations hired by the sponsor companies to manage the trial.
“The sponsor company receives the data, which may include aggregated results, and ultimately, the data is submitted to health authorities. In that continuum, companies might raise funds and become public companies. If there is any breach or security incident that triggers the [SEC’s] security materiality [requirement], they would have to deal with SEC reporting.
“And when companies reach the commercial stage, they are usually going to be gathering a lot more protected health information from things like adverse events, from the patient services teams who are dealing with the patients directly, and with healthcare providers who are providing that patient’s information to help the company do more research on whether their drug is having a potential issue. So, throughout the entire life cycle, there’s a lot of points in time where the data needs to be secure.”
Grammer added: “As part of the SEC 10K filings that companies must submit, the cybersecurity section focuses on what the company’s risks are, how the company evaluates risk, and what procedures and individuals they have in place, whether they are insourced or outsourced.
“And when companies do quarterly and annual auditing, there are sections dedicated to cybersecurity. We saw at the end of 2023 that the SEC expanded those cybersecurity requirements to be more consistently reported than what they were previously.”
What regulators want
Grammer said: “At a higher level, ‘good’ to auditors and authorities means you have a process that’s defined, that’s documented, and that can be audited. Those are really the three big areas. And that process, because so many of these companies work with third parties, needs to be documented from the start of the relationship to the end, where both sides will have the ability to provide trails to the audits.”
Monangi added: “It’s important there is no misrepresentation and no fudging of information, and no fraud or waste in these processes. The FDA cares about whether there is any compromise on human safety. At the same time, regulators care if the company is making those health claims accurately.
“Regulators want to make sure about the chain of custody or the integrity of the data origin, the transformations it went through, the storage it went through, and what was submitted,” he said.
Monangi noted that life sciences industry participants often engage in off-channel communications and unintentional sharing of sensitive information. To counteract this, compliance teams need to be given visibility into these communications to make sure they adhere to regulatory requirements.
“Casual methods of transferring data are relatively common, especially among early-stage companies. Companies go with simplistic approaches instead of creating policies that ensure the system’s configuration is such that only the right people can access it. Celito often works with companies to ensure that data is stored and transferred in a secure and compliant manner while maintaining cost-effectiveness,” Monangi said.
Off-channel comms
“From the DOJ’s perspective, they’re clear that off-channel communications, if they’re a part of an organization’s policies, must be archived and audited. In the life sciences area, we see this primarily when businesses reach that point of having a sales force where they’re out kind of knocking the doors of healthcare providers. They are communicating a lot internally, but also externally. So, making sure that they’re not transmitting protected health information in a way that isn’t secure and that isn’t approved by the company is important.
“And from the FDA’s perspective and the HIPAA compliance perspective, it’s important that internal compliance teams have visibility over what’s happening in the organization, no matter the form of communication,” he said.
Monangi also noted the problem of decentralized internal policymaking, which can become increasingly problematic as the company grows. “In early-stage companies, I’ve noticed that governance rules are not always centralized. Often, business teams take control of the process and manage it in isolation. These siloed relationships within the organization mean there’s a lack of standardization when it comes to gathering data from all the Contract Research Organizations in a unified way and applying consistent security and privacy measures. This level of maturity in thinking typically doesn’t emerge until the company reaches a later stage.
“We advise that it’s much easier to implement good practices from the start. It’s best to design security measures early on rather than waiting until later stages by assuming there won’t be audits or that the odds of reaching phase three with their drug are low. Companies often think this way because they’re focused on keeping costs down and simplifying processes, but this just ends up bottlenecking those processes later.”
Managing third parties
Vendors can be a key point of risk for data security, and it is critical to manage them correctly, Monangi said. Vendors can create risks related to data accessibility and integrity, so maintaining explicit contractual agreements that spell out the required compliance standards is essential.
Monangi said: “At times, companies need to enforce standards with their vendors, as many of these companies rely on outsourced services. This can be achieved by incorporating clear expectations into the service agreements. Vendors are typically prepared to meet these standards; they just need to be explicitly requested or included in the contract to ensure compliance. If you address these needs after the fact, however, you may face additional charges.
“We’ve seen many cases where, once we get involved, companies reach out to their vendors, only for those vendors to claim it wasn’t part of the original contract and demand higher fees. This makes it harder to justify the cost and navigate business use cases. By doing it right from the start, you can avoid these issues and keep costs manageable.
“Engaging with us early allows us to help design the necessary policies and configurations for ingress and egress systems, ensuring a smoother, more cost-effective process.”
EU privacy regulations
Monangi and Grammer noted that American biotech and pharmaceutical companies are turning an eye towards Europe, known for its strong privacy and data protection laws.
Making sure that patient data handling is compatible with the EU General Data Protection Regulation (GDPR) before the decision is made to enter the European market is therefore a prudent undertaking.
“In the life sciences world, companies are expanding their clinical trials to Europe or global countries. They might usually start in the US if it’s a US-based company; they start the clinical trial in the US, but then they expand the clinical trial to European countries. That’s where regulations such as the GDPR kick in,” Monangi said.
Grammer added: “GDPR [compliance services] have become more and more popular as companies expand clinical trials to the EU more quickly than they have in the past. To [Monangi’s] point earlier, they may start in the US for a phase one trial, but for phase two or later phases, they may be moving to the EU or to Australia or Japan, which have completely different privacy regulations around data. Those are some of the main trending questions that we’re getting.”
Monangi added: “That’s where the informed consent forms are going to become important. Subject rights management is going to become important, data breach notifications: all these things will become relevant at that time.”
Room for improvement
The biotech sector is characterized by excessive physical documentation, Monangi said, and this can slow down processes and inhibit technological advancement. Many companies are still heavily reliant on manual workflows, which can divert focus from security risks.
“This is inefficient,” Monangi said, “which may be rendering them less able to focus on risk because they are held up by document-centric workflows or human-centric workflows, which require a lot of manual touch points. These methods are also not cost-effective. Change is happening, but it is very slow compared to other industries.”
Deregulation and the future
While deregulation may be occurring, the threat landscape remains strong, particularly for data protection, Monangi said. But regulatory changes should be expected in emerging areas like AI.
The COVID-19 pandemic accelerated the move towards decentralized clinical trials, and companies are designing trials with contingency plans to ensure resilience and continuity during disruptions, he said. Companies should also stay vigilant in protecting data from malicious actors.
“We might be seeing regulation loosening, but we’re not seeing a drop in the number of adversaries that are wanting to take advantage of companies’ data. That is a very real threat that still exists and is becoming increasingly popular. The need to protect intellectual property, patient data, internal employee data, will remain very real regardless of whatever regulation exists in the industry.
“There’s been a significant emergence of use cases, spanning from drug discovery, synthetic clinical trials, digital twins, agent therapy, and software as a medical device. While there are guidelines from health authorities, true regulations haven’t fully evolved yet. I was reviewing an article that highlighted the exponential growth in AI-enabled clinical trials, with a sharp increase in submissions from 2019 to now. The industry is actively leveraging cutting-edge technologies, and in this context, transparency is key.”
Industry participants want to tap into wearables and sensors to be able to run the trials more efficiently through decentralization. For a clinical trial, a patient can go to the nearest lab, or they may wear a device and communicate their outcomes. But these processes haven’t reached a stage where they are fully regulated. “The US created a draft guidance based on Europe’s AI Act, but more is still yet to come,” Monangi said.
Grammer added: “In the financial sector, for example, we’ve seen firms hit with large fines because they didn’t protect or audit their generative AI use. It’s feasible to think that we may see the same thing in the life sciences industry in a matter of time because to [Monangi’s] point, it’s becoming more and more desirable to use all these cutting-edge technologies.”