SaaS vendor’s responsibilities
Extent of qualification
The vendor should perform an Installation Qualification (IQ) and an Operational Qualification (OQ), and these documents must be shared with the user. Given the coverage of testing and a suitable package, the user can understand the extent of qualification already performed.
The procedures followed, along with the evidence, must be made available for audit. Specifically, the software development life cycle, the change control process for upgrades, and any cases of automated deployment of configurations in the cloud should be presented for a customer audit.
SaaS products are like ice-cream cones. Each user might want custom-built add-ons and integrations to suit their taste or, in all probability, their purpose. These could be API extensions, or any suitable solution offered by the vendor. Do you think these should be qualified by the vendor or the user?
Provision of multiple instances for end user
To support the end user’s validation and the need for an exclusive cloud environment for any customizations or configuration changes, the vendor must provide separate development, validation and production instances.
The vendor would see how the application performs on the cloud in terms of how quickly it can be accessed, used and queried. A combination of timed and automated tests is usually done for this, to verify the performance of the application.
Among the many apprehensions of an end user, cloud security is one of the biggest. A solution that comes with a security feature will be preferred over one that does not. Providing visibility in terms of stats, metrics and insights into the services used would be of great help for an end user. For instance, AWS Security Hub is a collection of CloudTrail (a compliance-governing service), CloudWatch (a performance monitoring tool), Firewall Manager, etc. This way, Security Hub monitors and manages the overall cloud security aspects.
Based on a couple of recent consulting exercises, our cloud qualification and validation team assessed the above key aspects and, interestingly, in several discussions the end users were happy ticking away these parameters until it came to one more KEY aspect.
When evaluating a cloud-based solution for purchase, is it enough if a vendor checks all the above boxes? Can a simple checklist decide whether you are going to go all in?
End user’s responsibilities
Validation! Despite a qualification exercise performed by the vendor, the product must be verified for its intended use. From drafting the User Requirements and Validation Plan to closing out a Validation Summary Report, with documented qualification of the end user's configurations and a reassuring traceability matrix, the end user needs to validate the cloud-based solution.
The healthcare space has been a vast field with regulations laying down impermeable boundaries. With remarkable innovations changing global businesses, responsible use of systems may also require adopting an innovative strategy, without compromising on regulatory standards.