3655 Nobel Drive, Suite 650, San Diego, CA 92122 | parallel6.com | +1.619.452.1750
Parallel 6 INC Corporate Data Sheet
Parallel 6 is a Software as a Service provider of mobile enrollment, engagement, and eCOA
solutions for clinical research, health, and public sector organizations. Clinical Reach, the patented
flagship product, is a multi-language, multi-country end-to-end solution that empowers clinical trial
participants to digitally qualify, consent, enroll, and engage in a clinical trial from the palm of their
hand and, when needed, in the privacy of their own home. Using any Internet-enabled device, Clinical
Reach eliminates the delays, errors, and myriad issues presented by data dispersed across
voluminous emails, reports, spreadsheets, and reams of paper documents. Government Reach, the
Federal rebranding of Clinical Reach, has been successfully deployed in several high-profile
government programs and initiatives.
“Clinical Reach transforms conventional clinical trial engagement into truly virtual, hybrid, and site-
based clinical studies in multi-language, multi-country configurations anywhere in the world.” said
President and CTO | Founder of Parallel 6, David Turner.
Key Technical Specifications:
The Clinical Reach platform is a cloud-deployed SaaS platform that is an end-to-end, patient-centric
solution for patient enrollment, engagement, data capture, and reporting using a ‘Bring your own
Device’ philosophy. Deployments of the solution have been primarily in the Amazon AWS HIPAA
cloud as well as the secured Federal cloud. Locations of deployment in AWS include Virginia,
Oregon, Ireland, and Germany.
In summary, the Clinical Reach platform complies with and has been audited for the following:
• CFR Part 11
• EU Annex 11
• Safe Harbor
• DHS Initiated Security Scans
• Cleanroom and Code Audit Process
• AES Encryption Standards
• Encrypted data at rest and in motion
• Multi-Level access controls
• Multi-factor authentication
• Multiple security zones
• Backup and Recovery systems
• Auditable and validated SDLC and systems
Financial Summary:
Parallel 6 is achieving rapid growth in both revenues and contract backlog. Top line revenue doubled
from 2014 to 2015 and is expected to triple in 2016. Total contract value in 2015 was ~$8mm going
to ~ $30mm in 2016 with projected 280% growth in 2017.
Audited financials are available for 2014 and 2015 with an audited look back into 2013. Squar Milner
is the 3rd party auditor executing the audits.
Patent Portfolio:
The Parallel 6 patent portfolio below is projected to grow to 10 by the end of 2016. The patent
portfolio is managed in partnership with the law firm Procopio, Cory, Hargreaves & Savitch, LLP.
United States Patent 8,856,031 B1 – Oct. 7, 2014
SYSTEMS AND METHODS FOR OBTAINING AND USING TARGETED INSIGHTS WITHIN A DIGITAL CONTENT AND INFORMATION SHARING SYSTEM
Applicant: Parallel 6, Inc., San Diego, CA (US) | Inventor: David Wayne Turner, Jr., San Diego, CA (US)
United States Patent Pending – US Application Number 13/373,856 – Dec 02, 2011
SYSTEM OF INCENTIVE-BASED DIGITAL CONTENT AND INFORMATION SHARING PLATFORM THROUGH MOBILE TECHNOLOGY
Applicant: Parallel 6, Inc., San Diego, CA (US) | Inventor: David Wayne Turner, Jr., San Diego, CA (US)
United States Patent Pending – US Application Number 14/738,766 – Jun 12, 2015
SYSTEMS AND METHODS FOR MANAGING AND CONDUCTING CLINICAL OR OTHER RESEARCH USING A DIGITAL CONTENT AND INFORMATION SHARING SYSTEM
Applicant: Parallel 6, Inc., San Diego, CA (US) | Inventor: David Wayne Turner, Jr., San Diego, CA (US)
United States Patent Pending – US Application Number 14/214,653 – October 23, 2014
SYSTEMS AND METHODS FOR RECRUITING AND MATCHING PATIENTS FOR CLINICAL TRIALS
Applicant: Brad Pruitt, San Diego, CA (US) | Inventor: Brad Pruitt, San Diego, CA (US)
United States Patent Pending – US Application Number 13/487,155 – June 1, 2012
SYSTEMS AND METHODS FOR AUTOMATED INFORMED CONSENT
Applicant: Brad Pruitt, San Diego, CA (US) | Inventor: Brad Pruitt, San Diego, CA (US)
Corporate Statistics:
Legal Name: Parallel 6, Inc.
State of Incorporation: DE
Date of Incorporation: 10/29/2009
Type of Corporation: C-Corporation
CA SOS File #: C3299664
Tax ID #: 27-1283146
DUNS: 05-116-8604
Legal Corporate Address: 3655 Nobel Drive, Suite 650, San Diego, CA 92122
Fiscal Year End: December 31
Officers:
Chief Executive Officer: Allan Camaisa
President & CTO | Founder: David Turner
Chief Financial Officer: Alan Stewart
Secretary: Adam Blejski
Special Characteristics:
Small Business: Yes
Veteran Owned SB: Yes
Primary Partners:
Corporate Counsel: Procopio, Cory, Hargreaves & Savitch, LLP
Auditors: Squar Milner
Banking Relationship: Wells Fargo, Comerica
Parallel 6 INC – Quality Management System (POL-QA-001-1.0)
1. Purpose
The purpose of this document is to describe the Quality Management System (QMS) for
Parallel 6 (P6). The QMS is established and maintained; this document defines its scope and
describes how the elements of the quality management system interact.
2. Scope
The Parallel 6 QMS describes the Quality System of P6 located at 3655 Nobel Drive, Suite
650, San Diego, California 92122.
The P6 QMS is applicable to all levels of personnel, and all functions. This policy applies to all
personnel associated with the design, development, distribution, marketing and post-market
surveillance of any product produced by, or bearing a company name, trade name, or trademark
belonging to P6. P6 is responsible for the quality of, and meeting the applicable requirements for,
the products that it develops.
Organization charts that show the relationship of the organization to the corporate
management structure and the relationship of the various functions to each other are maintained
by P6. The corporate organization chart is posted on the P6 Google Drive.
3. Background
A quality management system is a formalized system that documents processes, procedures,
and responsibilities for achieving quality policies and objectives. A QMS helps coordinate and
direct an organization’s activities to meet customer and regulatory requirements and improve its
effectiveness and efficiency on a continuous basis.
4. Responsibilities
4.1. Executive Management
4.1.1. Ensures the establishment of quality management strategies by supporting the
implementation and maintenance of quality management systems, guaranteeing the
continual maintenance of their suitability and effectiveness.
4.1.2. Communicates to all employees the importance of meeting all requirements, including
customer, statutory and regulatory. The communication methods may include executive
management meetings, employee meetings, formal training, job descriptions,
performance reviews, bulletin board postings, memoranda, email notices and verbal
communication.
4.1.3. Ensures that the organization will identify resource requirements and provide resources,
infrastructure, and qualified personnel to establish and maintain the elements of the
Quality System. This includes internal or contracted personnel resources and those for
the performance of work and assessment and verification activities.
4.1.4. Communicates to the organization and maintains awareness of the importance of
meeting customer requirements, as well as regulatory and legal requirements.
4.1.5. Sets expectations, tone and visibility for quality and compliance, as well as effective
implementation of the Quality Policy.
4.1.6. Conducts management reviews.
4.2. Quality Representative
4.2.1. Ensures that the quality policy is appropriate for the organization and P6 customers.
4.2.2. Commits to comply with requirements and to maintain the effectiveness of the quality
management system.
4.2.3. Provides a framework for establishing and reviewing quality objectives.
4.2.4. Ensures quality objectives are communicated and understood within the organization.
4.2.5. Ensures quality objectives are reviewed for continuing suitability.
4.2.6. Reports to Management on the overall performance of the QMS and the need for
improvement on an annual basis.
5. Policy
5.1. Training
5.1.1. Documented procedures for identifying training needs and providing for the training of
all personnel performing activities affecting conformity to product requirements have
been established and maintained.
5.1.2. Personnel performing specific assigned tasks are qualified based on appropriate
education, training, and/or experience as required.
5.1.3. If employees do not have the required education and/or experience, the necessary
training is provided to ensure employees are competent to perform the assigned tasks.
5.1.4. The training provided is periodically assessed to determine its effectiveness.
5.1.5. Records of training and appropriate education or experience are maintained.
5.1.6. Employees within the organization have a clear understanding of their roles and
responsibilities within the company through training and as defined in specific work
instructions.
5.1.7. Job descriptions define each employee's general job requirements and are maintained
within training files for each employee.
5.2. Documentation
5.2.1. Quality management systems have been established, documented, and maintained as
a means of ensuring conformity to specified requirements. This includes the preparation
and effective implementation of documented quality management system procedures
and instructions, as required.
5.2.2. Quality System policies, procedures, forms, and template instructions have been
formally documented and maintained as defined in procedures.
5.3. Document Control
5.3.1. Documented procedures have been established and maintained to control documents
that relate to the requirements of the QMS.
5.3.2. Documents are in electronic media.
5.3.3. Documents and data are reviewed and approved for adequacy by authorized personnel
prior to issue.
5.3.4. Current revisions of appropriate documents are available on the P6 QA Controlled
Drive.
5.3.5. Invalid and/or obsolete documents are promptly removed from current directories.
Obsolete documents are identified to prevent unintended use.
5.3.6. Documents are reviewed as required, changes made when necessary by means of
Document Change Request Forms.
5.3.7. Changes to documents are reviewed and approved either by the original approving
function or by another designated function that has access to pertinent background
information upon which to base its decisions related to review and approval.
5.3.8. Altered or new text shall be identified in the appropriate attachments.
5.3.9. Procedures shall be established to describe how changes in documents maintained in
computerized systems are made and controlled.
5.3.10. P6 shall define the period for which obsolete copies of documents are retained.
5.4. Purchasing
5.4.1. Suppliers/subcontractors have been evaluated and selected based on their ability to
meet product and quality requirements including quality system and any specific quality
assurance requirements.
5.4.2. Suppliers/subcontractors are periodically assessed and product quality reviewed as a
means of controlling suppliers and subcontractors.
5.4.3. Control is dependent upon the type of product, the impact of the supplied
product/service on the quality of the final product and where applicable on quality audit
reports and/or quality records of the performance of suppliers/subcontractors.
5.4.4. Lists of acceptable suppliers and subcontractors are maintained.
5.4.5. Purchasing documents contain information that clearly describes the product to be
ordered.
5.4.6. This information includes (where applicable) type, class, grade, or other precise
identification, title or other positive identification and applicable issues of specifications,
drawings, process requirements, inspection instructions and other relevant technical
data, including requirements for approval or qualification of product, procedures,
process equipment and personnel, and title, number, and issue of any quality system
standard to be applied.
5.4.7. When it has been determined to verify purchased product/services at the
supplier/subcontractor, the purchasing documents specify these verification
arrangements and the method for release of product.
5.4.8. When specified in a customer contract, the customer or his representative may verify at
the supplier/subcontractor or upon receipt at P6 that product conforms to specified
requirements.
5.4.9. Verification by the customer does not absolve P6 of its responsibility to provide
acceptable product nor does it preclude subsequent rejection by the customer.
5.4.10. When customer or his designated representative elects to perform verification at the
supplier/subcontractor's facility, such verification is not used as evidence of effective
control.
5.5. Control of Nonconforming Product
5.5.1. Documented procedures have been established and maintained to ensure that product
that does not conform to specified requirements is prevented from unintended use and that
the individuals who have the responsibility and authority for the disposition of the
product are specified.
5.5.2. Control is provided for identification, documentation, evaluation, segregation (when
practical), disposition, and for notification to the functions concerned.
5.5.3. Documented procedures have been established, implemented and maintained for
dealing with actual or potential nonconformities.
5.5.4. The procedure defines the process for identifying and correcting the nonconformity and
action(s) taken to mitigate its impacts, investigating nonconformities, determining their
causes and taking actions in order to avoid recurrences.
5.6. Corrective Action and Preventive Action
5.6.1. Documented procedures for implementing corrective and preventive action have been
established and maintained.
5.6.2. Corrective actions are taken when corrective action requests are received from
customers, when problems occur in process, with product, process, or quality system.
5.6.3. The nonconformity identified is corrected, an investigation conducted to determine the
root cause, and an action implemented to prevent the recurrence of the nonconformity.
5.6.4. Results of the investigation and the corrective action taken are documented and
records maintained.
5.6.5. Follow-up is performed on corrective action responses to ensure that the corrective
action was implemented and effective in correcting the nonconformity.
5.6.6. Appropriate sources of information such as processes and work operations that affect
product quality, waivers, audit results, quality records, and customer complaints are
periodically reviewed to detect, analyze, and eliminate potential causes of
nonconformities.
5.6.7. The records maintained include the analysis performed in determining the preventive
action identified, the steps needed to be performed for implementation, the controls to
be applied to ensure it is effective, and the review to determine effectiveness of the
preventive action implemented.
5.7. Internal Audits
5.7.1. Documented procedures for planning and implementing internal quality and
environmental system audits to verify whether the QMS and related activities and
results comply with planned arrangements and to determine the effectiveness and
implementation of the quality management system have been established and
maintained.
5.7.2. Internal quality management system audits are scheduled on the basis of the status
and importance of the activity to be audited and are carried out by personnel
independent of those having direct responsibility for the activity being audited.
5.7.3. Results of audits are recorded and are brought to the attention of the personnel having
responsibility for the area audited.
5.7.4. Management personnel responsible for the area audited shall ensure that corrective
actions and necessary corrections on deficiencies found during the audit to eliminate
detected nonconformities and their causes are taken without undue delay.
5.7.5. Follow-up audit activities to determine implementation and effectiveness of the
corrective action taken are verified and recorded.
5.7.6. The results of internal quality audits are reported to the management representative for
inclusion in the management review.
5.8. Risk Management
5.8.1. P6 has established, implemented, and maintains a process for managing risk to the
achievement of applicable requirements that includes, as appropriate to the
organization and the product:
5.8.1.1. Assignment of responsibilities for risk management,
5.8.1.2. Definition of risk criteria (e.g., likelihood, consequences, risk acceptance),
5.8.1.3. Identification, assessment, and communication of risks throughout product
realization,
5.8.1.4. Identification, implementation and management of actions to mitigate risks
that exceed the defined risk acceptance criteria,
5.8.1.5. Acceptance of risks remaining after implementation of mitigating actions.
5.9. Continuous Improvement
5.9.1. Continuous improvement of the effectiveness of the QMS is evaluated through the use
of the quality policies, quality objectives, audit results, analysis of data, corrective and
preventive actions and management review.
5.10. Management Review
5.10.1. Management review is performed on an annual basis at a minimum to ensure the
QMS continues to be suitable, adequate, and effective.
5.10.2. The review shall include assessing opportunities for improvement and the need for
changes to the Quality Management System including the quality policy and quality
objectives.
5.10.3. Records from management reviews shall be maintained.
5.10.4. The input to management review shall include information on:
5.10.4.1. Results of audits, including assessments by external bodies,
5.10.4.2. Customer feedback, including customer complaints,
5.10.4.3. Process performance and product conformance,
5.10.4.4. Suppliers’ quality performance,
5.10.4.5. Status of preventive and corrective actions,
5.10.4.6. Follow-up actions from previous management reviews,
5.10.4.7. Changes that could affect the quality management system,
5.10.4.8. New or revised regulatory requirements,
5.10.4.9. Other relevant factors such as quality control activities, resources and staff
training,
5.10.4.10. Suitability of policies and procedures.
5.10.5. Review output
5.10.5.1. The output from the management review shall include any decisions and
actions related to:
a) Improvement of product related to customer requirements,
b) Resource needs.
5.10.6. Findings from management reviews and the actions that arise from them shall be
recorded.
5.10.7. Management shall ensure that these actions are carried out within an appropriate
and agreed timescale.
5.10.8. Management review results should feed into planning including the goals, objectives,
and action plans for the coming year.
5.11. Management Representative
5.11.1. A Quality Assurance Representative shall be appointed to ensure that the QMS is
established, implemented, and maintained.
5.11.2. The Representative is responsible for reporting to Management on the overall
performance of the QMS and the need for improvement on an annual basis.
6. References
N/A
7. Attachments
N/A
Parallel 6 | Clinical Reach | Information Security Posture
Proprietary and Confidential - Patents Issued and Pending
May 2016

The Clinical Reach platform is a cloud-deployed SaaS platform that is an end-to-end, patient-centric
solution for patient enrollment, engagement, data capture, and reporting using a ‘Bring your own
Device’ philosophy. Deployments of the solution have been primarily in the Amazon AWS HIPAA
cloud as well as the secured Federal cloud. Locations of deployment in AWS include Virginia,
Oregon, Ireland, and Germany.
In summary, the Clinical Reach platform complies with and has been audited for the following:
• CFR Part 11
• EU Annex 11
• Safe Harbor
• DHS Initiated Security Scans
• Cleanroom and Code Audit Process
• AES Encryption Standards
• Encrypted data at rest and in motion
• Multi-Level access controls
• Multi-factor authentication
• Multiple security zones
• Backup and Recovery systems
• Auditable and validated SDLC and systems
The following set of questions outlines the security posture of the Clinical Reach platform. These
questions were compiled from multiple security audits by different organizations, including both
Sponsors and CROs in the clinical trial sector.
Sponsor and CRO Security Audit Questions
SYSTEM SECURITY POLICY POL-IT-001
1. Does your company have documented information security policies in place?
a. Yes - Covered in P6 policies: POL-IT-001 System Security Policy and POL-IT-002
System Access Policy.
2. How frequently are your security policies updated to ensure the policies address new
threats and trends?
a. At a minimum every 6 months although updates can happen more frequently if
needed.
3. Have you designated an individual responsible for information security (herein after
referred to as Information Security Officer) within your organization?
a. Yes - Amit Chakradeo - Chief System Architect and Security Architect
20. Are all areas within company facilities that contain Sponsor Information locked when
not attended?
a. Yes - It is not foreseen that there will be any Sponsor Information stored or otherwise
available in the P6 facility. Data will be stored in the AWS HIPAA Cloud dedicated to
the Sponsor instance of the Clinical Reach Platform. The P6 facility is locked during
non-business hours.
29. Do you have documented acceptance criteria for Systems and Network Devices
before they are put into production?
a. Yes - The P6 IT manager performs the configuration and testing of newly added systems
and network devices.
30. Do you have documented hardening processes for Systems and Network Devices
that must be completed before they are put into production?
a. Yes - Deployed server instances are built from previously established P6 server
images taken from production systems. Customized Clinical Reach platform applications
are tested and installed on the deployed server instances and then made available to end
users.
31. Do all laptops, desktops and servers have properly configured commercial anti-
malware software installed and running at all times?
a. Yes - The P6 System Security policy (POL-IT-001 - System Security Policy) requires
this.
48. Are all systems that store, process, or transmit Sponsor information capturing
security relevant events in audit logs? (e.g., Databases, Firewalls, Directories, Servers,
Applications, etc.)
a. Yes
49. How long are the audit logs retained?
a. No fixed retention period - audit logs are retained indefinitely unless the client
specifies otherwise.
84. Do you have a documented policy that sets minimum cryptographic standards which
must be followed by all applications as well as networking and computing resources?
a. Yes - Data may be temporarily at rest on mobile devices and is encrypted using the AES-256 encryption algorithm. All data in transit is encrypted via SSL.
89. Do you have established processes and controls in place to ensure symmetric
encryption keys and asymmetric private keys are encrypted in transmission and storage and
are protected from unauthorized access?
a. Yes - These keys are kept in a restricted-access account in P6’s platform and mobile device software development repository.
94. Does all software installed on workstations, laptops and server systems undergo a
risk assessment and approval by your Information Security Officer (or delegate)?
a. Yes
SYSTEM ACCESS POLICY POL-IT-002
1. Does your company have documented information security policies in place?
a. Yes - Covered in P6 policies: POL-IT-001 System Security Policy and POL-IT-002 System Access Policy
6. Does your company have a process to ensure security requirements are adhered to
by all Related Parties before sharing Sponsor Information with them and before providing
access to your internal networks which store, process or transmit Sponsor Information?
a. Yes - Our process includes not only vendor audits but also security audits and all required artifacts, such as CDAs, followed by training.
17. Do you immediately terminate personnel access to computing and network
resources, facilities, and secure areas when an individual is no longer an employee,
contractor or subcontractor, or when they no longer need access?
a. Yes - Defined in P6 POL-IT-002 System Access Policy.
51. Do you have a policy which ensures only authorized individuals have access to
facilities, secure areas, and computing and networking resources?
a. Yes - P6 follows our System Access Policy (POL-IT-002)
52. Is management required to approve individuals’ access to all facilities, secure areas,
and Computing and Network Resources?
a. Yes - Requests for access to Parallel 6 systems and applications are made formally to the COO or designee per our System Access Policy (POL-IT-002).
53. Do you restrict each user’s access privileges to the minimum set required for the
performance of their job and only for the duration of the need of that privilege?
a. Yes - The level of security assigned to a user in P6’s information systems is based on the minimum necessary amount of data access required to carry out legitimate job responsibilities assigned to a user’s job classification and/or to a user needing access to carry out treatment, payment, or healthcare operations.
54. Does Management review and approve all requests for administrative or other
elevated privilege?
a. Yes - Any Parallel 6 workforce member can request a change of access. Review of such requests is the same as for initial assignments: by the COO or designee. (System Access Policy - POL-IT-002)
55. Are elevated privileges reviewed periodically and revoked when no longer needed?
a. Yes - Review is performed by the COO or designee. (System Access Policy - POL-IT- 002)
56. Are passwords, PINs, shared secrets, and other authentication information always
encrypted (or hashed) in storage and transmission?
a. Yes - Passwords are never in the clear anywhere in the system. All data at rest is encrypted using AES 256. All data in transit is encrypted via SSL.
57. Are passwords and PINs delivered in a confidential manner that requires the recipient
to prove his or her identity before receiving the password or PIN?
a. Yes - Each workforce member has and uses a unique user ID and password that identifies him/her as the user of the information system. Each Customer and Partner has and uses a unique user ID and password that identifies him/her as the user of the information system.
58. Are temporary passwords and initial passwords and PINs required to be changed
upon first use?
a. Yes - This is standard operating procedure for best practice implementation.
59. Are all default passwords changed during or immediately following the completion of
hardware or software installation?
a. Yes - Default accounts on all production systems, including root, are disabled.
60. Consider all authentication credentials under the control of an individual (passwords
and PINs to user accounts, shared accounts, and service accounts). How soon after
resignation or termination are these authentication credentials changed or disabled?
a. Immediately - A terminated user’s access rights are revoked immediately upon notification.
61. Do you limit the use of your network to only those individuals (employees, contractors
and other users) who have business need for access?
a. Yes - The level of security assigned to a user to the organization’s information systems is based on the minimum necessary amount of data access required to carry out legitimate job responsibilities assigned to a user’s job classification and/or to a user needing access to carry out their job duties. All access requests are treated on a “least-access principle”.
70. Is access to applications or systems that store, process, or transmit Sponsor
information disabled after 180 days of non-use?
a. Yes, through a manual process - The Systems Engineer audits and will terminate access of users that have not logged into organization’s information systems/applications for an extended period of time (configurable). (System Access Policy - POL-IT-002)
71. Choose the closest representation to your minimum requirements for user password
length and complexity.
a. On all production systems and applications in the Parallel 6 environment, password configurations are set to require that passwords are a minimum of 8-character length, 90-day password expiration, account lockout after 5 invalid attempts, password history of last 4 passwords remembered, and account lockout after 15 minutes of inactivity. (System Access Policy - POL-IT-002)
73. Do mobile devices require passwords/PINs with a length of a least 6 characters
before allowing access to Sponsor information?
a. Yes - Access to systems is controlled using centralized user management and authentication. All authentication requests utilize two-factor authentication using mobile devices as the second factor. On all production systems and applications in the Parallel 6 environment, password configurations are set to require that passwords are a minimum of 8-character length. (System Access Policy - POL-IT-002)
74. Are individual PINs and passwords set to expire after no longer than 90 days?
a. Yes - 90-day password expiration (System Access Policy - POL-IT- 002)
75. When can the same individual password be reused?
a. After 5 changes - Password history of last 4 passwords is remembered. (System Access Policy - POL-IT-002)
76. Are accounts temporarily disabled for at least 15 minutes when five consecutive
attempts to authenticate fail within a 15-minute window?
a. Yes - Account lockout after 5 invalid attempts and account logout after 15 minutes of inactivity. (System Access Policy - POL-IT-002)
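The parameters given in the answers to questions 71 through 76 (8-character minimum, 90-day expiry, lockout after 5 failed attempts inside a 15-minute window, last 4 passwords remembered) can be made concrete. The following Python is an added illustration and is not Parallel 6's code. It assumes the remembered history includes the current password, so an old password becomes acceptable again on the fifth change, and it assumes PBKDF2-HMAC-SHA256 as the hashing scheme, which the page does not name; the account names and sample passwords are constructed for the walk-through.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Policy parameters as listed in the questionnaire answers.
MIN_LENGTH = 8
MAX_AGE = timedelta(days=90)
MAX_FAILURES = 5                        # consecutive failures before lockout
FAILURE_WINDOW = timedelta(minutes=15)  # failures older than this are forgotten
LOCKOUT = timedelta(minutes=15)
HISTORY = 4                             # remembered hashes, current password included
PBKDF2_ROUNDS = 100_000                 # assumed; the page names no hashing scheme


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so that neither current nor historical passwords are stored in the clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    history: List[bytes] = field(default_factory=list)      # oldest first; last entry is current
    changed_at: datetime = datetime.min
    failures: List[datetime] = field(default_factory=list)  # timestamps of recent failed logins
    locked_until: Optional[datetime] = None

    @property
    def current(self) -> bytes:
        return self.history[-1]


def set_password(acct: Account, new_password: str, now: datetime) -> str:
    """Apply the length and history rules; returns 'ok' or the reason for rejection."""
    if len(new_password) < MIN_LENGTH:
        return "too short"
    candidate = hash_password(new_password, acct.salt)
    if any(hmac.compare_digest(candidate, old) for old in acct.history):
        return "reused"
    acct.history = (acct.history + [candidate])[-HISTORY:]  # keep only the last HISTORY hashes
    acct.changed_at = now
    acct.failures.clear()
    acct.locked_until = None
    return "ok"


def create_account(password: str, now: datetime) -> Account:
    acct = Account(salt=os.urandom(16))
    result = set_password(acct, password, now)
    if result != "ok":
        raise ValueError(result)
    return acct


def verify_login(acct: Account, password: str, now: datetime) -> str:
    """Returns 'ok', 'expired', 'bad password' or 'locked'."""
    if acct.locked_until is not None and now < acct.locked_until:
        return "locked"
    if hmac.compare_digest(hash_password(password, acct.salt), acct.current):
        acct.failures.clear()
        return "expired" if now - acct.changed_at > MAX_AGE else "ok"
    # Count only failures inside the window, then record this one.
    acct.failures = [t for t in acct.failures if now - t < FAILURE_WINDOW] + [now]
    if len(acct.failures) >= MAX_FAILURES:
        acct.locked_until = now + LOCKOUT
        acct.failures.clear()
        return "locked"
    return "bad password"


def run_scenario() -> dict:
    """Deterministic walk-through of every rule; all inputs are constructed sample data."""
    t0 = datetime(2016, 5, 2, 9, 0)
    acct = create_account("Tr1al-Site9", t0)
    out = {
        "short": set_password(acct, "Ab1!xyz", t0),            # 7 characters
        "reuse_current": set_password(acct, "Tr1al-Site9", t0),
    }
    for i in range(1, 6):                                      # five wrong guesses, one per minute
        out["attempt%d" % i] = verify_login(acct, "wrong-guess", t0 + timedelta(minutes=i))
    out["while_locked"] = verify_login(acct, "Tr1al-Site9", t0 + timedelta(minutes=10))
    out["after_lock"] = verify_login(acct, "Tr1al-Site9", t0 + timedelta(minutes=25))
    out["stale"] = verify_login(acct, "Tr1al-Site9", t0 + timedelta(days=91))
    # Rotate through new passwords; the original is rejected until it ages out of the history.
    for n, pw in enumerate(["Rot8tion-1", "Rot8tion-2", "Rot8tion-3"], start=1):
        out["rotate%d" % n] = set_password(acct, pw, t0 + timedelta(days=30 * n))
    out["reuse_too_soon"] = set_password(acct, "Tr1al-Site9", t0 + timedelta(days=120))
    out["rotate4"] = set_password(acct, "Rot8tion-4", t0 + timedelta(days=120))
    out["reuse_allowed"] = set_password(acct, "Tr1al-Site9", t0 + timedelta(days=150))
    return out


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name:>15}: {result}")
```

Two design points are worth noting. The failure counter is pruned to the 15-minute window before each new failure is recorded, so five attempts spread over an hour do not trigger a lockout, which is the behaviour question 76 asks about, and a successful login or a password change resets it. Password history is compared as salted hashes with `hmac.compare_digest`, so the history can be kept without ever holding the old passwords in readable form, which is what question 56 requires.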
77. Are passwords and PINs suppressed from being displayed in readable form at any
time during entry (including those used for portable computing devices)?
a. Yes
78. Are passwords and PINs required to be changed at any indication of compromise?
a. Yes
79. Are passwords and PINs prevented from being cached at all times?
a. Yes
SOFTWARE UPDATE POLICY POL-IT-003
100. Do you have a policy which governs the maximum amount of time that may elapse
between the time a vendor supplies a critical security patch and the time it is applied to your
network and computing resources?
a. Yes - Patches are installed as soon as they are evaluated for relevance and need.
101. What is your maximum timeframe for applying vendor-supplied critical security
patches to User Systems?
a. Within 30 days or sooner based on threat evaluation.
102. What is your maximum timeframe for applying vendor-supplied critical security
patches to Internet-Facing Server Systems?
a. Within 30 days or sooner based on threat evaluation.
103. What is your maximum timeframe for applying vendor-supplied critical security
patches to Other Server Systems?
a. Within 30 days or sooner based on threat evaluation.
104. What is your maximum timeframe for applying vendor-supplied critical security
patches to Applications that store, process, or transmit Sponsor information?
a. Within 30 days or sooner based on threat evaluation.
105. What is your maximum timeframe for applying vendor-supplied critical security
patches to Network Devices?
a. Within 30 days or sooner based on threat evaluation.
106. Do you have a policy which governs the maximum amount of time that may elapse
between the time a vendor supplies a non-critical security patch and the time it is applied to
your network and computing resources?
a. Yes
107. What is your maximum timeframe for applying vendor-supplied non-critical security
patches to User Systems?
a. Within 30 days or sooner based on threat evaluation.
108. What is your maximum timeframe for applying vendor-supplied non-critical security
patches to Internet-Facing Server Systems?
a. Within 30 days or sooner based on threat evaluation.
109. What is your maximum timeframe for applying vendor-supplied non-critical security
patches to Other Server Systems?
a. Within 30 days or sooner based on threat evaluation.
110. What is your maximum timeframe for applying vendor-supplied non-critical security
patches to Applications that store, process, or transmit Sponsor information?
a. Within 30 days or sooner based on threat evaluation.
GITHUB, CHEF
8. Do you maintain an inventory of hardware and software assets which documents the
identification, ownership, usage, location and configuration of each item?
a. Yes - GitHub is used for configuration, versioning, and ownership of both Clinical Reach platform and mobile device development assets.
9. Are all hardware and software systems and components configured to a known
baseline configuration?
a. Yes - GitHub is used for configuration, versioning, and ownership of both Clinical Reach platform and mobile device development assets. Chef is our configuration management tool, focused on deployment and, in some cases, disaster recovery; it provides cloning capability as well as automated build preparation.
10. Do you maintain records of the baseline configuration of each system?
a. Yes - Baseline configurations are maintained using a combination of GitHub and Chef
11. Do you maintain documentation of configuration changes to each system?
a. Yes - Configuration reports can be generated from GitHub and Chef.
95. Are software updates and patches researched, tested and verified by appropriate
personnel before deployment?
a. Yes - Fixes for Critical and Major issues are applied immediately and deployed automatically to all servers using our Chef operations infrastructure within minutes of the software code being updated. Minor issues are typically fixed and scheduled for deployment in the next release cycle.
TRAINING MANAGEMENT SOP-QA-002
14. Have you established training programs to ensure that personnel understand their
responsibilities regarding information security?
a. Yes - Defined in P6’s Training Management Policy (SOP-QA-002)
15. How often is information security training performed and refreshed?
a. Performed within 90 days of Hire, Refreshed Annually - Training starts on employee’s first day at P6
BUILDING SECURITY SOP-OPS-001
18. Does your company implement physical access control mechanisms to ensure only
authorized individuals can access facilities?
a. Yes - Defined in P6 Building Security SOP (SOP-OPS-001).
19. Are data centers, equipment rooms, telecommunications closets, and utilities
physically protected so that only authorized individuals can access them?
a. Yes - P6 employs Amazon Web Services to support all deployable server configurations. Other equipment rooms, telecommunications closets, and utilities are physically protected by the mechanisms documented in the P6 Building Security Policy (SOP-OPS-001).
20. Are all areas within company facilities that contain Sponsor Information locked when
not attended?
a. Yes - It is not foreseen that there will be any Sponsor Information stored or otherwise available in the P6 facility. Data will be stored in the AWS HIPAA Cloud dedicated to the Sponsor instance of the Clinical Reach Platform. The P6 facility is locked during non-business hours.
21. How often does your company conduct inspections of the perimeter and all access
control mechanisms to provide assurance that all physical access control methods cannot be
bypassed?
a. Annually - Facilities are locked at the end of the business day or anytime when the suite is empty. We are located in a locked building on the 6th floor through an additional double locked door.
23. Do you use a badging system or any other approach to ensure that everyone within
your facilities can be immediately identified?
a. Yes - Personnel are stationed at the entrance to the P6 Suite. Visitors also sign in a visitor log at the front desk.
CHANGE CONTROL SOP-EN-004
26. Do you have a documented Change Management process and supporting
procedures in place to control all changes to Computing and Network Resources?
a. Yes - P6 has a change control policy, SOP-EN-004 Software Change Control, which can be extended to our network and AWS changes.
BACKUP & RECOVERY SOP-EN-005
33. Do you log data backup and recovery events?
a. Yes
32. Do you perform regular data backups on systems processing or storing Sponsor
Information?
a. Yes - All Clinical Reach client databases have full daily backups scheduled (See P6 procedure Backup and Recovery SOP-EN-005). Incremental restores are facilitated by AWS RDS point-in-time (PIT) restores. The AWS RDS PIT functions provide instantaneous restoration of data for any period within a sliding predefined time window.
34. Do you perform data backups immediately prior to any system upgrade or
maintenance activity?
a. Yes
35. If encrypted information is backed up, does it remain encrypted throughout the data
backup process?
a. Yes
36. Are data backups stored in a geographically separate, physically secure facility?
a. Yes - For customer data, Parallel 6 implements MySQL cluster for live replication and redundancy between two availability zones. One full daily backup is taken and placed on the backup server. The backup is shipped over VPN to DR region (Rsync over VPN). The DR site is restored with the latest backup as soon as transfer is completed.
37. How often is the ability to restore data backups tested?
a. Annually - For customer data backup, Parallel 6 implements MySQL cluster for live replication and redundancy between two availability zones. One full daily backup is taken and placed on the backup server. The backup is shipped over VPN to the DR region (Rsync over VPN). The DR site is restored with the latest backup as soon as the transfer is completed.
VENDOR QUALIFICATION SOP-QA-004
47. Do you have documented policies and procedures to protect Sponsor information
when shared with external entities?
a. Yes - This is covered in the Vendor Qualification and Management procedure SOP-QA-004.
SYSTEMS DEVELOPMENT LIFE CYCLE - SDLC SOP-EN-003
96. Do you have a documented System Development Lifecycle (SDLC) which governs
the development and deployment of systems and applications?
a. Yes - P6 System Development Life Cycle policy document (SOP-EN-003).
97. Does your SDLC incorporate activities and deliverables to ensure security
requirements are met?
a. Yes - HIPAA requirements are included in the platform's requirement set and are tracked from development through testing.
98. Do such activities include testing of interfaces among systems and systems
components?
a. Yes - New interfaces are tested as part of unit and system tests, with existing (previously developed) interfaces validated by regression testing using automated test scripts.
CORRECTIVE ACTION PREVENTIVE ACTION - CAPA SOP-QA-005
119. Do you have a formal security incident monitoring, reporting and response process to
identify, report, and appropriately respond to known or suspected security incidents?
a. Yes - Corrective and Preventive Action Management - SOP-QA-005 CAPA Management.
120. Does your security incident reporting process include providing notification to
Sponsor within 24 hours of any known or suspected compromise of Sponsor information (or
applications hosting Sponsor information)?
a. Yes - Client notification is called out in P6’s Corrective and Preventive Action Management procedure. (SOP-QA-005 CAPA Management)
121. Is the theft or loss of user systems (such as workstations or laptops) considered a
security incident, and does it follow your incident reporting process?
a. Yes
RISK ASSESSMENT SOP-QA-007
12. Do you have formally defined policies and practices for performing risk assessments
of software and systems?
a. Yes - See results of the risk assessment for Clinical Reach—Clinical Reach Risk Assessment.docx. Also P6 procedure Risk Assessment and Management (SOP-QA-007)
BUSINESS CONTINUITY SOP-OPS-003
122. Do you maintain an Information Systems Continuity of Business and Disaster
Recovery Plan (CoB/DR Plan) that will prevent catastrophic data loss and ensure timely
restoration of network and computing services in the event of system failure, damage or
destruction?
a. Yes - Business Continuity Plan SOP-OPS-003
PARALLEL 6 CONTROLLED DOCUMENTS
DOCUMENT # TITLE
F-CO-001-01 Compliance Incident Reporting Form
F-EN-004-01 Software Change Control Request Form
F-IT-002-01 System Access Request Form
F-QA-001-01 Document Change Request Form
F-QA-002-01 Read and Understand Training Record
F-QA-002-02 Instructor Led Training Record
F-QA-005-01 CAPA Report Form
F-QA-008-01 Non-Conformance Report Form
POL-CO-001 HIPAA
POL-CO-002 Privacy Rule
POL-CO-003 Hotline Policy
POL-CO-004 Complaint Handling
POL-CORP-001 Code of Business Conduct and Ethics
POL-CORP-003 Conflict of Interest
POL-CORP-004 Computer Fraud and Abuse
POL-CORP-005 Electronic Signatures
POL-CORP-006 Online Copyright Infringement
POL-IT-001 System Security Policy
POL-IT-002 System Access Policy
POL-IT-003 Software Update Policy
POL-OPS-001 Record Retention
POL-PM-001 Program-Project Management Policy
POL-QA-001 Quality Management System
SOP-CO-001 Compliance Incident Reporting
SOP-EN-003 Software Development Lifecycle (SDLC)
SOP-EN-004 Software Change Control
SOP-EN-005 Backup and Recovery
SOP-OPS-001 Building Security
SOP-OPS-003 Business Continuity Plan
SOP-QA-001 Controlled Documents
SOP-QA-002 Training Management
SOP-QA-003 Internal Audit
SOP-QA-004 Vendor Qualification and Management
SOP-QA-005 CAPA Management
SOP-QA-006 Creating and Using Electronic Signatures
SOP-QA-007 Risk Assessment and Management
SOP-QA-008 Non-Conformance Reporting
N/A Notice of Privacy Practices
PHARMATECHOUTLOOK.COM MARCH - 2016
Top 10 eClinical Trial Management Solution Providers 2016
Company: CLINICAL REACH BY PARALLEL6
Description: An innovative software as a service provider of mobile enrollment & engagement solutions for clinical research, health, and public sector organizations
Key Person: Allan Camaisa, CEO & Chairman
Website: parallel6.com
Clinical Reach by Parallel6
An Annual Listing of 10 Companies that are at the forefront of providing eClinical Trial Management solutions for the Pharma & Life Science Industry and impacting the marketplace
Recognized by Pharma Tech Outlook magazine as a Top 10 eClinical Trial Management Solution Provider
The progressive course of technology and digitization has left no stone unturned in the clinical trial industry. Clinical trials must comply with several regulatory mandates, are confined to strict timelines, and are often performed on large data sets of varying complexity. With legacy systems, there is always a risk of data inconsistency and delay in the dispatch of information, which can lead to flawed trials. Dictating innovation and efficiency, many companies have risen up in recent decades to underpin the eClinical trial management arena.
The advent of modern trial management solutions has greatly enhanced patient recruitment and monitoring processes. These comprehensive solutions start at the bottom of the clinical trial cycle, from dynamic data capture to trial migration and from centralized data hosting to historical data repositories, and go all the way up to drug approval. To complement these solutions, an array of turnkey solutions is surfacing in the market, including remote radiology, portable research kits, and mobile suites, which are paving the way for accuracy and rapid delivery of results.
In an effort to help clinical scientists set the stage for a digital trial management system, a panel of prominent CEOs, CIOs, VCs and analysts, along with Pharma Tech Outlook's editorial board, has assessed scores of eClinical trial management solution providers and picked out a list of prime choices. We have considered each vendor's ability to build solutions that can effectively and efficiently manage clinical trials and at the same time deliver consistent information.
We present to you Pharma Tech Outlook's Top 10 eClinical Trial Management Solution Providers 2016.
Pharma Tech Outlook, March 2016
The pharmaceutical and life sciences industry is undergoing a transformative shift triggered by the wide-spread adoption of digital health, mobile medical devices and technology platforms that are bringing improvements to medical and clinical research practices. However, the clinical research process for market approval of new treatments and devices is encumbered by complex long-term trials and strict regulations that have resulted in a shortage of qualified physician investigators and willing participants. To address these impediments, pharma and research companies seek befitting software solutions for clinical trial management to improve trial efficiencies, cut costs and critical errors, disseminate necessary data to the stakeholders, and increase the number of volunteers in clinical research. The California based firm, Parallel 6, is a provider of enterprise cloud and mobile technologies that works to enhance and support clinical research by harnessing the ongoing digital health revolution with its Clinical Reach platform. "Our solution reduces the burden of all stakeholders, and offers real-time operational metrics to drive trial efficiencies," says Allan Camaisa, CEO and Chairman of Parallel 6.
Clinical Reach is an mClinical (mobile clinical) platform for patient enrollment, engagement and retention in clinical trials. "Over the course of a clinical trial many participants forget to take their scheduled medication or physician appointments, the Clinical Reach mobile application connects the patient with their physician or care team," asserts Camaisa, "this empowers the patient to stay in control of their own tasks and remain in compliance with the clinical trial protocol." As most users prefer personalization in the trial processes, the Clinical Reach platform helps participants communicate with their physicians throughout the duration of the study on their preferred mobile devices (iOS, Android or Windows phones). The platform also allows a virtual clinical operations team to manage and monitor the entire trial with multi-site, multi-language, and multi-country capabilities, identifying areas of risk in real time.
As clinical trials become more virtual, the need to improve the patient experience and empowerment in the clinical trial has increased drastically. To serve this need, the Clinical Reach platform has added a new companion app to its suite of products, which drives clinical trial compliance by empowering the patient's invited family or friends to receive reminders for patient medication adherence and appointments. The platform also reduces the time and cost of patient recruitment for clinical trial sponsors and contract research organizations (CROs) through the nPruv recruitment module. The nPruv solution securely matches patients to trials and engages them both at the point of care and online, thereby improving the patient recruitment and enrollment workflow.
The Clinical Reach platform is HIPAA compliant and designed to encrypt data from the patient’s internet enabled device to the platform ensuring secure data transport at every stage of the qualification and enrollment process. “Aside from all the capabilities and benefits delivered to the users, our solution helps clinical trial stakeholders to digitally recruit, qualify, consent, engage, record, and manage clinical trial participants through our patented platform,” comments Camaisa.
Apart from the above, the Clinical Reach platform connects to all mobile technologies including medical devices, mHealth wearables, smart phones, smart watches, and other patient centric sensors and devices. “We are excited to see the momentum behind Clinical Reach, some of the largest pharma companies see that our platform gives clinical trial stakeholders the ability to securely view trial specific information, medication adherence reports, and eCOA in real-time. This means they have immediate access to the data they need to make informed decisions, faster, and empower patient experience at a reduced cost to the trial sponsor,” concludes Camaisa.
Our solution offers real-time operational metrics to drive clinical trial efficiencies
CLINICAL REACH BY PARALLEL6: Unleashing Clinical Trial Efficiencies
Allan Camaisa