January 6, 2022

Why an integrated, digital cell and gene therapy (CGT) ecosystem protects patients and their privacy

Cell and gene therapies (CGTs) are modern, technologically advanced therapies that rely on a complex value chain for manufacturing and patient treatment. Patients are at the center of the CGT ecosystem, and protecting their safety and privacy is the number one priority. Digitally connected systems along the entire value chain provide the system security and data privacy required to inspire confidence in patients, regulators, and healthcare providers (HCPs), accelerating adoption and patient access.

Data is integral to every step in the CGT process, often in high volumes. Critical types of data include Chain of Identity (COI), Chain of Custody (COC), and protected health information (PHI). A digitally connected ecosystem closes the gaps in the processes and workflows, improving data integrity and controlling access to this valuable data. Patients are further protected when systems are integrated and provide secure, real-time monitoring and orchestration of patient and product journeys, ensuring delivery of the right therapy to the right patient, on time.

[Figure: Security and privacy are paramount for digital systems. CGTs require system and data security — and data privacy — to protect patients.]

(For more insight on data and data management in the CGT value chain, see Patient Data and Integrations – the unique role in CGTs and From Complex to Controlled: Proven data management strategies for greater speed and simplicity in cell and gene therapy operations and filings)

The current state of digital systems in CGT varies. There are a large number of heterogeneous digital systems — largely stand-alone and varying in sophistication. A high proportion of activities are still manual and paper-based, and in many cases these manual steps exist only because the digital systems are not connected to one another. The result is an inefficient value chain with opportunities for errors and unauthorized access to PHI, jeopardizing patient privacy and safety.

[Figure: A complex value chain has complex systems and data flows. Many specialized stakeholders and systems play a role in the CGT value chain, sharing data and information with varying levels of security and privacy safeguards.]

Why are integrated digital systems more secure?

Purpose-built systems for CGT that utilize modern “Secure by Design” (SbD) development approaches and best-in-class Application Programming Interface (API) technologies can digitally connect the CGT ecosystem and improve security, patient privacy, and patient safety. 

[Figure: Traceability is critical for patient safety in CGTs. The FDA and EMA both require rock-solid traceability from the outset. A digitized value chain built on modern integrations provides the foundation for compliance and patient safety.]
  • Moving from manual, email, and paper-based processes to integrated, digitized workflows eliminates the error-prone, redundant processes that are widely used today. Data can be validated by electronic systems, and PHI is available only to authorized users.
  • Pharmaceutical regulatory compliance is an essential baseline criterion for any digital system supporting a CGT. Regulatory bodies such as the FDA and EMA require that digital systems be built to standards such as 21 CFR Part 11 [1] and EudraLex Annex 11 [2] and validated according to the GAMP 5 framework. In addition, there are special traceability requirements for CGT raw materials and drug products [3,4] that are best met with digital solutions.
  • Patient data and PHI are protected by regulations such as the Health Insurance Portability and Accountability Act (HIPAA) in the U.S. and the General Data Protection Regulation (GDPR) in the EU. Digital systems, and any use of the data they contain, must comply with these regulations. One way system providers can assure their partners that they manage patient data adequately is by passing a SOC 2® audit. Based on standards of the American Institute of CPAs (AICPA), a SOC 2® audit is performed by an external auditing firm and examines a system’s performance against the five “trust service principles” — security, availability, processing integrity, confidentiality, and privacy [5]. Digital systems provide built-in compliance and a controlled storage and processing environment.
  • Configurable integrations designed for specific CGT use cases are built with security and patient privacy in mind and are pre-validated out-of-the-box. This approach ensures regulatory compliance and security while providing the flexibility to meet a therapy’s unique processes today and in the future.
  • Best-in-class API technologies enable integrations that are secure, precise, and efficient. Only the required data, nothing extra, is shared between systems during data calls, limiting the transmission and exposure of data and PHI to only what each call needs. Information is exchanged over transports that are both encrypted and mutually authenticated.
  • User roles and authorization levels in integrated digital systems control access to data in general, and enforce careful control of which users can see PHI.
  • Integrity of COI and COC is established upon initiation of a patient journey and is securely maintained and verified throughout the value chain when it is digitally integrated.
  • Enterprise-grade, cloud-based applications, developed with an SbD approach, have security built-in as the system is developed and are easily maintained in a compliant state. Best-in-class systems are based on industry standards from the National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce, and the Open Web Application Security Project (OWASP). Cloud-based applications enable system-wide compliance and regulatory updates, which are critical in a sector that crosses many regulatory jurisdictions and has an evolving regulatory landscape. Infrastructure redundancy and data backups provide business continuity. 
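Two of the controls the list above describes, data minimization by role and integrity of the chain of custody, are small enough to show in working code. The following is an added example written for this page, not code from the original post or from any product it describes. The role names, the field-visibility policy, the custody events and the HMAC key are all constructed for illustration; a real deployment would take the policy from its authorization service and the key from a managed secret store.

```python
"""Role-based PHI minimization and a tamper-evident chain-of-custody log.

Added example (not from the original post). Policy, roles, sample record,
custody events and the key are constructed for illustration only.
"""
import hashlib
import hmac
import json

# Constructed policy: which record fields each role is allowed to receive.
# A courier or manufacturing integration needs the Chain of Identity (COI)
# reference and lot, never the patient's name or date of birth.
ROLE_FIELDS = {
    "treating_clinician": frozenset({"patient_id", "patient_name", "dob",
                                     "coi_id", "product_lot", "status"}),
    "manufacturing": frozenset({"coi_id", "product_lot", "status"}),
    "courier": frozenset({"coi_id", "product_lot", "status",
                          "pickup_site", "delivery_site"}),
}

# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "patient_name": "Jane Example",
    "dob": "1970-01-01",
    "coi_id": "COI-EX-0001",
    "product_lot": "LOT-EX-42",
    "status": "in_transit",
    "pickup_site": "Apheresis Site A",
    "delivery_site": "Manufacturing Site B",
}


def minimize(record, role):
    """Return only the fields the role may see. Unknown roles get nothing
    (deny by default) rather than the full record."""
    allowed = ROLE_FIELDS.get(role, frozenset())
    return {k: v for k, v in record.items() if k in allowed}


def _canonical(event):
    # Stable serialization so the same event always yields the same tag.
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def _tag(prev_tag, event, key):
    # Each tag covers the previous tag and this event, linking the chain.
    msg = (prev_tag + "|" + _canonical(event)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_event(chain, event, key):
    """Append a custody event, tagging it over the previous entry's tag."""
    prev_tag = chain[-1]["tag"] if chain else "genesis"
    chain.append({"event": event, "tag": _tag(prev_tag, event, key)})
    return chain


def verify_chain(chain, key):
    """Recompute every tag in order. Returns (True, length) if intact, or
    (False, index) naming the first event whose content or position no
    longer matches its tag."""
    prev_tag = "genesis"
    for i, entry in enumerate(chain):
        expected = _tag(prev_tag, entry["event"], key)
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev_tag = entry["tag"]
    return True, len(chain)


def coi_consistent(chain):
    """Chain of Identity check: every custody event must reference the
    same COI identifier as the first one."""
    if not chain:
        return True
    first = chain[0]["event"]["coi_id"]
    return all(e["event"]["coi_id"] == first for e in chain)


def build_sample_chain(key):
    """Constructed three-step patient journey for demonstration."""
    chain = []
    for step, site in enumerate(["Apheresis Site A", "Courier Hub",
                                 "Manufacturing Site B"]):
        append_event(chain, {"step": step, "coi_id": "COI-EX-0001",
                             "product_lot": "LOT-EX-42", "site": site}, key)
    return chain


if __name__ == "__main__":
    key = b"constructed-demo-key-replace-in-production"
    print("courier view:", minimize(SAMPLE_RECORD, "courier"))
    chain = build_sample_chain(key)
    print("intact:", verify_chain(chain, key), "coi ok:", coi_consistent(chain))
    chain[1]["event"]["site"] = "Unplanned Location"   # simulate an edit
    print("after tampering:", verify_chain(chain, key))
```

The chain is verified by recomputing every tag from the genesis value forward, so an altered, removed or reordered event breaks verification at its own index and at everything after it. Keeping the HMAC key out of the hands of the parties that write events is what makes the log tamper-evident rather than merely tamper-resistant; an append-only store or a signing service would hold it in practice.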

(For more on SbD, see Cybersecurity success in advanced therapies starts by prioritizing security as a “Way of working”)

(To learn more about regulations and standards for digital systems, see Key industry and government regulations provide a cybersecurity foundation in advanced therapies)

Meeting the needs of CGT 3.0 requires secure, modern solutions that protect patient safety and privacy. A key piece is a digitized CGT value chain. An integrated, interoperable value chain — based on best-in-class technologies and built with an SbD approach — provides the infrastructure needed to grow and scale the industry while protecting patients’ safety and privacy.

(For a more comprehensive view of the importance of an integrated CGT value chain, see the previous two blogs in this series, How integrated digital systems solve key challenges with cell and gene therapies (CGTs) and Why CGT 3.0 success depends on interoperability)


  1. Title 21 – Food and Drugs, Chapter I – Food and Drug Administration, Department of Health and Human Services, Subchapter A – General, Part 11 – Electronic Records; Electronic Signatures. Silver Spring, MD. April 2020.
  2. EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4, Guidelines for Good Manufacturing Practice for Medicinal Products for Human and Veterinary Use, Annex 11: Computerised Systems. European Commission Health and Consumers Directorate-General. Brussels, SANCO/C8/AM/sl/ares(2010)1064599. 2010.
  3. U.S. Department of Health and Human Services, Food and Drug Administration, Center for Biologics Evaluation and Research. Chemistry, Manufacturing, and Control (CMC) Information for Human Gene Therapy Investigational New Drug Applications (INDs): Guidance for Industry. Silver Spring, MD. The FDA. January 2020.
  4. European Commission, EudraLex. The Rules Governing Medicinal Products in the European Union, Volume 4, Good Manufacturing Practice: Guidelines on Good Manufacturing Practice Specific to Advanced Therapy Medicinal Products. London, UK. The European Commission. November 2017.
  5. TSP Section 100: 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. American Institute of Certified Public Accountants (AICPA). March 2020.