Ensuring data integrity in the long term

Despite the importance of the topic, there is no general consensus on the definition of data integrity. Nevertheless, it is crucial for companies to ensure the integrity of electronic data during its lifetime or retention period. In industries such as pharmaceuticals and healthcare, strict data integrity rules apply. Here, maintaining data integrity is an essential aspect of compliance requirements.

 

Thus, it becomes apparent that data integrity is dependent on legal requirements and industry-specific regulations, and its definition is tied to the context in which data is stored.

Legal definitions of data integrity

Definition from the GDPR:

The General Data Protection Regulation (article 5/1f) in relation to the storage of personal data: "Personal data must be processed in a manner which ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage by appropriate technical and organizational measures ("integrity and confidentiality")."

Industry-specific definitions of data integrity

Data integrity in pharma & life sciences:

US FDA definition (21 CFR Part 11, Electronic Records): "Data integrity refers to the completeness, consistency, and accuracy of data. Complete, consistent, and accurate data should be assignable, legible, original or copy recorded simultaneously, and accurate."

 

The FDA (Food and Drug Administration) uses the ALCOA principle to define a standard for data integrity. ALCOA Plus (ALCOA+) extends these conditions to include Complete, Consistent, Enduring, and Available.

 

As regulators become more stringent in their inspections, it is critical to be able to demonstrate compliance. The parameters of the ALCOA principle create a benchmark for holistic documentation here, which other industries also follow.

Data integrity in healthcare:

U.S. Department of Health and Human Services (HIPAA) definition: "Data integrity means that data or information is not altered or destroyed in an unauthorized manner."

Data integrity in the financial sector:

Payment Card Industry Data Security Standard (PCI DSS) definition: "Changes which disrupt data integrity are unauthorized, including alterations, additions, and deletions."

 

The PCI Security Standards Council uses the term "file integrity" instead of data integrity. The definition of file integrity can be found in the definition of "file integrity monitoring". It states that file integrity is a technique or technology under which specific files or logs are monitored to determine if they are modified. Further, PCI specifies that changes, additions, and deletions are classified as unauthorized changes which may interfere with file integrity.

The integrity of data can be impacted by a variety of threats. These include:

• User error: People can accidentally or unintentionally delete data and make mistakes when manually entering or managing data. This increases the likelihood of errors, duplicates, or deletions. Errors due to manual entry can extend to the execution of processes, and thus distort results.

 

• Transfer errors: Within retention periods, data often needs to be migrated multiple times. This involves transferring data from one system to another. This moving can result in transfer errors, which can lead to damage or loss of sensitive or critical data. For example, content-related and important meta-information such as retention period, timestamps, or IDs can be lost.

 

• Cyber-attacks: Cyber-attacks can allow malware to enter IT systems and manipulate, delete, or encrypt data records. In addition, hardware can be compromised. This often happens unnoticed until malware is activated on the system by the attacker or a ransom demand is made.

• Validate data: Use checksums to keep track of record consistency. So-called hash values, which are attached to files, can be used to identify modified or damaged data. An archiving system should be able to check and guarantee the integrity of the stored data. A Self-healing function automate the detection and repair of inconsistent data.

• Back up data: Data backup is one of the most important security measures for successful data integrity, as it protects against permanent data loss. Backups protect your business from data loss and ransomware attacks. In doing so, backups should be performed as frequently as possible, especially for mission-critical data.

• Access controls: Unauthorized access and unauthorized changes can be prevented by access controls. Here, it makes sense to proceed according to the "least privilege principle": Only authorized persons can access the data belonging to their area of responsibility.

• Finding sources of errors: If an error or manipulation of data does occur, it is important to locate the source and be able to prove changes. This is where documenting your data handling processes plays a critical role. An audit trail can effectively minimize data integrity risks. An audit trail logs the various stages of the data lifecycle. All processes, from creation, through retention, maintenance, usage, to deletion are recorded here. It also records what change and work was done, when, and by which user. This information can ensure compliance with regulations and be used as a basis for legal evidence.

An audit trail should have the following characteristics:

• Logs must be generated automatically.
• Users should not have access to audit trails.
• Each event (create, read, modify, delete) is logged with a timestamp.
• In addition, each event is assigned to a single user.