Regulations FDA
- Last Updated: January 31, 2023
- 2 minute read
- MOVEit Transfer
- Version 2024.1
- Version 2024
- Documentation
MOVEit is fully compliant with Food and Drug Administration (FDA) standards for timestamps as related to the auditing of medical information which may be transmitted via or placed at rest on MOVEit Transfer.
The MOVEit Transfer complete compliance statement follows.
Title 21 Code of Federal Regulations (21 CFR Part 11) Electronic Records; Electronic Signatures
(Maintained online here: https://www.fda.gov/regulatory-information/search-fda-guidance-documents/part-11-electronic-records-electronic-signatures-scope-and-application )
| Requirement | MOVEit Transfer Capability |
|---|---|
| (a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. |
|
| (b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records. |
|
| (c) Protection of records to enable their accurate and ready retrieval throughout the records retention period. |
MOVEit Transfer provides retention options for audit/access logs. Customer uploaded file retention is controlled by the customer. |
| (d) Limiting system access to authorized individuals. |
MOVEit Transfer supports restricted access and all files are encrypted at rest and in transit. See Progress PCI-DSS and SOC2 Type 2 Compliance Reports |
| (e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying. |
Modifying data within a file that has been uploaded to MOVEit Transfer is not supported. All file upload, download, move, copy, delete actions are stored in tamper evident audit logs. File Overwrite is an option configurable by the customer. |
| (f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate. |
Note: It is the responsibility of the customer to enforce any
required procedural rules regarding file access, upload or
download actions using MOVEit Transfer.
|
| (g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand. |
|
| (h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction. | (Not applicable) MOVEit Transfer does not inspect, modify or validate data within encrypted files transferred to or from MOVEit. Data validation is the responsibility of the customer. |
| (i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks. | (Not applicable)Proper use of MOVEit Transfer by the customer's users is the responsibility of the customer. |
| (j) The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification. | Electronic signatures are not applicable for MOVEit Transfer. |
(k) Use of appropriate controls over systems
documentation including:
|
(Not applicable)Proper training and use of MOVEit
Transfer by the customer's users is the responsibility of the
customer. Customer is responsible for development, control and audit of any procedures for their users of MOVEit Transfer. |
11.30 Controls for Open Systems
| Requirement | |
|---|---|
| Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in § 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality. |
Timestamp Draft Sections 5.1-5.2
N/A (MOVEit Transfer is not responsible for administrator/auditor training or the operating-system level synchronization of machine clocks.)
Timestamp Draft Section 5.3
"You should implement time stamps with a clear understanding of what time zone reference you use. Systems documentation should explain time zone references as well as zone acronyms or other naming conventions. For example, the time zone reference might be a central point like Greenwich Mean Time, a point local to the computer where the activity linked to the time stamp occurs, or a point where the time stamp clock (e.g., a time stamp server) is located."
If enabled, MOVEit Transfer displays the difference between the server's time and Greenwich Mean Time (commonly expressed as GMT +/- HH:MM). This field is visible on the LOWER LEFT side of the screen in the web interface and as a "welcome banner" when signing onto the web server.
Timestamp Draft Section 5.4
"You should take steps to ensure that date and time expressions are clearly understood throughout an organization."
MOVEit Transfer uses AM/PM to designate times and uses a date format of "MM/DD/YYYY"
Timestamp Draft Section 5.5
"Audit trail and signature time stamps should be precise to the hour and minute."
MOVEit Transfer is accurate to the second in its audit trail.