Making DevOps work for highly regulated industries

DevOps done well brings a range of benefits, but some industries have been slow to embrace it. Concerns about issues such as complexity and security have deterred players in regulated sectors including medical devices and pharma from adopting the approach, which prioritises close collaboration between development and operations teams to accelerate the deployment of new software and features.

With careful attention to adopting best practices in the process from the outset, however, even the most highly regulated industries can reap the benefits of DevOps. In fact, without DevOps, health & life sciences (HLS) organisations in particular will find it increasingly difficult to comply with regulations and remain commercially viable.

The promise of DevOps is that it breaks down development and operations silos, with the ultimate aim of satisfying customer demand through the early and continuous delivery of consistently good-quality software. By capturing individual elements of functionality in user stories, development and deployment into production take days rather than months.

In some industries, IT departments with many product teams can manage hundreds of releases of related pieces of software into production each week. Regulated industries often require additional gate-keeping steps such as sign-offs before a release, but even with these more complex compliance mechanisms, DevOps can still reduce the time between releases from months to weeks.

The potential for faster deployment, more streamlined processes and enhanced cross-team communication has persuaded many industries to embrace DevOps. It is now generally accepted as a key driver of speed, cost savings, improved quality and faster time to market — all of which make it attractive to companies pursuing digital transformation.

The Covid-19 pandemic has turned what were digital ambitions into digital imperatives, intensifying demand and competitiveness for modern digital experiences and ways of working. This new urgency is driving businesses even within highly regulated industries to compress the timeline for approving new software features so that deployment happens faster.

Regulatory compliance and security concerns are paramount among businesses in highly regulated industries such as pharmaceutical, banking, healthcare and medical device manufacture. These businesses must meet strict quality standards to ensure their products/services are safe for public use.

Regulations in the banking and financial sectors include Sarbanes-Oxley, Basel II, SCI, MiFiD and GDPR, for example. Depending on the markets they serve, pharmaceutical businesses must comply with FDA 21 regulation and various other national and regional medical agency directives. Pharma enterprises must also comply with GxP guidelines to ensure safety and quality during manufacturing, control, storage and distribution, but it can take weeks to approve a two-hour code fix. A 2020 report highlighting the healthcare sector’s concerns and hopes for DevOps did reveal growing interest in adopting DevOps, but it also indicated fundamental questions relating to its implementation. Some 41% of respondents reported that their organisation had advanced from a proof of concept for DevOps.

However, 24% cited disruption to existing workflows as the main obstacle to implementing DevOps. Other key reasons preventing healthcare businesses from harnessing DevOps included a lack of internal skills, siloed development and operations teams and a lack of awareness of the possible business benefits.

Although businesses in highly regulated industries need to be vigilant about the potential for rushing features that may breach regulations, they also need to recognise that delaying deployment may be even more problematic. Here are some reasons why:

Regulations designed to reinforce user protections put pressure on businesses to ensure security gaps are bridged without delay. In 2016, the U.S. Food and Drug Administration (FDA) published a cybersecurity regulation stipulating that security vulnerabilities identified in any medical care product must be fixed within 60 days of identification.

Given that fixes and releases of new product versions can take months in this industry, the logical solution is to shorten the release time to under 60 days. This can be achieved by adopting DevOps practices and automating such release tasks as approvals, infrastructure provisioning and validation and release documentation.

In any industry, the ability to rapidly deploy technology that either enhances operational efficiencies or directly fills a user need leads to improved customer satisfaction. Combining the DevOps best practices of a microservices architecture with continuous integration (CI) and continuous delivery (CD) means solutions and features most sought after by customers can be released at speed without compromising safety or quality.

Time to market is a major challenge for many highly regulated industries. The twin burdens of regulation and security requirements can delay new solutions and features. In the healthcare industry, the need to demonstrate improved patient outcomes to attract the substantial investment required for new initiatives can also slow the development of new products.

However, decreasing time to market is imperative in industries where rival offerings are converging and becoming increasingly difficult to differentiate. By releasing new solutions more quickly than before, businesses can gain a competitive edge.

DevOps can deliver that competitive advantage by shortening the software development cycle through automated infrastructure management and testing. New products and features are released faster, and bugs are fixed more promptly. The increased flexibility and efficiency that a microservices architecture facilitates also mean that solutions can be delivered faster.

With healthcare organisations in particular increasingly adopting DevOps , even the most highly regulated industries are beginning to realise its value for meeting the challenges of regulatory compliance, ever-shifting customer demands and accelerating time to market. However, implementing DevOps successfully is not simply a question of buying the latest tools and technology:

A key DevOps best practice is automation, which really streamlines the digital experience for software development in highly regulated industries — particularly when applied to documentation. Attempting to introduce new tech while working with paper-based methods of documentation to meet standards and regulations is fraught with difficulty.

The answer is to work on both the innovation and compliance sides of development simultaneously, rather than documenting and then developing. By maximising the amount of electronic digital integrations and tooling within the product development life cycle, paper-based documentation becomes redundant.

The risk of continuing with the traditional paper documentation mind-set is that even the smallest compliance gaps can become major issues. For example, if the FDA finds an issue during an audit of a medical device company and the appropriate documentation cannot be reproduced, systems may have to be shut down.

However, if the company had moved to a fully digital quality management system with appropriate design controls and fully integrated processes for designing, developing, releasing and maintaining the software, the automated documentation would detail the most up-to-date modifications and capabilities. Any code change would be fully traceable to why it was changed, who changed it and how it was tested. This would make mistakes easy to identify and eliminate human error.

Integrating security as part of DevOps (DevSecOps) involves combining processes and tools that enable security integration in DevOps workflows. Automation, early and ongoing security scanning, testing across multiple layers (host operating systems, container runtimes, etc.) are all part of DevSecOps best practices.

Equally important is embedding a security mind-set in the people who control the pipeline. Development and operations need to buy into the importance of security, and they also need to work together to ensure logging and monitoring are in place. Logging and log management are often overlooked, but they are key aspects of DevSecOps. You need to get your operations and applications teams working with security to create and follow an effective logging strategy.

For successful DevOps, technology is secondary to culture. In functionally siloed organisations, operations and development teams can view each with mutual resentment for increasing each other’s workloads.

This culture needs to shift so that teams are aligned with a common purpose. Individuals should feel that their voices are heard and that their contribution is important. By establishing buy-in from the bottom up rather than imposing structural change from upper management, team members will feel invested in the new culture, integrating the approach organically.

Even when organisations understand the potential for positive business impacts, a lack of expertise in DevOps can deter them from making the leap. The solution is to engage an expert external partner to implement DevOps best practices that the business can leverage into the future.

At NearForm, we recently worked with a global pharmaceutical company to help progress their digital transformation with a platform to create and manage a study tracker application for lab testing. Our work also included building a complimentary Azure-based DevOps platform, which will also be used on future projects.

This was a highly complex project with challenging requirements and timelines, but its completion has fast-tracked the company’s digital transformation, drastically reducing release cycles and encoding DevOps best practices that can be employed for future products and new features.

For companies in highly regulated industries wondering how to make the transition to DevOps, engaging an external partner to conduct a proof of concept or complete a lighthouse project is a relatively quick and low-risk way to experience the speed, efficiency and other benefits that DevOps can bring.