Updated: 16 Apr 2026
The FDA inspector arrives at the clinical operations office in Hyderabad. The trial master file is complete. The electronic data capture system is validated. The audit trail is intact.
Then the inspector asks for the authentication log for the EDC system covering the last 90 days. Not the audit trail inside the system. The log showing who logged in, when, and with what credentials.
The room goes quiet.
CDSCO and FDA inspectors examining clinical trial data integrity now specifically request evidence of individual authentication controls: who accessed each electronic record, when, and with what credentials. The question is not whether the data was modified without authorisation. The question is whether the system can prove the person who accessed it was who they claimed to be.
In a research environment, that question has a complicated answer.
The clinical data manager uses an individual account in the EDC system. The bioinformatics team shares a single account on the genomics platform because the vendor provisioned it that way. The CRO managing data collection for three active studies holds access credentials issued when the first study began. Two of those studies have closed. The access remains.
In Proactive's Cisco Duo deployments across pharmaceutical research environments in Hyderabad and Pune, credential audits consistently find CRO and contract research site accounts with access to live trial data from studies that completed months or years earlier. The access was never scoped down. The individuals named on the credentials may no longer work for the CRO.
CERT-In's mandatory audit framework requires MFA for all remote access and individual accountability for every access event. For Indian pharmaceutical research organisations, this sits alongside 21 CFR Part 11 and CDSCO's own inspection framework. Three regulatory expectations. One authentication surface.
Cisco Duo, Cisco's identity security platform, enforces named individual MFA across EDC systems, laboratory information management systems, bioinformatics platforms, and CRO remote access without requiring those systems to be revalidated from scratch. Named individual accounts replace shared credentials. Time-limited credentials for CROs auto-expire when study access periods end.
The authentication logs, individually attributed, timestamped, and exportable, satisfy both 21 CFR Part 11 audit trail requirements and CERT-In 180-day retention obligations from a single platform.
Proactive is a Cisco Preferred Security Partner deploying Cisco Duo across pharmaceutical research and life sciences environments in Hyderabad and Pune. The credential audit is the first step. It finds the CRO accounts nobody deactivated and the shared lab credentials the regulator is about to ask about.
The regulator is starting to notice.
So should you.
Talk to a Proactive Cisco Duo specialist. Write to [email protected].
We'll get back to you shortly.
