Why quality matters

Our commitment to quality

We at IBM Watson Health strive to strengthen our client-centric culture and bring value to our customers. Our commitment to our customers is to provide outstanding industry-specific and innovative software products and services that are built to the highest software development standards around privacy, security and compliance.

We know that software quality is important and security by design is paramount to patient safety, product quality, and data integrity. Our products are tested extensively to identify flaws or defects prior to their release to a production environment in order to strengthen the trust our clients have in our products and services.

How we focus on quality

Defining quality

As we work to address the business challenges our clients face, here is how we define quality, quality standards and regulations:

What is quality?

Quality involves listening to our clients to design products and services that meet their needs.

What are quality standards?

Quality standards provide a shared vision for creating a high quality solution, plus procedures and vocabulary for meeting quality expectations.

What are regulations?

Regulations are rules made by entities, governmental agencies and executive departments.

Watson Health regulations and standards

The following are the regulations and standards that our teams strive to follow as we deliver software solutions and services to our clients.

Types of regulations

Industry regulations

GxP refers to a collective set of globally accepted good practices with respect to quality. This includes good manufacturing practices (GMPs), good clinical practices (GCPs), good laboratory practices (GLPs), good pharmacovigilance practices (GPVPs), good engineering practices (GEPs) and other quality practices.

The US Health Insurance Portability and Accountability Act of 1996 (HIPAA) established data security and privacy requirements for the storing and processing of protected health information (PHI and e-PHI). Entities that are subject to HIPAA must implement a set of technical, administrative and physical controls that are designed to secure this protected health information.

The Health Information Trust Alliance (HITRUST) is an organization governed by representatives from the healthcare industry. HITRUST created and maintains the Common Security Framework, which is a certifiable framework to help healthcare organizations and their providers demonstrate their security and compliance in a consistent, streamlined manner.

Regional regulations

As part of the European Union's General Data Protection Regulation (GDPR), IBM is enhancing its ongoing commitment to privacy by design. IBM is working to embed data protection principles even more deeply into its business processes. This work also strengthens existing controls to limit access to personal data, including mobile applications that rely on default settings to prevent sharing of personal data.

The LGPD (Lei Geral de Proteção de Dados Pessoais) comes into effect in August 2020 and is a statutory law on data protection and privacy in the Federative Republic of Brazil. The law's primary aim is to unify 40 different Brazilian laws that regulate the processing of personal data.

The California Consumer Privacy Act (CCPA) is a state-wide data privacy law that regulates how businesses all over the world are allowed to handle the personal information (PI) of California residents.

IBM works with local, state, national and international regulations based on the customer’s requirements. Please contact the Compliance Department for other regions that are covered.

Global regulations

The International Organization for Standardization (ISO) is an independent, non-governmental organization with a membership of 164 national standards bodies. ISO develops international standards that are voluntary, consensus-based and market relevant. The goal is to ensure that products and services are safe, reliable and of good quality.

ISO 9001
An international standard dedicated to Quality Management Systems (QMS). It outlines a framework for improving quality and providing products and services that consistently meet the requirements and expectations of customers. The QMS is the combination of all the processes, resources, assets and cultural values that support the goal of customer satisfaction and organizational efficiency.

ISO 13485
This standard specifies requirements for a quality management system where an organization needs to demonstrate its ability to provide medical devices and related services that consistently meet customer and applicable regulatory requirements.

ISO 27001
This standard defines the best practices for information security management processes. The ISO 27001:2013 standard specifies the requirements for establishing, implementing and documenting Information Security Management Systems (ISMS) controls.

ISO 27017
This standard provides guidelines for information-security controls applicable to the provisioning and use of cloud services as well as implementation guidance for both cloud service providers and cloud service customers.

ISO 27018
This standard establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information (PII) in accordance with the privacy principles in ISO 29100 for the public cloud computing environment.

The System and Organization Controls (SOC) framework, developed by the American Institute of Certified Public Accountants (AICPA), is a standard for controls that protect information stored in the cloud. Certified public accountants (CPAs) audit cloud service providers (CSPs), which results in internal control reports on the services provided by a service organization. SOC reports can help users assess and address the risks associated with an outsourced service.

US federal government regulations

Title 21 CFR Part 11 is the part of Title 21 of the Code of Federal Regulations that establishes the United States Food and Drug Administration (FDA) regulations on electronic records and electronic signatures (ERES).

Title 21 CFR Part 820 outlines the current good manufacturing practice (CGMP) guidelines for developing medical devices. It governs the methods, facilities and controls used for medical device design, manufacture, packaging, labeling, storage, installation and service.

A standard for the design, conduct, performance, monitoring, auditing, recording, analyses, and reporting of clinical trials that provides assurance that the data and reported results are credible and accurate as well as that the rights, integrity, and confidentiality of trial subjects are protected.


Is business resiliency part of the quality management system?

IBM establishes and manages an organizational structure to ensure business continuity and the availability of the resources needed to respond to a disruptive event.

Does IBM Watson Health have established quality procedures?

Yes. IBM Watson Health has a full QMS with procedures that describe the key process steps that govern the solution lifecycle, including change management, data privacy and data security.

How does IBM Watson Health ensure business-critical technologies are restored after a disaster?

IBM Watson Health has disaster recovery plans in place to protect and restore business critical technologies after a disaster to enable a quick recovery of services.

How does IBM Watson Health handle defect management?

Software-related issues are handled through IBM’s defect management processes. Controls are in place for the handling of defect identification through resolution. Customer complaints are investigated appropriately according to established procedures.

What are the practices around record retention at IBM Watson Health?

IBM Watson Health will retain and control all records or documents to provide evidence of conformity with requirements and retention time periods. The retention of records is based on the customer's records retention requirements or the internal procedure, whichever timeframe is longer.

What is IBM Watson Health’s validation philosophy?

IBM Watson Health’s ISO 9001:2015 QMS adopts related healthcare validation standards, such as the FDA’s General Principles of Software Validation.

Does IBM Watson Health get regularly inspected?

The IBM Watson Health ISO 9001:2015 quality management system is regularly inspected by a body that is accredited by the ANSI National Accreditation Board.