Critical Infrastructure Security, Security Strategy, Plan, Budget

Cover story: The SAFE standard makes signing documents via a computer a reality

But, as science marches on and the problems clinical researchers face become increasingly difficult to solve, the need for alliances arises daily. Science, after all, is a collaborative effort.

In the case of pharmaceutical companies, there are compelling reasons to form alliances, namely, the need to partner with clinical researchers and doctors to make drugs safe; with regulators to get drugs out to the public; and even with competitors to make advancements.

And there are technologies being developed, or already available, to make life easier for doctors and administrators encumbered with the drudgery of paperwork and countless forms to be filled out. These also can help maintain the many partnerships being established with companies and government agencies.

"The science is complex, the partnerships are complex, so there was a real need to provide efficiencies to make these collaborations more productive and more efficient," says Mollie Shields-Uehling, president and CEO of the SAFE-BioPharma Association, a nonprofit collaborative group comprised of technology and security experts from all corners of the pharmaceutical industry.

And, though these forays into working together can sometimes stall out, in some cases, even failure can breed success.

"They looked into shared infrastructures — that project did not really move forward," she says. "But what did move forward came out of that look at a shared infrastructure. That was the need for a digital identity and a digital signature and accompanying enabling technology."

Going digital

Developing new drugs involves years of research — and up until now, millions of pieces of paper. An extremely regulated process, drug development and approval requires documentation at every step, and most importantly, signed verification of the data contained within that documentation. Until that signature hits the document, it isn't legal.

Which is why until now pharmaceutical companies and clinical researchers have had to resort to paper in spite of an increasingly digitized workflow in the lab.

"The pharmas have been working for a long time on converting a lot of the information to electronic — they capture data electronically, they keep data electronically," says R. "Doc" Vaidhyanathan, vice president of product management for Arcot Systems. "The last mile of the solution has been to take the final document and have it available in a signed format for submission to the Food and Drug Administration (FDA). Technologically, the process of applying a digital signature has been known for a long time. The complexity was to have it done in a way that there was no room for dispute."

In February, AstraZeneca announced that it became the first pharmaceutical company to walk that last mile by carrying out a completely electronic and digitally signed submission to the FDA. The company used a digital signature solution from Arcot, but even Arcot experts will tell you that the whole process wouldn't be possible without an up-and-coming standard called Signatures and Authentication For Everyone (SAFE). The standard has created a trust framework for digital signatures within the highly regulated and extremely risk-averse industry.

Developed by the SAFE-BioPharma Association, the SAFE standard makes the process of signing documents digitally secure enough in the eyes of the regulators, pharma lawyers and clinicians to make the process of eliminating paper a possibility.

It is enabling companies such as AstraZeneca to completely revitalize business processes and it very well may be the catalyst to legitimize the use of digital signatures beyond big pharma, in the broader health care community and maybe even other unrelated verticals that have yet to completely abandon wet ink signatures.

Using existing technology

According to most SAFE BioPharma insiders, the problem with developing a secure standard for digital signatures was less about technology and more about business processes.

"The barriers to moving to digital processes were not only the technical standards," says Shields-Uehling.

After all, there already was a technological solution to solve the security challenge of creating a tamper-proof signature, says SAFE BioPharma Chairman Gary Secrest, pointing to public key infrastructures (PKI). As one of the granddaddies of PKI, Secrest was intimately familiar with the possibilities afforded by the technology in regard to signing documents with a computer. As director of worldwide information security for Johnson & Johnson, Secrest had a vested interest in leveraging PKI to make digital signatures work, and talking to his colleagues at competitors he found that others felt the same way.

"It wasn't a technology issue. We all knew about public key aspects of this, and we all knew how digital signatures worked, and we all knew from a technology perspective that it was all very well standardized," Secrest says. "So it wasn't that SAFE needed to standardize a technology, we needed to standardize an approach to a signature, and to meeting the requirements of regulators, and meeting the requirements of a signature that would hold up in court."

The idea behind SAFE is to have an established set of business processes and best practices that could leverage PKI to accomplish that. "It provides the broad legal, regulatory and risk management framework that the industry needs," Shields-Uehling says.

As they decided on technical details and best practices, Secrest and the development team knew that they would need to make the standard flexible. It just wouldn't be practical to make the highly competitive industry rely on the same public key infrastructure.

Fortunately, PKI standards allow for a process of cross-certification; basically, allowing an exisisting infrastructure to bridge with another infrastructure so that the first organization follows the same standards as the second. By using cross-certification, SAFE creates what Secrest calls a chain of trust. Organizations with existing PKI investments can leverage them by cross-certifying with SAFE to create SAFE-compliant signatures. Secrest's Johnson & Johnson is doing this with its own infrastructure.

"They have their own certificate authority and they have cross-certified with the SAFE bridge," Shields-Uehling says. "So that means that essentially all 77,000 J&J employees can make SAFE digital signatures."

Join the chain

According to Secrest, this flexibility creates an opportunity for a wide variety of organizations outside of the immediate circle of pharmaceutical companies to join the chain. This includes the federal government and other regulatory bodies.

"What's happening now, in order to complete that trust chain into our regulators and others within the government who might want to take advantage of a digital signature, we're cross-certifying the SAFE bridge with the federal bridge," he says. "So now there will be this trust chain that goes all the way from a person who's issued a credential inside the FDA from a federal public key infrastructure all the way back to inside one of the pharma companies."

With the standard created, there also has been one additional non-technical issue that SAFE has needed to face to gain acceptance. Even though the technologists understood the inherent security of SAFE, they would need to be able to convince all of the stakeholders. This includes regulators, lawyers and end-users.

"It is difficult to explain to someone who doesn't have much of a technical background why your signature is not forgeable; in fact, why your digital signature is more secure than your handwritten signature," Secrest says. "It is a very hard concept for people to get a hold of."

This is where SAFE BioPharma as an association kicks in, providing a collaborative organization to help members reach out to regulators, users and others within their own member organizations. Shields-Uehling thinks that all of the work is starting to pay off.

"We're seeing more and more projects and adoptions across the board by our members," she says. "The pharmaceutical industry tends to be very risk averse and conservative. They tend to wait and see what other companies do, and then you start to see lots and lots of companies doing things. We're at that point. We see the AstraZeneca leadership, and there are other companies working on projects just like that."

As the snowball collects momentum heading down the mountain, she and Secrest believe that it could have a positive influence beyond the pharmaceutical companies. For example, Shields-Uehling is currently working with key players in the health care industry to potentially roll out SAFE credentials to organizations under the broader health care umbrella.

"We are communicating with and letting the rest of the world know what we're doing, how it has worked, what our issues have been, and how it might be applicable to the broader health care community," Shields-Uehling says.

Though she and Secrest couldn't speculate beyond health care, others believe that SAFE may have a much larger radius of influence when it comes to catalyzing the use of digital signatures.

"I think it's interesting because I've been talking to analysts about implementing digital signatures and what they've all said is, ‘It's very interesting, it's very cool, but no one does it,'" says Carol Stone, vice president of marketing with Arcot Systems. "Now that an industry has begun critical mass to adopt them, they're starting to say, ‘Let me take a look at this.' Now that an industry is really taking this seriously, it is going to happen and the other industries are going to notice. We hope the ball keeps rolling."


In practice

As an organization, SAFE-BioPharma has aided companies with advice and acted as a collaborative intermediary to help organizations use SAFE signatures in new and exciting ways. Mollie Shields-Uehling, president and CEO of the SAFE-BioPharma Association, says there are several other key projects that have just recently come to fruition.

Proctor and Gamble

Proctor and Gamble has selected SAFE digital signatures to verify information in its eLab notebooks. "This is what the laboratory technicians and the clinical trial investigators use — its like a laptop," Shields-Uehling says. "All the information around a drug you put into an eLab notebook for discovery. That is critical in terms of defending a patent. The notebooks are often evidentiary documents in patent cases."


Pfizer is also using SAFE signatures in eLab notebooks and regulatory filings. It has currently put 22,000 signatures on about 14,000 documents so far. Though it hasn't yet done a completely paperless FDA filing like AstraZeneca, it has committed to going paperless, Shields-Uehling says.

National Cancer Institute (NCI)

SAFE-BioPharma also has a partnership with the National Cancer Institute (NCI) to help develop a database and digitized application process for clinical researchers applying to the FDA for new trials.

Every clinical trial that starts begins by the completion of what is called form 1572 with the FDA.

"It is one of the most voluminous and redundant forms submitted to the FDA each year," Shields-Uehling says. "Often the investigator will be working for several different companies at the same time. They'll work for National Cancer Institute on one trial, for Pfizer on another, Johnson and Johnson on another."

Spearheaded by the National Cancer Institute and using SAFE digital signatures, NCI, five pharmaceutical companies, and a number of leading research institutions are executing a shared trial application.
— Ericka Chickowski


Making it SAFE

From the business process side, any organization that uses SAFE as a certificate authority must undertake some steps to prove the identification of those using the system to digitally sign documents. They must provide several forms of ID and go through a standardized registration process no matter what organization they are from. In addition, all businesses that participate in the SAFE infrastructure must sign legal documents to limit the liability of anyone else using SAFE signatures.

Mollie Shields-Uehling, president and CEO of the SAFE-BioPharma Association, says that this limit of liability paves the way for the traditionally risk-averse pharmaceutical companies, which initially worried about the legal risks of collaborating with SAFE-BioPharma for something so important.

— Ericka Chickowski

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.