Digital signatures have become an essential part of doing business in the drug industry, particularly for the electronic submission of critical regulatory documents. And yet many in the industry still do not know what constitutes a safe and compliant digital signature, much less know what separates digital signatures from “electronic” signatures, says Mollie Shields-Uehling, president and CEO of the standard-setting SAFE-BioPharma Association.
The SAFE-BioPharma standard is used to verify and manage digital identities involved in electronic transactions and to apply digital signatures to electronic documents, Shields-Uehling says. The standard was developed by a non-profit consortium of biopharmaceutical and related companies, with participation from the FDA and EMA. “The SAFE-BioPharma digital signature offers a greater level of protection than other forms of electronic signature,” she adds. “It provides authentication, non-repudiation and data integrity across every single bit of the information to which the signature is applied. In simple terms, this means that if any component of the signed document is ever changed, the signature will be invalidated.
We spoke with Shields-Uehling about current digital signature practices, good and bad.
PhM: Is there still confusion within the drug industry about the critical differences between an electronic and a secure digital signature? If so, why?
M.S-U.: People in many industries lump all electronic signatures together. Digital signatures are sophisticated, fine-tuned, Formula 1 race cars compared to other electronic signatures, which are the go-karts of the industry.
We and others are in the process of educating the industry about these critical differences. We’ve been at it since 2005. Over the coming years we anticipate that appreciation of the differences will grow as more individuals in the private and public sectors acquire digital identities.
PhM: Your standards have the potential to be adopted widely, even in other industries. What's the extent of the acceptance of the standards thus far, and what might be possible?
M.S-U.: SAFE-BioPharma is an identity trust hub—a cyber-community providing participants with a highly secure way to validate, trust and manage identities in Internet transactions. Each SAFE-BioPharma authenticated identity is protected using sophisticated cryptographic technology. Once authenticated, the identity is uniquely linked to a digital certificate, permitting digital signatures.
SAFE-BioPharma was created specifically for use in the global biopharmaceutical industry and in the healthcare arena. The FDA and EMA have been and continue to be active participants in the standard’s development and evolution. SAFE-BioPharma digital identities are recognized and trusted within the SAFE-BioPharma community.
Other industries and the US government have similar identity trust hubs oriented to their specific needs. Many have formalized relationships with each other and assert the identity of their participants across the entire federation. For example, most US Federal agencies participate in a Federal trust hub. Because of the formal relationship between the US government’s trust hub and SAFE-BioPharma, most US government agencies will recognize and accept documents that carry a SAFE-BioPharma digital signature.
A network of identity trust hubs exists under the name of the 4BF (www.the4bf.com) and includes SAFE-BioPharma, CertiPath (aerospace and defense), Federal PKI Architecture (US Government) and HEBCA (higher education sector).
PhM: What's the extent of support that you've had from software and other vendors who must, of course, implement your standards within their solutions?
M.S-U.: The SAFE-BioPharma Vendor Partner Program encourages development of products and services to help SAFE-BioPharma member companies use the SAFE-BioPharma digital identity and signature standard. Vendor Partners whose product or products have completed the SAFE-BioPharma self-certification process are eligible to use the SAFE-BioPharma logo with those certified products. SAFE-BioPharma vendor partners include Microsoft, IBM, Intralinks, Arcot, Hitachi, Safenet, Tricipher, Adobe, SAIC, ARX, Waters, Symyx, idbs, and others. A complete listing can be found at www.safe-biopharma.org.
PhM: Are drug companies themselves, in their need to be compliant, expecting their vendors to have incorporated SAFE standards?
M.S-U.: The big drug companies developed the standard and started SAFE-BioPharma Association to manage its development. Many of them are using the standard in a variety of ways and are encouraging their vendors to adopt it as well. Over the past several months we’ve seen an increase in drug company communications to external partners, encouraging them to use SAFE-BioPharma digital signatures to sign contracts and other documents. They want to eliminate paper and the time lost from sending, handling, storing and retrieving paper. In addition to cost and time savings, reducing paper helps companies meet their environmental goals. Using SAFE-BioPharma digital signatures, lab scientists at one company reduced paper consumption by 3.3 million pages—the equivalent of 16 tons!
PhM: Are FDA and other regulators on board in terms of readily accepting the signatures for drug submissions and other critical documents?
M.S-U.: Yes. The FDA and EMA actively participate in the development of the standard. A few years ago, AstraZeneca became the first company to file a fully paperless submission through the FDA’s eSubmissions Gateway. It was able to achieve this milestone because of SAFE-BioPharma digital signatures. The FDA has since received tens of thousands of submissions signed with SAFE-BioPharma digital signatures.
SAFE-BioPharma digital signatures are accepted by EMA as advanced electronic signatures. We also participated with EMA in a successful pilot in which SAFE-BioPharma members submitted digitally signed documents as part of electronic Common Technical Document (eCTD) formatted submissions. Hitachi, a vendor partner, is working with the Japanese government to build acceptance for digital signatures there. Additionally, a new DEA rule permitting ePrescribing of Controlled Substances using two-factor authentication refers to the SAFE-BioPharma standard as meeting the criteria set in the new rule.
