The biopharmaceutical industry’s identity management community has advanced significantly in the last year, as demonstrated by several member companies of SAFE-BioPharma Association, the non-profit association that manages the Signatures and Authentication For Everyone (SAFE) digital identity and signature standard. The third SAFE Implementation Workshop, held November 8-9 in Chantilly, Virginia, showcased advances in identity management and highlighted the use of the SAFE standard in a broad range of industry applications.
Created specifically for the biopharmaceutical and healthcare industries, the SAFE digital identity is secured by a set of contractual agreements that bind its members to certain operating policies, standards, rules, and regulatory and legal requirements.
On the first day of the workshop, Ken Aull, a distinguished technical fellow of Northrop Grumman (Los Angeles, CA, www.northropgrumman.com), made the case for two-factor authentication and public key infrastructure (PKI) technology for securing data access control, authenticity, and integrity in meeting regulatory requirements. SAFE uses PKI technology—including key pairs, digital certificates, certification authorities, and other registration authorities that use digital signature technology—to streamline authentication and simplify the method of ensuring proper levels of security.
Aull explained that single-factor authentication, such as a password, does not provide sufficient security for sensitive data, because passwords are easily lost or stolen. Nonetheless, there is a fine line, Aull said, between not having enough security and adding too many layers that wind up impeding workflow. “Strengthening security too much can confound business value and make interoperability among different technologies and the parties who use these technologies impossible,” he said.
The US government now requires two-factor authentication for sensitive applications because it meets privacy requirements for healthcare data in both the US and abroad. “No technology supports inter-domain interoperability or extensibility as well as PKI and X.509 digital certificates,” said Aull. Unlike passwords, PKI technology can be used for e-signatures and encryption, in addition to authentication, for a large number of users in broad networks. A growing number of national and international healthcare standards are being built around PKI, including ISO 17090, Integrating the Healthcare Environment (IHE), ASTM–E2084, ASTM–E2212, DICOM–Supplement 41, and DICOM–Supplement 86.
Although support for PKI technology is evident, Aull said three key factors—credential issuance, application enablement, and business process alignment—are slowing PKI adoption. “Any time you make a fundamental change in policy and procedure within a highly regulated environment, you are likely to encounter resistance in getting businesses to recognize and exploit the capabilities that the technology provides,” explained Aull.
One way that SAFE-BioPharma has addressed these factors is by replacing the current financial industry model for issuing credentials to clinical investigators with an automated, online registration system that is more closely aligned with the industry’s process for conducting and managing clinical trials. The association continues to work with vendors to prepare off-the-shelf, SAFE-enabled products and applications. At the same time, the association is working with member companies to ensure appropriate validation programs and audit processes are in place to facilitate acceptance of the standard by regulatory bodies, including the FDA and EMEA.
Day two of the workshop highlighted case studies of how SAFE is being implemented within several member companies. Examples included:
Through the SAFE Community Collaborative Project, SAFE members are planning a collaborative project around clinical investigators in which all members will participate.