SAFE-BioPharma Conference Advances Identity Management and Electronic Submissions

The biopharmaceutical industry’s identity management community has advanced significantly in the last year, as demonstrated by several member companies of SAFE-BioPharma Association, the non-profit association that manages the Signatures and Authentication For Everyone (SAFE) digital identity and signature standard. The third SAFE Implementation Workshop, held November 8-9 in Chantilly, Virginia, showcased advances in identity management and highlighted the use of the SAFE standard in a broad range of industry applications.

Created specifically for the biopharmaceutical and healthcare industries, the SAFE digital identity is secured by a set of contractual agreements that bind its members to certain operating policies, standards, rules, regulatory, and legal requirements.

On the first day of the workshop, Ken Aull, a distinguished technical fellow of Northrop Grumman (Los Angeles, CA, www.northropgrumman.com), made the case for two-factor authentication and public key infrastructure (PKI) technology for securing data access control, authenticity, and integrity in meeting regulatory requirements. SAFE uses PKI technology-including key pairs, digital certificates, certification authorities, and other registration authorities that use digital signature technology-to streamline authentication and simplify the method of ensuring proper levels of security.

Aull explained that single-factor authentication, such as a password, does not provide sufficient security for sensitive data, because passwords are easily lost or stolen. Nonetheless, there is a fine line, Aull said, between not having enough security and adding too many layers that wind up impeding workflow. “Strengthening security too much can confound business value and make interoperability among different technologies and the parties who use these technologies impossible,” he said.

The US government now requires two-factor authentication for sensitive applications because it meets privacy requirements for healthcare data in both the US and abroad. “No technology supports inter-domain interoperability or extensibility as well as PKI and X.509 digital certificates,” said Aull. Unlike passwords, PKI technology can be used for e-signatures and encryption, in addition to authentication, for a large number of users in broad networks. A growing number of national and international healthcare standards are being built around PKI, including ISO 17090, Integrating the Healthcare Environment (IHE), ASTM–E2084, ASTM–E2212, DICOM–Supplement 41, and DICOM–Supplement 86.

Although support for PKI technology is evident, Aull said three key factors-credential issuance, application enablement, and business process alignment-are slowing PKI adoption. “Any time you make a fundamental change in policy and procedure within a highly regulated environment, you are likely to encounter resistance in getting businesses to recognize and exploit the capabilities that the technology provides,” explained Aull.

One way that SAFE-BioPharma has addressed these factors is by replacing the current financial industry model for issuing credentials to clinical investigators with an automated, online registration system that is more closely aligned with the industry’s process for conducting and managing clinical trials. The association continues to work with vendors to prepare off-the-shelf, SAFE-enabled products and applications. At the same time, the association is working with member companies to ensure appropriate validation programs and audit processes are in place to facilitate acceptance of the standard by regulatory bodies, including the FDA and EMEA.

Day two of the workshop highlighted case studies of how SAFE is being implemented within several member companies. Examples included:

• AstraZeneca is submitting SAFE-signed regulatory submissions through the FDA's Electronic Submissions Gateway (ESG), having already submitted 356Hs as part of an eIND submission and 1571s as part of an electronic Central Technical Document (eCTDs) submission.

• Pfizer is also submitting SAFE-signed regulatory submissions through the FDA's ESG and is using SAFE for an eLab Notebook application.

• Procter & Gamble has selected SAFE for its enterprise digital signature implementation and is using SAFE for electronic laboratory notebooks. It also is developing eForms for human resources applications, ePurchasing, and ePatent Submissions (to the US Patent and Trademark Office) using SAFE identities and signatures.

• Merck has launched an eSampling project whereby doctors may order samples on-line and receive them within days rather than weeks.

• Organon is making electronic regulatory submissions to the FDA in collaboration with an alliance partner.

• GSK is developing an eCTD project for regulatory submissions via the ESG.

• Bristol Myers Squibb is testing the use of the SAFE standard to authenticate the identity of external partners.

• Johnson & Johnson (J&J) is cross certified with the SAFE bridge. All 74,000 employees are SAFE-enabled.

• J&J is exploring an electronic master file project using SAFE.

• Five companies (Amgen, Genzyme, Merck, Pfizer, and SanofiAventis) are testing SAFE identities and digital signatures for signing 1572 forms as part of a collaborative project between the National Cancer Institute, FDA, the pharmaceutical industry, and researchers. This project, part of the “Firebird” application, will automate the submission and review of 1572 forms (investigator statements), a voluminous and redundant form filed annually.

Through the SAFE Community Collaborative Project, SAFE members are planning a collaborative project around clinical investigators in which all members will participate.