By Bob Flinton
As Shakespeare might have said, the course of scientific progress never did run smooth. Advances in collaborative research efficiency (e.g. electronic lab notebooks [ELNs] and Internet-based data sharing) have simultaneously introduced fresh concerns over data security and authenticity. Thus far, for biotechnologists and life scientists, the cloud has been two parts panacea, one part pandemic.
Still, one mustn't understate the benefits of cloud-based research. In traditional collaboration, scientists may spend more time hunting for data in dispersed lab notebooks than conducting or analyzing new experiments. In contrast, cloud-based systems enable faster information retrieval and easier knowledge sharing across any number of laboratories worldwide.
These efficiency gains are hardly trivial. But as Forbes.com’s Eric Openshaw warns, data integrity assurance in the cloud is just as crucial as hacking or breach protection, and it’s “a matter complicated by the question of who owns the data, which can impact control over assurance and integrity, especially if ownership can change.”
This is particularly problematic for biotechnology organizations, which often hold more than 70% of their competitive assets in scientific intellectual property. And recent history has shown that preemptive and predatory litigation is a common offensive strategy among hypercompetitive biotechnology interests vying for priority of invention.
For a while, it looked very much like a zero-sum game; eager scientific researchers would have to choose between the agility of the cloud and the security of their proprietary servers. But what once seemed hopeless was, perhaps, merely a case of complacent problem solving. To succeed, long-standing approaches would have to be recalibrated to work in a new decoupled and distributed environment. Simply put, the industry needed a fundamentally stronger approach to data protection and authentication online — a silver bullet for assuring the authenticity of cloud-based, scientific IP.
The Nature Of The Threat: Chain Of Custody
Time to market is vital to research-based organizations. Yet a single oversight — if properly exploited — can invalidate a decade’s worth of effort or even bankrupt an entire organization.
In the cloud, researchers face the same dilemma, but with the potential for even greater efficiencies and vulnerabilities. Perhaps the stakes have never been higher. In 2009, Johnson & Johnson, AstraZeneca, and Biovail headed the list of prominent biotechnology and pharmaceutical corporations mired in costly intellectual property lawsuits. These disputes typically arise when multiple parties claim ownership of an intellectual asset or when manufacturers of generic health products infringe on a corporation’s patent protections.
In such disputes the chain of custody of the underlying records is what gets tested. The Federal Rules of Evidence (FRE) allow electronic records, including electronic lab notebooks, to be as admissible as paper records, provided that they were kept in the course of regularly conducted business activity and that the method of preparation is trustworthy.
However, once those records leave the perimeter of a research organization and enter the custody of a Web-based third party, trustworthiness across the whole chain of custody becomes much harder to demonstrate. During litigation, opposing counsel will almost certainly attack the processes and systems responsible for the cloud-based data's safekeeping, and without independent proof of authenticity those electronic records can simply be excluded as evidence.
These risks are so great as to make most scientific intellectual assets effectively uninsurable. For example, the maximum policy available today ($25 million) would cover only 4% of Merck’s total intangible asset value.
Given the nature of the threat and without a viable insurance option, biotechnology and life sciences organizations have a fiduciary responsibility to implement litigation-ready security controls into their research methodologies.
What’s At Stake: Record Integrity
Most life sciences organizations today rely on policies and procedures that require some form of human involvement to protect the integrity of their records. The weakness of such controls is precisely that they depend on people to carry them out: an insider with the right access, or an administrator under pressure, can alter a record and the procedure itself leaves no way to prove that this did not happen.
Simply combining policies and procedures with trusted employees and internal security technologies therefore does little to prove that business-critical records, files, or other digital content have not been tampered with.
Even organizations that have deployed public key infrastructure (PKI)-based digital signatures to protect electronic record integrity are at risk. If the authenticity of the content is questioned, an adversary can argue that whoever held the signing key could have altered the content and re-signed it later: a signature proves who signed, not when. Even when PKI-based time stamps are applied to digital signatures, trust issues around key management, clock management, and the time-stamping authority's general operating practices can still be used to call the signed records into question. Furthermore, since signing certificates expire and keys may be revoked or compromised, reasonable doubt is cast on the ability to prove record integrity over the long term. What's needed is a way to "lock down" content at the time of creation, so that there is no question as to its authenticity later.
To truly prove the trustworthiness of electronic records, the manual or human element must be removed from the record management and archival process. To restore confidence, electronic records must be protected by a mechanism that rests on cryptographic proof rather than on human accountability.
A critical requirement for any data integrity solution, especially in the life sciences and biotechnology industries, is also the ability to validate information years or even decades into the future. Life sciences companies must have a cryptographically repeatable process that gives them the ability to prove the authenticity of their electronic records to courts and regulators for the lifetime of the electronic content.
The Elements Of Trust
In the cloud, legally defensible data assurance solutions must satisfy three major criteria: they must be long-lasting, independently verifiable, and standards-based.
Because scientific researchers and developers may need to prove the authenticity of an electronic record years, perhaps decades, after the content's creation, limited-lifespan solutions like PKI are often inadequate. With PKI-based time stamps, the ongoing ability to prove the authenticity of an electronic record depends on the continued secrecy of one or more private keys. The mere possibility of key compromise is enough to sully the evidentiary quality of any record "sealed" with a PKI-based time stamp. Furthermore, proving the authenticity of signed information depends on one or more public key certificates, and once those certificates expire the corresponding signatures cannot be reliably verified, weakening their legal defensibility. By contrast, hash-chain, "widely witnessed" time stamping uses no secret keys at all, so there is no key to compromise and no certificate to expire; its security rests only on the collision and second-preimage resistance of the underlying hash function. The practical caveat is that hash functions age too, so the scheme must allow records to be re-sealed with a stronger hash before the original one weakens. These hash-chain time stamps (or "seals") can also be applied to digital signatures to extend their evidentiary life beyond the expiry of the corresponding certificates.
Hash algorithms (which produce "digital fingerprints" of content) come in many flavors and strengths. When selecting a data integrity solution built on this hash-based approach, be sure it uses internationally accepted and trusted standards such as the SHA-256 and RIPEMD-160 hash algorithms. Of the two, SHA-256 offers the larger security margin (a 256-bit output against RIPEMD-160's 160 bits), and a solution that hashes with both, or that can migrate to a stronger algorithm later, is safer for records that must survive for decades.
Legally speaking, an admissible electronic record must have its integrity verifiable by a party independent of the owner organization's people, processes, and systems. Hash-chain, "widely witnessed" time stamps provide that independent verifiability through a publication process: each interval's records are linked by hashing into a single value, and that value is published in a widely witnessed medium (e.g. in the New York Times). A record's seal can then be verified by anyone who has the record, the hash path linking it to the published value, and a copy of the publication. The process depends only on the underlying secure hash algorithms and not on any organization's people, processes, or technology. The "widely witnessed" element is what rules out collusion: once the value is in print, neither the customer nor the time-stamping service can backdate a record without it failing to hash to the published value, much as televising a state lottery's ping-pong-ball drawing makes the result impossible to alter after the fact.
Digital signatures, for their part, are legally supportable and can effectively associate an owner (or identity) with an electronic record, but they are not enough on their own to protect content, because they do nothing to independently establish a record's time of creation. Combined with hash-chain, "widely witnessed" time stamps, however, they become an effective way to bind identities to "sealed" records for the life of the content.
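To make the mechanism described above concrete, here is an added example (not the article's or Surety's code) of a miniature hash-chain, "widely witnessed" seal. It assumes one Merkle tree per publication interval, intervals linked by hashing the previous published value into the next, and SHA-256 throughout; the sample records and the "previous published value" are constructed for the demonstration. Note that verification uses only the hash function, the proof path, and two published values: no key, no certificate, and no trust in the sealing service.

```python
"""Hash-chain, "widely witnessed" time stamping, in miniature.

Added example, not from the article. Assumptions: one Merkle tree per
publication interval, intervals chained by hashing the previous published
value into the next, SHA-256 throughout, sample data constructed here.
"""
import hashlib
from typing import List, Tuple

GENESIS = b"\x00" * 32  # stands in for the first published value (constructed)


def h(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of the given byte strings."""
    m = hashlib.sha256()
    for p in parts:
        m.update(p)
    return m.digest()


def leaf_digest(record: bytes) -> bytes:
    # Domain-separate leaves from interior nodes so a record cannot be
    # crafted to masquerade as an internal node of the tree.
    return h(b"\x00", record)


def node_digest(left: bytes, right: bytes) -> bytes:
    return h(b"\x01", left, right)


def build_tree(leaves: List[bytes]) -> List[List[bytes]]:
    """Return every level of the Merkle tree; level 0 = leaves, last = [root]."""
    if not leaves:
        raise ValueError("an interval must contain at least one record")
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]  # duplicate the last node on odd-sized levels
        levels.append([node_digest(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


Proof = List[Tuple[str, bytes]]  # ("L" or "R", sibling digest), leaf upward


def inclusion_proof(levels: List[List[bytes]], index: int) -> Proof:
    """Sibling hashes needed to recompute the root from one leaf."""
    proof: Proof = []
    for level in levels[:-1]:
        nodes = level + [level[-1]] if len(level) % 2 else level
        sib = index ^ 1
        proof.append(("L" if sib < index else "R", nodes[sib]))
        index //= 2
    return proof


def root_from_proof(leaf: bytes, proof: Proof) -> bytes:
    cur = leaf
    for side, sib in proof:
        cur = node_digest(sib, cur) if side == "L" else node_digest(cur, sib)
    return cur


def seal_interval(records: List[bytes], prev_witness: bytes):
    """Aggregate one interval's records. Returns (levels, witness_value).

    witness_value is the "widely witnessed" value that gets published;
    chaining it to prev_witness means no past interval can be rewritten
    without every later published value changing.
    """
    levels = build_tree([leaf_digest(r) for r in records])
    witness = h(b"\x02", prev_witness, levels[-1][0])
    return levels, witness


def verify_seal(record: bytes, proof: Proof, prev_witness: bytes,
                published_witness: bytes) -> bool:
    """Independent verification: hash function + proof + two published values."""
    root = root_from_proof(leaf_digest(record), proof)
    return h(b"\x02", prev_witness, root) == published_witness


if __name__ == "__main__":
    # Constructed sample ELN entries submitted during one interval.
    entries = [b"ELN-0417 assay run 3: IC50 = 12 nM", b"ELN-0418 plasmid map v2",
               b"ELN-0419 western blot, lanes 1-6"]
    levels, published = seal_interval(entries, GENESIS)
    proof = inclusion_proof(levels, 1)  # the customer keeps this with the record
    print("genuine record verifies:", verify_seal(entries[1], proof, GENESIS, published))
    print("altered record verifies:", verify_seal(b"ELN-0418 plasmid map v3", proof, GENESIS, published))
```

A digital signature is sealed the same way: hash the signature bytes alongside the content as one leaf, and the seal then proves that the signature existed before the interval's value was published, regardless of when the signing certificate later expires. The `GENESIS` constant and the interval chaining format are this example's own conventions, not a published standard's.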
To be legally defensible, a time-stamping method must comply with either international standards, such as ISO standards, or national standards, such as ANSI (American National Standards Institute) standards. Both bodies specify trusted time-stamping mechanisms: ISO/IEC 18014-3 covers time-stamp tokens that are linked to one another (the hash-chain approach), and ANSI X9.95 covers trusted time stamps for the financial services industry.
About The Author
Bob Flinton is VP of marketing and product management at Surety. He has over 17 years’ experience in IT, network, and information security marketing and product management working for companies such as NetForensics, Novell, E-Security, Cybertrust, Symantec, and Sterling Software.