A Digital Identity And Digital Signature Roundtable
By Rob Wright
Thanks to the creation of the personal computer and the Internet’s coming of age via the World Wide Web in the early 1990s, the digital revolution has forever changed how we live and conduct business. Transactions which used to require paper documentation and a handwritten signature can now be conducted more economically via digital identity and digital signature technologies.
However, alongside its benefits, the digital revolution has also produced new forms of theft. Cybercrimes, such as identity theft, have been a boon to digital authentication and verification technologies, which have posed a significant challenge for the pharmaceutical and biopharma industries to manage.
A variety of organizations have developed solutions to help life sciences organizations comply with good practice quality (GxP) audits, the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX), ISO, and FDA regulations such as 21 CFR Part 11, which requires organizations to guarantee the authenticity, confidentiality, and integrity of electronic records. To gain a better understanding of the digital identity and digital signature conundrum, Life Science Leader contacted the following experts: Peter Loupos, VP, scientific information systems, Sanofi-Aventis; Gary Secrest, recently retired as director, worldwide information security, Johnson & Johnson; and Mollie Shields-Uehling, president and CEO, SAFE-BioPharma Association. They discussed their opinions on digital identities, digital signatures, the need for them to be interoperable, and future trends for these technologies applicable to the life sciences industries.
Why should the industry be interested in using digital identities?
Peter Loupos of Sanofi-Aventis: Advancements in pharmaceutical R&D and enhanced quality of healthcare are predicated on an efficient flow of information amongst all stakeholders. A universally accepted trusted information infrastructure to allow this free flow does not currently exist. This has negative consequences in the timely approval of promising new treatments and costly consequences regarding healthcare delivery.
Gary Secrest, retired from Johnson & Johnson: As the entire healthcare space continues to move to electronic records for enhanced patient care and greater efficiency, the availability of a trusted digital identity to assure proper authentication before granting access to sensitive healthcare information is critical.
Mollie Shields-Uehling of SAFE-BioPharma Association: There are numerous factors that make it essential to know and trust the identities of people on the other side of the screen. The biopharmaceutical industry works with confidential information. It conducts business in a regulated and legally enforceable environment. And, it relies on global collaboration for research, development, sourcing, manufacturing, and other functions.
What is the significance of a digital identity being interoperable?
Loupos: In a perfect world, free flow of information between patients, healthcare providers, payers, researchers, and regulators would result in rapid access to promising new treatments for unmet needs and more efficient and higher quality healthcare. However, information sharing of personal information is a highly sensitive topic. Trusted interoperable digital identities would enable access of information for the benefit of all stakeholders.
Secrest: There will always be many application vendors and associated systems. To meet the goals of better care and efficiency, standardization is critical. It is simply too onerous on users to have multiple credentials with multiple levels of trust in the credential. A single, interoperable, trusted credential provides a way for an authorized user to work across a variety of systems in a seamless manner.
Shields-Uehling: There is a growing system of identity trust hubs across the globe, each containing many identities that can be trusted within its own hub. Interoperability means that an identity asserted by one hub will be trusted within another hub. That process occurs when trust hubs agree to follow a standard set of rules. For example, SAFE-BioPharma Association is a trust hub for the biopharmaceutical and healthcare sectors and follows the rules of the Federal Bridge, the identity trust hub serving U.S. federal agencies. Thus, all U.S. agencies which utilize Federal Bridge identity credentials have agreed to trust the digital signatures as being authentic.
What makes a digital signature different from other electronic signatures, and what makes the differences significant for the life sciences?
Loupos: Many transactions in the life sciences have either legal or regulatory implications. Most existing processes, even with some level of technology support, are still paper-based. This can be error-prone and introduces expensive delays as well as significant material costs. The identity of an electronic signature cannot be ensured. Digital signatures, legally defensible and nonrepudiable, hold the promise of quality and efficiency improvements through total electronic interoperable processes.
Secrest: There are two major differences — first, a digital signature cryptographically guarantees the integrity (i.e. it has not been violated) of the information which has been signed; what was signed has not been altered in any way, and if it has been altered, it is readily apparent. The second difference is in regard to the standardization of the digital signature. A digital signature made in one application can be verified in another application as long as the digital signature standard was followed.
Shields-Uehling: Digital signatures are more secure and legally binding than simple electronic signatures. Each signature is tightly bound to the individual’s proven identity, and the integrity of the entire document to which the signature is applied is cryptographically guaranteed. Digital signatures are legally enforceable, nonrepudiable (its use cannot be denied by the person who applied the signature), and are instantly auditable. Additionally, any change to a signed document invalidates the signature and graphically shows it is no longer valid. This level of protection is extremely important for the life sciences because it helps prevent fraud and shows the document is compliant with regulatory requirements.
How are digital identities and digital signatures currently being used in the life sciences?
Loupos: Digital identities are used wherever there is a desire to replace inefficient paper processes where legal and regulatory requirements must be met. Specific examples include electronic laboratory notebooks (which could be implicated in patent protection), regulatory filings, and contracts.
Secrest: Trusted digital identities enable strong user authentication processes in addition to enabling the use of digital signatures. These are imperative factors in a highly regulated environment such as life sciences. The integrity of data is a critical element for regulators as provided by a digital signature. So, we see data such as that from electronic lab notebooks or documents such as SOPs being digitally signed by individuals, authorized, and strongly authenticated using the same trusted credential. And, it’s becoming more common to use digital signatures for signing contracts, clinical protocols, and drug prescriptions — including controlled substance prescriptions.
Shields-Uehling: For several years, digital identities and digital signatures based on agreed-upon standards have been used to sign virtually every form of eDocument, including forms used from discovery through all phases of clinical development (e.g. electronic laboratory notebooks, government forms, electronic submissions, approvals, contracts). Importantly, they also are used to authenticate the digital identities of internal and external collaborators (e.g. CROs, clinicians). Soon we will see clinicians use them to access clinical portals and to sign ePrescriptions. We also will see them used extensively in conjunction with cloud collaboration. Interoperable digital identities will allow a variety of disparate collaborators to access documents and data from the cloud, apply digital signatures to them, and return them to the cloud. The time and cost savings over the current approaches will be enormous. We’re at the threshold of this new era in the use of digital identities and digital signatures. An early indicator of this is the ongoing pilot between industry researchers and their counterparts at the National Cancer Institute, where clinical trials are initiated using interoperable digital identities and signatures.
How do you expect digital signatures to be used in the future?
Loupos: The opportunity exists for digital signatures to be used to replace any process where efficiencies can be realized by evolving from paper to electronic while meeting all legal or regulatory requirements. It can be envisioned that academic researchers, pharma companies, healthcare providers, payers, and regulators would all work together to share data to gain greater insights into diseases, patient needs, and healthcare practices to the benefit of patients everywhere.
Secrest: Strong digital credentials are a key enabler for the continuing drive for paperless systems. Over the past several years it has become clear that simple passwords do not provide strong identification or authentication which is required for sensitive healthcare-related systems. We will see a continuing push to improve processes via electronic systems across the entire space from biopharmaceutical companies developing and selling drugs to doctors in hospitals providing patient care. A single, trusted digital credential will allow disparate users such as providers, payers, and researchers to share information via access to electronic systems instead of paper.
Shields-Uehling: The next big area of use will be expansion in clinical development. CROs already are testing digital identities and digital signatures and recognize their inherent efficiencies and cost savings. In the not too distant future, manufacturing will turn to digital identities and digital signatures as a way to manage and track the supply chain. The old ways of doing things are rapidly changing. Digital identities and digital signatures are in wide use today. We anticipate that over the next few years their use will expand significantly.
What are your thoughts on the use of interoperable digital identities within healthcare?
Loupos: Very simply, this is a requirement to contribute to fundamental change in the way healthcare is delivered. Until the free flow of healthcare information can occur amongst all shareholders, R&D and healthcare delivery will not reach its full potential.
Secrest: Simply put, interoperable digital identities are a vital enabler to improved healthcare at lower costs. Interoperable systems which provide for the free flow of healthcare-related information are the future.
Shields-Uehling: It is inevitable. Digital identities are needed to control access to patient records. Interoperability will allow for managed access to records across the firewalls of separate health systems. Physicians will use them to sign electronic prescriptions, including those for controlled substances. Healthcare is just crossing the threshold into electronic communications. It is just a matter of time before healthcare enters the era of secure and trusted communication based on interoperable digital identities.
The 7 Laws Of Identity
The seven laws of identity were developed by Kim Cameron, chief identity and access architect at Microsoft, and then refined in the blogosphere through his identity weblog at www.identityblog.com. The laws have been compiled and enhanced during an ongoing conversation among numerous people and represent the best available advice for developing and implementing an identity solution at your company.
1. Technical identity systems must only reveal information identifying a user with the user’s consent.
2. The solution that discloses the least amount of identifying information and best limits its use is the most stable long-term solution.
3. Digital identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.
4. A universal identity system must support both “omnidirectional” identifiers for use by public entities and “unidirectional” identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.
5. A universal identity system must channel and enable the interworking of multiple identity technologies run by multiple identity providers.
6. The universal identity metasystem must define the human user to be a component of the distributed system integrated through unambiguous human/machine communication mechanisms, offering protection against identity attacks.
7. The unifying identity metasystem must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies.
According to Joshua Trupin, executive editor of MSDN and TechNet magazines, these seven laws are important because digital identities play a key role in today’s information infrastructure. “If users and companies do not see identification as safe, private, and secure, the lack of trust will end up undermining any products and technologies that are built upon it,” says Trupin.