2005-05-05

The Evolution of Electronic and Digital Signatures in the Pharmaceutical Industry

I get asked about electronic and digital signatures and the difference between them a lot. In the pharmaceutical industry there is a defined difference based on the US Food and Drug Administrations's (FDA) regulations.

The FDA distinguishes between ‘closed’ and ‘open’ systems. A ‘closed’ system is one where a given company has tight control over system access and always ‘knows’ who is accessing the system – this is typical of important, internal, corporate systems to manage records. In contrast, an ‘open’ system is one where outside users, who may not be known or at least not controlled, may access the system (e.g. staff from a collaborating company). Closed systems depend on system integrity to manage record integrity, whereas in the case of open systems there needs to be more control at the individual record level.

We can see how this works by the type of signatures that are acceptable in the case of closed or open systems. The FDA distinguishes between electronic signatures vs. digital signatures in their 21 CFR Part 11 regulations that cover the management of electronic records and the signatures that may be applied to them.

Electronic signatures, as defined by the FDA, in essence are a record of a users signing action in the audit trail of the system. A user took an action that they know would result in a signing action (e.g. pushing a ‘Sign’ button) and then reconfirmed their identity by responding to a username/password challenge. In order that someone else knows that the document has been signed, there is also a requirement that the same metadata be embedded in the document in a form that is human readable and cannot be separated from the document – typically this requires systems to produce a secure PDF version of the document with the signature ‘manifestation’ added in a defined area or on an extra page. So, the signature is verifiable in the audit trail of a closed system which is controlled by the company. The company can continue to manage this information as records are moved from active use to archives. Open Text’s eSign product provides for electronic signatures to electronic records in Livelink systems.

Digital signatures, as defined by the FDA, usually use PKI technology. Typically the signature is contained within the signed document, rather than simply being a manifestation of system records. The advantage of this approach is that in theory a record can be sent to people outside the originating system but still be verifiable. However, such verification depends on access to certificate information. If certificate management is only within a given company then users outside cannot verify signatures. In addition, there are many proprietary permutations of PKI technology, so two companies may not have compatible systems that support mutual verification. This has significantly impaired the implementation of digital signatures in the pharmaceutical industry; in essence the question is, “What is the point of incurring the extra expense of implementing digital signatures if they can only be used internally, when electronic signatures are sufficient according to the regulations?”

To address these concerns a number of leading pharma and life sciences companies have formed a consortium to develop an industry-wide open standard for the secure, trusted exchange of signed documents. You can read more about it here: http://www.opentext.com/pharmaceutical/safe.html (see especially the link to the News Release and the SAFE website at the bottom of the page). Open Text Livelink was used as the technology demonstration platform and Open Text now sells a SAFE-complaint PKI solution. SAFE depends on established certificate management networks – in the first instance on the Identrus network already widely used and supported in the financial services and banking industries. The long term integrity and availability of these networks is required for archiving.

No comments:

Post a Comment