Identity Trust: The Future of a Secure Biopharmaceutical Industry

Globalized collaboration is forcing the biopharmaceutical industry to find new ways to work across vast geographical and enterprise boundaries. Companies co-develop products and form coalitions to improve R&D. Clinical trials are outsourced to CROs, often working with researchers and sites around the globe.

Cloud computing makes it all possible by allowing applications and their frequent updates to be accessed centrally, at a fraction of the cost and time required in the past.

But relying on the cloud also increases risk. It exposes organizations to data theft, significant challenges to business security, and regulatory compliance. While true in any globalized industry, for the highly regulated pharmaceutical sector it can result in compromised trial data and loss of proprietary information to unethical competitors. Taken to the extreme, it could render a trial useless.

On a larger scale, society's collective technology reliance has spawned new security concerns that are top of mind for senior executives and their boards of directors. Breaches in the public and private sectors result in big headlines and significant losses in market value. Certain nation states have targeted life sciences for commercial espionage. Suddenly, cyber security has become the hot topic.

Put another way, cyber-collaboration forces us to take a hard look at the issues of whom to trust and how to manage their access to valuable intellectual property. It also creates a need to apply legally binding and regulatory-compliant cyber-signatures to the electronic documents involved in day-to-day business, clinical development, and regulatory submissions.

Those issues were anticipated more than 10 years ago by a cadre of industry visionaries. They collaborated in developing a global industry standard for managing digital identities and for using those identities to apply secure and legally binding digital signatures to electronic documents. They named it SAFE-BioPharma and, to manage the standard, created an industry-supported non-profit under the same name. With member companies such as Pfizer, Merck, AstraZeneca, Bristol-Myers Squibb, Bayer, GSK, Lilly, and Sanofi - among others - SAFE-BioPharma is now celebrating its ten-year anniversary.

In this article I'll provide background on the standard, several examples of how it is being used, and address how global cyber security concerns are contributing to its growth.

Background

Compliance with the SAFE-BioPharma standard assures trust in the cyber-identities of all participants involved in secure Web-based communications and transactions. This happens because the standard requires that each individual with a compliant identity credential - generally a form of code securely stored on a token, in the enterprise, or in the cloud - has undergone a thorough and standardized vetting of his or her actual identity. This identity proofing process proves an individual's legal identity through the presentation and review of documentation and/or biometric evidence. The process is aligned with national and international laws, regulations and standards.

The trust is further assured through authentication, the process that proves the user's identity to the computer system. The SAFE-BioPharma standard assures use of strong authentication by requiring two-factor authentication, which proves, with certainty, an individual’s cyber identity. These factors may be something the user has (e.g. a cell phone to which a one-time password may be sent), something the user knows (e.g. a username), or something the user is (e.g. fingerprint, iris scan, or other biometric).

For the most part, member companies sponsor those to whom the credential is assigned. Once the credential is issued, it can be used to access data vaults, cross firewalls, and enter locations where protected information assets reside. Authorization to access a portal or application by a trusted credential holder is managed by the application owner. The credential ensures high trust assurance in the person’s identity, but access is based on authorization by the application owner.

Among the numerous advantages of this approach is that a single cyber credential can be used across a host of cooperating systems. This interoperability extends to all US Government agencies (e.g. FDA, NIH, VA) and other systems that, like SAFE-BioPharma, are part of a Government-managed network of trusted cyber-communities. It's the equivalent of having a single, universal Internet passport that can be recognized by an extensive global network of connected cyber-communities.

Compliance with the standard gives member companies - a company must be a member of SAFE-BioPharma Association to use the standard - an efficient way to manage those identities. Personnel involved in Trial A can have access to all of the trial documentation throughout the course of the trial but not to Trial B. Those involved in Trial B can have access to those files, but not to Trial A. Individuals involved in both will have access to both.

Identity credentials compliant with the standard provide organizations with strong and scalable safeguards assuring access only to those authorized to have it.

SAFE-BioPharma also facilitates use of digital signatures. It's important to understand that digital signatures are a more secure and protective way to sign an electronic document than common electronic signatures, and they are key to facilitating truly paperless transactions. Digital signatures compliant with the SAFE-BioPharma standard are the single strongest form of electronic signature in existence. Based on cryptography, each signature provides the strongest proof of the identity of the person who applied it, making it legally binding and preventing it from being denied by the signatory. Each signature also identifies the signatory and states what was signed, why it was signed, and when it was signed.

Cryptographic technology assures that any post-signature manipulation of a document reveals that change has occurred. We call this information integrity. While the specific change is not identified, the fact that the document has changed cannot be legally denied. This tamper-evident feature exists for the life of the document, often measured in decades. It applies to the entire document, including the thousands of pages in an ETMF.
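
An added example (not part of the original article and not SAFE-BioPharma code) of the properties described above: a signature bound to who signed, why, when and what, and a check that reports that a document changed without saying where. It assumes Ed25519 signatures and SHA-256 digests, which the article does not specify; the names, document text and timestamp are constructed, and certificate validation of the signer's key is omitted.

```javascript
// Added illustration, not SAFE-BioPharma code. Ed25519 and SHA-256 are assumed choices.
const crypto = require("crypto");
const sha256 = (data) => crypto.createHash("sha256").update(data).digest("hex");

// Hypothetical signer; a real credential binds the key to a vetted person via a certificate.
function newSigner(name) {
  return { name, ...crypto.generateKeyPairSync("ed25519") };
}

// The bytes actually signed: who, why, when, and the digest of what was signed.
function signedBytes(a) {
  return Buffer.from(JSON.stringify([a.signer, a.reason, a.signedAt, a.docSha256]));
}

function signDocument(signer, doc, reason, signedAt) {
  const attrs = { signer: signer.name, reason, signedAt, docSha256: sha256(doc) };
  const signature = crypto.sign(null, signedBytes(attrs), signer.privateKey);
  return { attrs, signature: signature.toString("base64") };
}

// Reports only THAT something changed, never which bytes changed.
function verifyDocument(publicKey, doc, env) {
  const sig = Buffer.from(env.signature, "base64");
  if (!crypto.verify(null, signedBytes(env.attrs), publicKey, sig)) return "INVALID_SIGNATURE";
  return sha256(doc) === env.attrs.docSha256 ? "VALID" : "DOCUMENT_CHANGED";
}

function demo() {
  const alice = newSigner("Dr. A. Example"); // constructed names and document
  const other = newSigner("Someone Else");
  const doc = "Protocol X-001 v3: dose 10 mg once daily";
  const env = signDocument(alice, doc, "I approve this protocol", "2015-10-01T12:00:00Z");
  const forgedReason = { ...env, attrs: { ...env.attrs, reason: "I reviewed only" } };
  return {
    untouched: verifyDocument(alice.publicKey, doc, env),
    editedDoc: verifyDocument(alice.publicKey, doc.replace("10 mg", "100 mg"), env),
    editedReason: verifyDocument(alice.publicKey, doc, forgedReason),
    wrongSigner: verifyDocument(other.publicKey, doc, env),
  };
}

console.log(demo());
```

Editing the document after signing yields DOCUMENT_CHANGED, while altering the stated reason or checking against another person's key yields INVALID_SIGNATURE, which is why the signatory cannot later disown the signature or its stated purpose.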

When all documentation is truly digital, there are real cost savings from speedy audits and the elimination of the small but ever-mounting costs of copying, faxing, scanning, storing, retrieving and shipping. It also allows for more easily searchable databases – important for improving and speeding the clinical trial and many other business and regulatory processes.

Many Uses

The pharmaceutical industry has many uses for the standard. For the purpose of this article, I'll group the main uses into four categories and provide examples of how the standard is being (or can be) utilized.

Collaboration and the Healthcare Ecosystem

Use of identity credentials compliant with the standard enables collaboration with clinical sites, in research environments, and with JVs and partnerships. Merck, for example, employs identity credentials compliant with the standard in its EngageZone External Partner Program, an enterprise-wide initiative facilitating collaboration with more than 700 external partners. It lets Merck safely share documents of any size, without compromising intellectual property or network security. It's able to do this with full accountability and security. EngageZone also creates a way for company and partners to participate in discussions, contribute ideas, view meetings and connect with other members of EngageZone through a single point of entry. The system is being used to leverage big data analytics, proprietary applications, and multiple databases from access points worldwide. Since the beginning of the year, EngageZone has allowed participating organizations to share securely more than 500,000 documents.

Workflow Automation

Recognizing the potential to accelerate review, exchange and signing of trial start up documents, the National Cancer Institute piloted a program between its own researchers and their counterparts at Bristol-Myers Squibb and Sanofi. The process typically takes a surprisingly long time, often months to years.

Delays at the beginning influence when a trial will end. From the patient perspective, the lack of an approved medication may mean loss of life or loss of life quality. From the company perspective, the delay may mean loss in time to market.

In this pilot, all researchers used interoperable digital identities. NCI researchers used government-issued cyber credentials. The BMS and Sanofi researchers used credentials compliant with the SAFE-BioPharma standard, which, by definition, are interoperable with the government-issued credentials. All participants were operating in a cyber environment where their respective identities would be trusted by the participating organizations. The startup documents were placed in a secure vault in the cloud where all participants had access. The process significantly reduced cycle time and saved money. They were able to review, edit, comment, and digitally sign the documents with a few keystrokes. Gone were the time-wasting paper-based requirements of printing, shipping, storing, filing, etc. The project received White House recognition for its efficiency and potentially lifesaving benefits.

From the first days of the standard, compliant digital signatures became the signature of choice to sign electronic laboratory notebooks, the daily lab records of activity and progress that can serve as crucial evidence in intellectual property legal challenges. Pfizer scientists, alone, report millions of compliant signatures applied to their eLNs.

For years, numerous companies have been using SAFE-BioPharma credentials to sign eSubmissions, among them, AstraZeneca, Pfizer and Bristol-Myers Squibb. For the FDA, which has received literally millions of submissions with SAFE-BioPharma signatures, their use is not a requirement. But for the EU's European Medicines Agency all electronic submissions must carry a digital signature. That became a regulatory requirement in June, and it's one of the reasons we're seeing more demand for SAFE-BioPharma credentials and signatures.

Over the past few years, a number of application companies have incorporated the SAFE-BioPharma standard into their own eSignature platforms. Anyone with a SAFE-BioPharma identity credential using one of these platforms may make an on-line choice to sign using a secure SAFE-BioPharma signature.

In addition, any SAFE-BioPharma® identity credential used to sign a PDF document in Adobe® Acrobat®, or Reader® will automatically be trusted by any other user of Adobe Acrobat, or Reader.

eHealth/Healthcare Regulatory Compliance

We know that the standard has a big, timesaving role to play in facilitating clinical trials. Several large CROs are piloting use of compliant identity credentials within their own organizations and with remote clinical sites. Importantly, major cross-industry collaborations including the TransCelerate Shared Investigator Platform and the proposed ACRES life science federated trust framework will utilize the standard for the identity credentials associated with those initiatives.

It's worth noting that for several years, the US Drug Enforcement Agency has required digital signatures on all ePrescriptions for controlled substances. DEA recognizes SAFE-BioPharma signatures as compliant.

Cyber/Technical Security

Despite extensive security measures, companies and networks in all sectors - pharma included - are not adequately protecting against illegal access to systems, private records, and other data. Two out of every three breaches occur through hijacked user names and passwords, including the remarkable OPM, IRS, and Anthem breaches.

Fifty-two percent of all breaches could have been prevented using strong authentication. Multi-factor authentication is a defense the US government requires of its agencies. But, with a few exceptions, that requirement has largely been ignored. It’s worth noting that not one of the agencies adopting multifactor authentication has experienced an authentication-based breach.

SAFE-BioPharma requires two-factor authentication for an identity credential to be compliant. Because of that requirement, together with careful identity proofing, use of cryptography, and other factors, the standard provides a welcome level of security to mobile computing and cloud technology. The standard enables secure and private access from any Internet connection, and it protects against unauthorized access to information that has significant value.

The estimates of cost savings associated with full utilization of the standard - from assuring trusted collaboration with external partners to signing any type of document and improving all document-related workflows - are enormous. But biopharma has a history of slow change. We know that's about to change.

Boards of Directors now require cyber accountability, with regular reports from their Chief Information Security Officers. Share values rise and fall with news of the most recent theft of what should have been secured. Executives are keenly aware of private and public sector hack attacks. They have a collective short fuse for financial loss or the embarrassment of negative headlines. They don't want to be at or near the helm when regulators, shareholders or the public learn that data has been compromised or that proprietary information is now in the hands of competitors. Worst of all, no one wants responsibility for poor security to result in killing an entire trial.

It all starts with knowing that the identity asserted through a cyber credential accurately reflects the identity of the person behind it. We function in an age defined by cybercode but with few restraints on its use. Regardless of the process or the application, identity trust among all participants will be necessary for secure, future growth.

Mollie Shields-Uehling directs the business and strategic activities of SAFE-BioPharma Association® and serves as the primary liaison with member companies, vendor partners and others in the growing SAFE-BioPharma community. She is a member of the association’s Board of Directors. Mollie has more than 20 years of international trade and biopharmaceutical industry experience. She previously served in various leadership positions with Bristol-Myers Squibb, Wyeth, the International AIDS Vaccine Initiative (IAVI), and in the White House Office of the U.S. Trade Representative and the U.S. Foreign Commercial Service.
