New SAFE-BioPharma Standards Create Identity Trust Ecosystem

Mollie Shields-Uehling, President & CEO,
SAFE-BioPharma Association

Trust is the most valuable currency in business– most importantly in Internet interactions. It’s essential to be able to trust that the identity on screen truly represents who that person is. Usernames and passwords do little to assure true identity. When used by health care providers to access applications and electronic health records, they compromise what should be secure and leave it open to hacking and cyber theft.

Recently announced standards protect against cyber theft and hacking.  They support an Identity Trust Ecosystem in which all participants – relying parties, federation gateways, credential issuers, and solutions providers – meet common interoperable standards of identity trust aligned with US, EU, and other global technical and policy standards.

The Identity Trust Ecosystem standards were created by SAFE-BioPharma Association. They allow — for the first time — use of a single cyber identity that can access a broad range of partners and applications in health care and the life sciences without compromising security or patient data.

Here’s how it works: The single identity credential authenticates to participating applications. Every time the credential is used to access the application, the credential service provider verifies the identity of the credential holder and informs the other organizations involved in the process.

Participants in the new Identity Trust Ecosystem will have confidence that the identity of each individual requesting access to their applications has been strongly authenticated before access is provided. Importantly, this automated process eliminates inefficiencies and costs typically associated with identity authentication.

Animated Video Explains Cyber-Security

By Mollie Shields-Uehling, President & CEO,
SAFE-BioPharma Association

---

Mollie Shields-Uehling, President & CEO, SAFE-BioPharma Association

How do you explain complicated cyber-security issues in a way that is quick and not confusing?

That was our mission in creating a brief animated video about authentication and digital signatures. Even though it’s specifically about cyber-security in the life sciences, this little gem will be useful explaining issues and solutions to people in any sector.

Click on the image below to view. And, if you agree with my assessment, click “Like” and share with others.

 

 

 

 

Global Regulatory Leadership from European Medicines Agency

By Mollie Shields-Uehling, President & CEO,
SAFE-BioPharma Association
as posted on Pharma iQ 09/29/2014

Mollie Shields-Uehling, President & CEO,
SAFE-BioPharma Association

I’m an American who has lived in Paris, London, and numerous other countries around the globe. It’s atypical for my generation. The experience has helped me appreciate the best ideas and policies, wherever they originate.

When it comes to greater efficiencies and cost savings in filing electronic submissions, the European Medicines Agency is well ahead of any other regulatory agency on the planet. They’re on record stating…

The Agency expects the exchange of digitally signed electronic documents to increase the efficiency of procedures and eliminate the need to archive paper documents. It may also bring about cost savings for companies, by removing the need to print documentation and reducing courier charges.

EMA uses digital signatures “systematically” in its outgoing documents that require a legally binding signature. Currently these are documents related to scientific advice for human medicines, to orphan medicines and to paediatric medicine procedures. The Agency also provides certified PDF electronic application forms to allow companies to sign these forms digitally using a PDF reader application.

It’s all part of EMA’s “strategy to increase electronic-document-only exchanges between the Agency and the pharmaceutical industry.”

I put digital signatures in bold because it’s an important detail in EMA’s policy that people in industry need to understand. By European Union definition, an electronic signature is “digital” when it is uniquely linked to the signatory; capable of identifying the signatory; created using data that the signatory can use under his/her sole control with a high level of confidence, and linked to the signed document in such a way that subsequent change in the document is detectable.

EMA also requires that the digital signature comes from a Certification Authority (CA) listed on an EU member state trust list.

These requirements provide high assurance of the individual’s identity, allowing the credential to be used for a multitude of purposes including applying legally binding, non-repudiable digital signatures to electronic documents.

Importantly, all EU/EMA requirements for a digital signature are consistent with those used in the SAFE-BioPharma® standard, and credentials obtained through Verizon Business UIS, a credential service provider under the SAFE-BioPharma Trust Framework, can be used to sign EMA submissions.

Why is this important? Drug development is now a global collaborative activity relying heavily on working with people and entities via Internet. This requires technologies that deliver greater trust in cyber-transactions. The SAFE-BioPharma standard was created toward that end.

Several widely available signing engines (e.g. DocuSign and Taigle’s MySignatureBook) have become compliant with the SAFE-BioPharma standard.

And not long ago, Adobe added SAFE-BioPharma to its Adobe Approved Trust List. This means that anyone with a SAFE-BioPharma® identity credential is able to sign a PDF document in Adobe® Acrobat®, or Reader® that will be automatically trusted globally by any other user of Adobe Acrobat, or Reader. The Adobe Approved Trust List (AATL) comprises almost 50 member organizations from around the world, including the US government, Japanese government, and members of the European Union Trust List.

Digital signatures based on the SAFE-BioPharma standard are used to sign electronic laboratory notebooks, regulatory submissions, clinical trial documents, and routine day-to-day business documents. This is what the signature looks like:

 

Digital identity credentials based on the SAFE-BioPharma standard are used to manage access across firewalls and to portals and to access protected information, such as electronic health records.

By embracing, using, and requiring digital signatures, EMA “…expects to increase the efficiency of procedures and eliminate the need to archive paper documents.” The new policy will advance cost savings for companies by removing the need to print documentation and reducing courier charges.

In the big picture of drug development and submissions, these may seem like minor savings. If you think that, consider the hidden costs of printing, scanning, copying, archiving/locating, shipping paper documents and/or the CDs and other media on which they’re stored.

EMA is improving it’s own operations and coaxing industry to do the same. I hope other regulatory bodies take note.

The Power of One

By Mollie Shields-Uehling, President & CEO,
SAFE-BioPharma Association
as posted on Pharma iQ 08/19/2014

Mollie Shields-Uehling, President & CEO,
SAFE-BioPharma Association

 

There is elegance in the apparently simple solution to the complex problem.

I say “apparently” because so many solutions are complicated in their detail and the people responsible for them struggle to tell their stories in simple terms — in ways that decision-makers and end-users can understand and appreciate.

That’s why we at SAFE-BioPharma have been on a quest to make the standard easier to understand for those concerned with improving digital workflows, systems, and business processes, in general.

The standard addresses many technical and regulatory details. We’re always available to lift the hood and take those who are interested or need to know on a thorough and detailed tour of how the SAFE-BioPharma standard for managing digital identities and applying digital signatures operates.

But how to get the message to a point where it can be understood by the many?

We recently decided to focus our message around benefits and the Number 1.

• First, readers should know that SAFE-BioPharma is the one industry collaboration helping to improve productivity, reduce costs, and lower time to market by protecting information assets, moving business processes online, and becoming paperless.

• SAFE-BioPharma also is the only identity standard created by the biopharmaceutical industry and its regulators to provide high-assurance identity trust for cyber-transactions across the biopharmaceutical and healthcare sectors. Identity credentials compliant with the standard are regulatory complaint and will be trusted by all US Government agencies, other companies in the SAFE-BioPharma systems and with companies in other industries with similar systems.

• Identity credentials based on the SAFE-BioPharma standard are like a single, trusted, interoperable Internet passport used to authenticate and manage identity and to apply secure digital signatures in electronic transactions. Signatures are linked to the individual’s identity. They are legally enforceable and non-repudiable. They ensure an eDocument’s integrity for as long as the document exists.

• They also are part of one global ecosystem, a rapidly expanding network of users, credential issuers, applications, services and solutions governed by the SAFE-BioPharma Standard. This means that all compliant products can be confidently used by industry with the knowledge they are acceptable to industry and regulators in the United States, Europe and around the globe.

For a more thorough look at how we’re explaining what we do and why we do it, please visit our new homepage at www.safe-biopharma.org.

I hope you see the value of the Standard’s benefits and agree with our use of the power of One.

Fuel the Digital Revolution in Life Sciences with SAFE-BioPharma

by Patric Wiesmann
August 11, 2014

When we as consumers think about the critical medicines and treatments developed by life sciences organizations, we often don’t consider the many data and approval processes inherent in the research and commercialization process. The harsh reality is that despite global investment in breakthrough drugs and devices, the recent slowdown in the clinical and economic efficiency of the development lifecycle imperils the industry. Pricewaterhouse Coopers substantiates this threat of declining scientific productivity, reporting that companies face more stringent regulatory hurdles from the FDA and European Medicines Agency (EMA). Between 2012 and 2018, nearly $150 Billion of revenues will meet death by “patent cliff.”

Compliance and risk management are always top of mind in the shifting landscape of life sciences. And as multinationals continue to expand across borders, reaching global patient populations in BRIC and beyond, they need to meet new and different standards to effectively bring life-sustaining treatments to market.

DocuSign is delighted to have a longstanding partnership with SAFE-BioPharma, a leading life sciences industry association that works to enable pharmaceutical companies to adopt and implement fully digital workflows. Leveraging the SAFE-BioPharma digital identity credential to apply digital signatures and to authenticate a user’s identity, companies are able to comply with digital authentication standards in different regions around the world.

I am honored to have recently attended a SAFE-BioPharma board meeting where I had the distinct privilege of accepting the SAFE-BioPharma DIGI Award for Innovative Product Compliance. The timing was ripe, as the dialogue among SAFE-BioPharma board members addressed the pressing need for life sciences companies to fully embrace digital adoption. I couldn’t agree more; it is high time that we champion efficiency and eradicate our product development cycle’s chief malady: Paper.

“DocuSign is a leader in delivering a secure and compliant platform that enables life sciences organizations to adopt a 100% digital solution,” said Mollie Shields-Uehling, President & CEO of SAFE-BioPharma. “Our member organizations, comprising most of the top 10 global BioPharma companies, realize that moving to secure, compliant end-to-end digital processes is required to modernize business, clinical and regulatory processes and bring medicines to patients faster and at lower cost.”

DocuSign has integrated with the global SAFE-BioPharma digital signature standard to provide fully digital workflows that facilitate compliance with 21 CFR Part 11.  We look forward to our dynamic partnership with SAFE-BioPharma and the opportunity to meaningfully help global life sciences organizations develop and commercialize treatments with greater clinical and economic efficiency.

About the Author

Patric Wiesmann joined DocuSign in 2011 and serves as Managing Director for Healthcare and Life Sciences. Patric brings over 20 years of experience in executive leadership, managing global sales and marketing organizations and serving both public and private industries including healthcare, software/technology and consumer products.  He previously held Corporate Sales and Sales leadership positions at American Hospital Supply and Baxter International. At DocuSign, he works with senior executives in customer and partner organizations to identify solutions that improve their ability to serve patients and improve compliance across their enterprises and around the world.

Security and Trust

Peter Alterman, PhD., Chief Operating Officer, SAFE Bio-Pharma Association

Given front-page preoccupation with privacy and trust, this is a good time to look at the relationship between cyber security and cyber trust. Each is a key component of the other, and each deserves to be understood in order to assure a secure and protected system.

Broadly defined, cyber security comprises a body of behaviors and implementations whose goal is to protect the enterprise and its digital resources – including content – from harm.

These days, enterprise firewalls do a fair job of excluding known threats.  Your network devices have had their default passwords reset to something more than “password” and all software security patches are implemented in a timely fashion. You require staff to take an annual refresher in proper online security, such as never clicking on attachments from addressees they don’t know and never disclosing personal information online. Passwords are changed every ninety days. Your CISO may have deployed network sniffers to search for more advanced threats and behaviors (e.g., employees logging into websites of questionable reputation or downloading files from dubious sites at home and transferring them to the office computer on an unprotected thumb drive). On the surface it might appear that the enterprise is secured. But deep down, the enterprise will still be at risk from a variety of threats, not the least trusted employees.

Cyber trust is a category of cyber security. It’s the ability to trust that the user accessing your systems online is authorized to do so. It’s also the knowledge that certain sites outside your domain can be trusted. Accomplishing these levels of trust requires credentialing and authenticating users seeking access to your systems. Credentialing and authenticating are separate functions. If your enterprise can be accessed by external users who are credentialed and authenticated by third parties, it’s essential to require that the vetting and credentialing practices of the third parties — and the appropriate handling of personally identifiable information – are acceptable to the enterprise.

Perhaps the greatest overlap between cyber trust and cyber security occurs in the issuance, management and revocation of credentials. Among others, credential management cyber security  targets include: how the proofed identity assertion is sent to the credential issuing service; how the device issuing the credential is protected from hacking or other disruption; how the personnel managing the operation are themselves vetted, and how the credential is transferred to the subscriber.

All of these issues become more complicated when factoring for anonymity, which exists in two forms — trustworthy and untrustworthy. Use of trustworthy anonymous credentials – those vouched for by a trusted entity — increases cyber risk by adding another element that the cyber security strategies must address. These assertions have a place in the ecosystem but not in e-commerce or e-government domains.

Cyber security and cyber trust are separate and intertwined enterprise issues. . They remind me of the M.C. Escher print where the white fish turn into black fish as foreground and background merge and separate.

 

THE SOURCES OF ONLINE TRUST: CREDENTIAL TRUST OR TRANSACTION TRUST?

Peter Alterman, PhD., Chief Operating Officer, SAFE Bio-Pharma Association

The eCommerce and eGov Services cyber-world currently use two  models for secure trusted transactions. One, the credential model, presumes a user with one or more credentials of various degrees of trustworthiness using an appropriate credential to log on to a web, telnet, or online app.  In the social media world, it’s the Google or Facebook userID/password pair. In the eGov world, it’s the SAFE-BioPharma-compliant digital certificate. The online app (or its proxy) receives the credential, validates it, and then grants the user access.

The other, the transaction model , looks pretty much the same to the user: user logs on to app but instead of validating the credential, the app starts a series of tests and challenges. Banks tend to use other, more robust methods to ensure that users logging on to their portals are who they claim to be. Credential? They hardly need one and they certainly don’t rely much on the trustworthiness of the actual credential.

It’s worth looking at how trust is determined in each model. In the credential model, the credential carries the trust, and its trustworthiness  comes from the credential issuer. In the transaction model, the extent to which users are deemed to be who they say they are depends on factors and tests that the application applies. In other words, the app makes the decision.

The credential model allows the trust and data contained in the credential to be used by many apps at many sites. The transaction model allows each app to determine trust and reliability each time the user goes to a different app.

 In the credential model, the cost of assigning trust and aggregating attributes is borne by the issuer, once (and passed along to one customer or another). In the transaction model, the cost  is borne repeatedly by each app. Finally, in the credential model, all the apps must trust the credential issuer as much or more than the credential user, while in the transaction model the app must be responsible for that trust by creating and managing its own trust architecture.

At some point, the app owner needs to make an informed decision on where to spend scarce resources: running a trust infrastructure for each online app or trusting credentials that carry high assurance everywhere. Unless what’s in the app can threaten world destruction, the answer to business should be clear. A dollar or euro saved in the trust phase is free money.

The New Credential Order Emerges

Peter Alterman, PhD., Chief Operating Officer, SAFE Bio-Pharma Association

We’ll soon look back on 2012 as the year the future of electronic identity credentialing began to appear out of the cloud (pun intended).For years, the electronic identity credentialing space has been trying to climb out of the siloed userID/password hole. Many initiatives and technologies have been thrown at the problem, with notable successes such as the academic InCommon and related academic federations based on the Shibboleth/SAML technology sponsored by OASIS and Internet2.

These local successes – many with millions of users, so I mean no slight when I call them local – led to the federated identity management initiatives. The US government has a lot to be proud of in this space, having initiated and then led a number of the technical, policy and practice efforts to enable federated identity management globally.

Alas, the

world of federated identity will soon be lost to the archives.

Three converging currents predict what is about to happen:

1. For years, , common credit cards in Europe have carried a digital certificate chip. In 2012, the US credit industry committed to converting from the ubiquitous mag stripe format to a smartcard compatible with the European credit card by 2015.
2. A bill has been introduced in Congress to direct the Centers for Medicare and Medicaid Services (CMS) to issue high assurance digital credentials to all citizens receiving CMS benefits; this encompasses every citizen over the age of 65 and many millions of others receiving Medicare and/or Medicaid services. Whether it passes or not, it points to the trend of governments credentialing their citizens. Many European and Pacific Rim nations already issue and manage high assurance digital credentials to their citizens.
3. Verizon has announced that it is moving from being a telecom company to an e-services company. The first step in this evolution is Verizon’s fourth quarter issuance of its Universal Identity Solution, zero-footprint credential. It links to all of the subscriber’s mobile and digital devices and is both user-friendly and high assurance.

These three sources: credit industry, governments and telcos, will credential every one of us, ending the current situation in which companies, websites, identity federations and communities of interest issue many kinds of credentials. This will be accompanied by the end of debates over technology interchange protocols, trust levels, policies, goals and standards.

The new challenge will be getting the Big Dogs to adopt three of the four goals of NSTIC: interoperability, user-friendliness and privacy enhancing. (In all likelihood the fourth, voluntary opt-in, a relic of the birth of the goals in a US government office, is likely to be deemed unnecessary and irrelevant by the telcos and the credit card consortium.)

There will be clear winners in this Brave New World. US businesses would do well to align with Federal PKI Architecture and/or FICAM-approved credential issuers. SAFE-BioPharma credentials fall into this category, and are likely to be among the long-term smart options. Relying on bank-issued ATM cards, next-generation smartcard-based credit cards, and mobile-device-based credentials issued by the major telcos will also be good bets.

How Cheap is Cheap?

Peter Alterman, PhD., Chief Operating Officer, SAFE Bio-Pharma Association

I’d like to talk about a dirty little secret in the cyber world: most system owners/operators want to do authentication and signing on the cheap. Fact is, the userID/password model in use since generation 1 of the computing lifetime is viewed by many of the online services as sufficient to their needs, while improved identity management for authentication is considered by these same managers as overly complex and expensive. Furthermore, most of the systems managers say they’ve never been attacked and don’t think they’re likely to be attacked.

There’s no arguing with the fact that the userID/password implementation is less expensive and simpler than implementing a high assurance trusted credentialing solution for authentication and signing. That said, there is a substantial hidden or overlooked cost for maintaining this rudimentary solution . The operational cost of managing a database of userIDs and passwords is buried in the overall cost of maintaining the system that houses it, but it’s real enough. As is the cost of helpdesk support (human or automated). Additionally, the risk of attack is real, and the probability of attack is getting greater, not smaller. Still, it’s hard to quantify the cost of the risk at budget time when the manager is going up against the rising cost of everything from electricity to toilet paper.

Risk calculations are part of the toolset of the cybersecurity folks, and higher assurance credentialing is one of the mitigating technologies they can deploy. But cybersecurity folks get very little respect at budget time themselves. So the usual model finds the IdM guy and the cybersecurity guy fighting over the crumbs left on the table. But I digress.

As governmental services, including the workflows of the regulatory agencies, move online, the risk assessment math changes. The formula stays pretty much the same but the numbers change. The cost of a breach goes up logarithmically.  The fines for privacy breaches are just the beginning. There’s loss of credibility among customers and business partners, opportunities for competitors to steal the cheese and the negative effects on other project budget lines when the victim is forced to spend unbudgeted funds on security consultants, repair services and new software tools to address the damage. On top of all of that, the new security practices disrupt most of the workflows in the victim’s business processes.

So what’s the cost of all this to the firm? Until the spit hits the fan, nobody wants to know. But it’s a good bet that one of the costs is the head of the underfunded cybersecurity guy, who gets to be the corporate scapegoat. In the TV drama world, he or she would find happiness in a new career selling toilet paper to industry at a higher income. In the real world, things aren’t so happy.

Report from the Attribute Management Vortex: How Things are Currently Swirling

Peter Alterman, PhD., Chief Operating Officer,
SAFE Bio-Pharma Association

Authentication? A Done Deal:  Contrary to some of the wheel-reinventing heard around the rooms at the recent Identity Ecosystem Steering Group kickoff meeting in Rosemont, electronic authentication was solved about four years ago.  The InCommon-NIH “Tao of Attributes” workshop officially signaled that the new frontier was attribute management in all its fuzzy dimensions.  Often overlooked by the Usual Suspects (of which I am one) has been the banking and online retail industries’ highly successful use of non-credential-based, sort of-two-factor transactional trust models for authenticating users to online services.  Another sign that the authentication problem has been successfully resolved is the plethora of proposed International Standards efforts in this area.  .  To the extent that the Identity Ecosystem Steering Group eschews standards-setting and drives for implementations, we will be able to gauge its potential for success.  But I digress…

A Fun Time for the Meeting Addicted:  The current frontier, on which the Usual Suspects have been laboring like Dr. Frankenstein on his Creature, is how to authorize user access to relying parties without the messy involvement of carbon-based life forms.  To do this, we are harkening back to a process addressed by NIST years ago, which they called Role-Based Access Control.  Of course, since everything old is new so long as its name is changed, we’re not calling this effort Son of RBAC, we’re talking XACML or metadata profiles or Rex the Wonder Dog.  Nonetheless, it’s all the same: how to format an attribute, how to exchange it, how to know how to trust it, how to know who to trust for an attribute and finally, how to make calculated, real-time authorization decisions that will stand up to appropriate risk management review.  My last count shows there are four “community of interest” working groups chewing on this piece of rawhide: one OIX work group, two FICAM work groups and at least one Internet2/InCommon group.  Kantara is debating starting up yet another one and is likely to do so.  And this count doesn’t even include agency-internal initiatives related to health IT and whatever the telecom industry, the SmartGrid folks, and their regulatory colleagues are talking about to themselves.  Oh, it’s a Fun Time for those addicted to meetings.

The Rush to be Second:  Nobody questions the need to bring attribute assertions and attribute management into play to further e-services and e-commerce.  Nobody who’s part of the discussion pileup questions the ROI for deploying authentication and attribute management services, but the business operators who run those services, both in the private sector and in the government sector, are generally less than enthusiastic.  Why, even when a positive ROI can be demonstrated?  First of all, most (not all) of the business operators don’t believe the analyses.  They see two things only: first, the burden of jumping into the unknown and changing business processes with the usual attendant risks  including substantial upfront costs; second, this stuff is pretty arcane to the average business operator, especially one who’s still struggling to understand online risk assessments and risk mitigation, identity management and electronic authentication.  That said, these folks are generally willing to be third in line to adopt, so long as they can see at least two comparably-sized implementations, sniff them, examine their books and get the nod from senior management.

Silly Season…Again: This is where federal agencies can have the most impact, as what the National Strategy calls “early adopters.”  A few are out there, but it isn’t more than a handful, and some of those are huddled in a self-made silo.  Mostly, agencies are ignoring Office of Management and Budget direction and hoarding their cash against possible Congressional sequestration in January.  Agency managers are also waiting to see what the outcome of the November elections will be before doing anything more than keeping the motors idling.  For those not familiar with the  Washington, DC, climate, this is the Season of Paralysis.  It happens every four years about this time, which by itself is a good reason why the private sector needs to offer up “early adopters” instead of waiting for government.

That said, some important government initiatives in this space continue to make themselves felt.  More about some of this next time.