New SAFE-BioPharma Standards Create Identity Trust Ecosystem

April 21, 2017
Mollie Shields-Uehling, President & CEO,
SAFE-BioPharma Association

Trust is the most valuable currency in business, most importantly in Internet interactions. It’s essential to be able to trust that the identity on screen truly represents who that person is. Usernames and passwords do little to assure true identity. When used by health care providers to access applications and electronic health records, they compromise what should be secure and leave it open to hacking and cyber theft.

Recently announced standards protect against cyber theft and hacking.  They support an Identity Trust Ecosystem in which all participants – relying parties, federation gateways, credential issuers, and solutions providers – meet common interoperable standards of identity trust aligned with US, EU, and other global technical and policy standards.

The Identity Trust Ecosystem standards were created by SAFE-BioPharma Association. They allow — for the first time — use of a single cyber identity that can access a broad range of partners and applications in health care and the life sciences without compromising security or patient data.

Here’s how it works: The single identity credential authenticates to participating applications. Every time the credential is used to access the application, the credential service provider verifies the identity of the credential holder and informs the other organizations involved in the process.

Participants in the new Identity Trust Ecosystem will have confidence that the identity of each individual requesting access to their applications has been strongly authenticated before access is provided. Importantly, this automated process eliminates inefficiencies and costs typically associated with identity authentication.

Animated Video Explains Cyber-Security

October 26, 2016

By Mollie Shields-Uehling, President & CEO,
SAFE-BioPharma Association

How do you explain complicated cyber-security issues in a way that is quick and not confusing?

That was our mission in creating a brief animated video about authentication and digital signatures. Even though it’s specifically about cyber-security in the life sciences, this little gem will be useful explaining issues and solutions to people in any sector.

Click on the image below to view. And, if you agree with my assessment, click “Like” and share with others.





Global Regulatory Leadership from European Medicines Agency

September 30, 2014

By Mollie Shields-Uehling, President & CEO,
SAFE-BioPharma Association
as posted on Pharma iQ 09/29/2014


I’m an American who has lived in Paris, London, and numerous other countries around the globe. It’s atypical for my generation. The experience has helped me appreciate the best ideas and policies, wherever they originate.

When it comes to greater efficiencies and cost savings in filing electronic submissions, the European Medicines Agency is well ahead of any other regulatory agency on the planet. They’re on record stating…

The Agency expects the exchange of digitally signed electronic documents to increase the efficiency of procedures and eliminate the need to archive paper documents. It may also bring about cost savings for companies, by removing the need to print documentation and reducing courier charges.

EMA uses digital signatures “systematically” in its outgoing documents that require a legally binding signature. Currently these are documents related to scientific advice for human medicines, to orphan medicines and to paediatric medicine procedures. The Agency also provides certified PDF electronic application forms to allow companies to sign these forms digitally using a PDF reader application.

It’s all part of EMA’s “strategy to increase electronic-document-only exchanges between the Agency and the pharmaceutical industry.”

I put digital signatures in bold because it’s an important detail in EMA’s policy that people in industry need to understand. By European Union definition, an electronic signature is “digital” when it is uniquely linked to the signatory; capable of identifying the signatory; created using data that the signatory can use under his/her sole control with a high level of confidence, and linked to the signed document in such a way that subsequent change in the document is detectable.

EMA also requires that the digital signature comes from a Certification Authority (CA) listed on an EU member state trust list.

These requirements provide high assurance of the individual’s identity, allowing the credential to be used for a multitude of purposes including applying legally binding, non-repudiable digital signatures to electronic documents.

Importantly, all EU/EMA requirements for a digital signature are consistent with those used in the SAFE-BioPharma® standard, and credentials obtained through Verizon Business UIS, a credential service provider under the SAFE-BioPharma Trust Framework, can be used to sign EMA submissions.

Why is this important? Drug development is now a global collaborative activity relying heavily on working with people and entities via Internet. This requires technologies that deliver greater trust in cyber-transactions. The SAFE-BioPharma standard was created toward that end.

Several widely available signing engines (e.g. DocuSign and Taigle’s MySignatureBook) have become compliant with the SAFE-BioPharma standard.

And not long ago, Adobe added SAFE-BioPharma to its Adobe Approved Trust List. This means that anyone with a SAFE-BioPharma® identity credential is able to sign a PDF document in Adobe® Acrobat®, or Reader® that will be automatically trusted globally by any other user of Adobe Acrobat, or Reader. The Adobe Approved Trust List (AATL) comprises almost 50 member organizations from around the world, including the US government, Japanese government, and members of the European Union Trust List.

Digital signatures based on the SAFE-BioPharma standard are used to sign electronic laboratory notebooks, regulatory submissions, clinical trial documents, and routine day-to-day business documents. This is what the signature looks like:


Digital identity credentials based on the SAFE-BioPharma standard are used to manage access across firewalls and to portals and to access protected information, such as electronic health records.

By embracing, using, and requiring digital signatures, EMA “…expects to increase the efficiency of procedures and eliminate the need to archive paper documents.” The new policy will advance cost savings for companies by removing the need to print documentation and reducing courier charges.

In the big picture of drug development and submissions, these may seem like minor savings. If you think that, consider the hidden costs of printing, scanning, copying, archiving/locating, shipping paper documents and/or the CDs and other media on which they’re stored.

EMA is improving its own operations and coaxing industry to do the same. I hope other regulatory bodies take note.

The Power of One

September 30, 2014

By Mollie Shields-Uehling, President & CEO,
SAFE-BioPharma Association
as posted on Pharma iQ 08/19/2014


There is elegance in the apparently simple solution to the complex problem.

I say “apparently” because so many solutions are complicated in their detail and the people responsible for them struggle to tell their stories in simple terms — in ways that decision-makers and end-users can understand and appreciate.

That’s why we at SAFE-BioPharma have been on a quest to make the standard easier to understand for those concerned with improving digital workflows, systems, and business processes, in general.

The standard addresses many technical and regulatory details. We’re always available to lift the hood and take those who are interested or need to know on a thorough and detailed tour of how the SAFE-BioPharma standard for managing digital identities and applying digital signatures operates.

But how to get the message to a point where it can be understood by the many?

We recently decided to focus our message around benefits and the Number 1.

• First, readers should know that SAFE-BioPharma is the one industry collaboration helping to improve productivity, reduce costs, and lower time to market by protecting information assets, moving business processes online, and becoming paperless.

• SAFE-BioPharma also is the only identity standard created by the biopharmaceutical industry and its regulators to provide high-assurance identity trust for cyber-transactions across the biopharmaceutical and healthcare sectors. Identity credentials compliant with the standard are regulatory compliant and will be trusted by all US Government agencies, other companies in the SAFE-BioPharma systems and with companies in other industries with similar systems.

• Identity credentials based on the SAFE-BioPharma standard are like a single, trusted, interoperable Internet passport used to authenticate and manage identity and to apply secure digital signatures in electronic transactions. Signatures are linked to the individual’s identity. They are legally enforceable and non-repudiable. They ensure an eDocument’s integrity for as long as the document exists.

• They also are part of one global ecosystem, a rapidly expanding network of users, credential issuers, applications, services and solutions governed by the SAFE-BioPharma Standard. This means that all compliant products can be confidently used by industry with the knowledge they are acceptable to industry and regulators in the United States, Europe and around the globe.

For a more thorough look at how we’re explaining what we do and why we do it, please visit our new homepage at

I hope you see the value of the Standard’s benefits and agree with our use of the power of One.

Fuel the Digital Revolution in Life Sciences with SAFE-BioPharma

August 12, 2014


by Patric Wiesmann August 11, 2014 As posted on

When we as consumers think about the critical medicines and treatments developed by life sciences organizations, we often don’t consider the many data and approval processes inherent in the research and commercialization process. The harsh reality is that despite global investment in breakthrough drugs and devices, the recent slowdown in the clinical and economic efficiency of the development lifecycle imperils the industry. Pricewaterhouse Coopers substantiates this threat of declining scientific productivity, reporting that companies face more stringent regulatory hurdles from the FDA and European Medicines Agency (EMA). Between 2012 and 2018, nearly $150 Billion of revenues will meet death by “patent cliff.”

Compliance and risk management are always top of mind in the shifting landscape of life sciences. And as multinationals continue to expand across borders, reaching global patient populations in BRIC and beyond, they need to meet new and different standards to effectively bring life-sustaining treatments to market.

DocuSign is delighted to have a longstanding partnership with SAFE-BioPharma, a leading life sciences industry association that works to enable pharmaceutical companies to adopt and implement fully digital workflows. Leveraging the SAFE-BioPharma digital identity credential to apply digital signatures and to authenticate a user’s identity, companies are able to comply with digital authentication standards in different regions around the world.

I am honored to have recently attended a SAFE-BioPharma board meeting where I had the distinct privilege of accepting the SAFE-BioPharma DIGI Award for Innovative Product Compliance. The timing was ripe, as the dialogue among SAFE-BioPharma board members addressed the pressing need for life sciences companies to fully embrace digital adoption. I couldn’t agree more; it is high time that we champion efficiency and eradicate our product development cycle’s chief malady: Paper.


“DocuSign is a leader in delivering a secure and compliant platform that enables life sciences organizations to adopt a 100% digital solution,” said Mollie Shields-Uehling, President & CEO of SAFE-BioPharma. “Our member organizations, comprising most of the top 10 global BioPharma companies, realize that moving to secure, compliant end-to-end digital processes is required to modernize business, clinical and regulatory processes and bring medicines to patients faster and at lower cost.”

DocuSign has integrated with the global SAFE-BioPharma digital signature standard to provide fully digital workflows that facilitate compliance with 21 CFR Part 11.  We look forward to our dynamic partnership with SAFE-BioPharma and the opportunity to meaningfully help global life sciences organizations develop and commercialize treatments with greater clinical and economic efficiency.

About the Author

Patric Wiesmann joined DocuSign in 2011 and serves as Managing Director for Healthcare and Life Sciences. Patric brings over 20 years of experience in executive leadership, managing global sales and marketing organizations and serving both public and private industries including healthcare, software/technology and consumer products.  He previously held Corporate Sales and Sales leadership positions at American Hospital Supply and Baxter International. At DocuSign, he works with senior executives in customer and partner organizations to identify solutions that improve their ability to serve patients and improve compliance across their enterprises and around the world.

Security and Trust

July 23, 2013
Peter Alterman, PhD., Chief Operating Officer, SAFE Bio-Pharma Association

Given front-page preoccupation with privacy and trust, this is a good time to look at the relationship between cyber security and cyber trust. Each is a key component of the other, and each deserves to be understood in order to assure a secure and protected system.

Broadly defined, cyber security comprises a body of behaviors and implementations whose goal is to protect the enterprise and its digital resources – including content – from harm.

These days, enterprise firewalls do a fair job of excluding known threats. Your network devices have had their default passwords reset to something more than “password” and all software security patches are implemented in a timely fashion. You require staff to take an annual refresher in proper online security, such as never clicking on attachments from addressees they don’t know and never disclosing personal information online. Passwords are changed every ninety days. Your CISO may have deployed network sniffers to search for more advanced threats and behaviors (e.g., employees logging into websites of questionable reputation or downloading files from dubious sites at home and transferring them to the office computer on an unprotected thumb drive). On the surface it might appear that the enterprise is secured. But deep down, the enterprise will still be at risk from a variety of threats, not the least of which is trusted employees.

Cyber trust is a category of cyber security. It’s the ability to trust that the user accessing your systems online is authorized to do so. It’s also the knowledge that certain sites outside your domain can be trusted. Accomplishing these levels of trust requires credentialing and authenticating users seeking access to your systems. Credentialing and authenticating are separate functions. If your enterprise can be accessed by external users who are credentialed and authenticated by third parties, it’s essential to require that the vetting and credentialing practices of the third parties — and the appropriate handling of personally identifiable information – are acceptable to the enterprise.

Perhaps the greatest overlap between cyber trust and cyber security occurs in the issuance, management and revocation of credentials. Among others, credential management cyber security targets include: how the proofed identity assertion is sent to the credential issuing service; how the device issuing the credential is protected from hacking or other disruption; how the personnel managing the operation are themselves vetted, and how the credential is transferred to the subscriber.

All of these issues become more complicated when factoring for anonymity, which exists in two forms — trustworthy and untrustworthy. Use of trustworthy anonymous credentials – those vouched for by a trusted entity — increases cyber risk by adding another element that the cyber security strategies must address. These assertions have a place in the ecosystem but not in e-commerce or e-government domains.

Cyber security and cyber trust are separate and intertwined enterprise issues. They remind me of the M.C. Escher print where the white fish turn into black fish as foreground and background merge and separate.



April 3, 2013
Peter Alterman, PhD., Chief Operating Officer, SAFE Bio-Pharma Association

The eCommerce and eGov Services cyber-world currently uses two models for secure trusted transactions. One, the credential model, presumes a user with one or more credentials of various degrees of trustworthiness using an appropriate credential to log on to a web, telnet, or online app. In the social media world, it’s the Google or Facebook userID/password pair. In the eGov world, it’s the SAFE-BioPharma-compliant digital certificate. The online app (or its proxy) receives the credential, validates it, and then grants the user access.

The other, the transaction model, looks pretty much the same to the user: the user logs on to the app, but instead of validating the credential, the app starts a series of tests and challenges. Banks tend to use other, more robust methods to ensure that users logging on to their portals are who they claim to be. Credential? They hardly need one and they certainly don’t rely much on the trustworthiness of the actual credential.

It’s worth looking at how trust is determined in each model. In the credential model, the credential carries the trust, and its trustworthiness comes from the credential issuer. In the transaction model, the extent to which users are deemed to be who they say they are depends on factors and tests that the application applies. In other words, the app makes the decision.

The credential model allows the trust and data contained in the credential to be used by many apps at many sites. The transaction model allows each app to determine trust and reliability each time the user goes to a different app.

In the credential model, the cost of assigning trust and aggregating attributes is borne by the issuer, once (and passed along to one customer or another). In the transaction model, the cost is borne repeatedly by each app. Finally, in the credential model, all the apps must trust the credential issuer as much or more than the credential user, while in the transaction model the app must be responsible for that trust by creating and managing its own trust architecture.

At some point, the app owner needs to make an informed decision on where to spend scarce resources: running a trust infrastructure for each online app or trusting credentials that carry high assurance everywhere. Unless what’s in the app can threaten world destruction, the answer to business should be clear. A dollar or euro saved in the trust phase is free money.
