The New Credential Order Emerges

January 11, 2013
Peter Alterman

Peter Alterman, PhD., Chief Operating Officer, SAFE Bio-Pharma Association

We’ll soon look back on 2012 as the year the future of electronic identity credentialing began to appear out of the cloud (pun intended).For years, the electronic identity credentialing space has been trying to climb out of the siloed userID/password hole. Many initiatives and technologies have been thrown at the problem, with notable successes such as the academic InCommon and related academic federations based on the Shibboleth/SAML technology sponsored by OASIS and Internet2.

These local successes – many with millions of users, so I mean no slight when I call them local – led to the federated identity management initiatives. The US government has a lot to be proud of in this space, having initiated and then led a number of the technical, policy and practice efforts to enable federated identity management globally.

Alas, the

world of federated identity will soon be lost to the archives.

Three converging currents predict what is about to happen:

  1. For years, , common credit cards in Europe have carried a digital certificate chip. In 2012, the US credit industry committed to converting from the ubiquitous mag stripe format to a smartcard compatible with the European credit card by 2015.
  2. A bill has been introduced in Congress to direct the Centers for Medicare and Medicaid Services (CMS) to issue high assurance digital credentials to all citizens receiving CMS benefits; this encompasses every citizen over the age of 65 and many millions of others receiving Medicare and/or Medicaid services. Whether it passes or not, it points to the trend of governments credentialing their citizens. Many European and Pacific Rim nations already issue and manage high assurance digital credentials to their citizens.
  3. Verizon has announced that it is moving from being a telecom company to an e-services company. The first step in this evolution is Verizon’s fourth quarter issuance of its Universal Identity Solution, zero-footprint credential. It links to all of the subscriber’s mobile and digital devices and is both user-friendly and high assurance.

These three sources: credit industry, governments and telcos, will credential every one of us, ending the current situation in which companies, websites, identity federations and communities of interest issue many kinds of credentials. This will be accompanied by the end of debates over technology interchange protocols, trust levels, policies, goals and standards.

The new challenge will be getting the Big Dogs to adopt three of the four goals of NSTIC: interoperability, user-friendliness and privacy enhancing. (In all likelihood the fourth, voluntary opt-in, a relic of the birth of the goals in a US government office, is likely to be deemed unnecessary and irrelevant by the telcos and the credit card consortium.)

There will be clear winners in this Brave New World. US businesses would do well to align with Federal PKI Architecture and/or FICAM-approved credential issuers. SAFE-BioPharma credentials fall into this category, and are likely to be among the long-term smart options. Relying on bank-issued ATM cards, next-generation smartcard-based credit cards, and mobile-device-based credentials issued by the major telcos will also be good bets.


How Cheap is Cheap?

January 5, 2013
Peter Alterman

Peter Alterman, PhD., Chief Operating Officer, SAFE Bio-Pharma Association

I’d like to talk about a dirty little secret in the cyber world: most system owners/operators want to do authentication and signing on the cheap. Fact is, the userID/password model in use since generation 1 of the computing lifetime is viewed by many of the online services as sufficient to their needs, while improved identity management for authentication is considered by these same managers as overly complex and expensive. Furthermore, most of the systems managers say they’ve never been attacked and don’t think they’re likely to be attacked.

There’s no arguing with the fact that the userID/password implementation is less expensive and simpler than implementing a high assurance trusted credentialing solution for authentication and signing. That said, there is a substantial hidden or overlooked cost for maintaining this rudimentary solution . The operational cost of managing a database of userIDs and passwords is buried in the overall cost of maintaining the system that houses it, but it’s real enough. As is the cost of helpdesk support (human or automated). Additionally, the risk of attack is real, and the probability of attack is getting greater, not smaller. Still, it’s hard to quantify the cost of the risk at budget time when the manager is going up against the rising cost of everything from electricity to toilet paper.

Risk calculations are part of the toolset of the cybersecurity folks, and higher assurance credentialing is one of the mitigating technologies they can deploy. But cybersecurity folks get very little respect at budget time themselves. So the usual model finds the IdM guy and the cybersecurity guy fighting over the crumbs left on the table. But I digress.

As governmental services, including the workflows of the regulatory agencies, move online, the risk assessment math changes. The formula stays pretty much the same but the numbers change. The cost of a breach goes up logarithmically.  The fines for privacy breaches are just the beginning. There’s loss of credibility among customers and business partners, opportunities for competitors to steal the cheese and the negative effects on other project budget lines when the victim is forced to spend unbudgeted funds on security consultants, repair services and new software tools to address the damage. On top of all of that, the new security practices disrupt most of the workflows in the victim’s business processes.

So what’s the cost of all this to the firm? Until the spit hits the fan, nobody wants to know. But it’s a good bet that one of the costs is the head of the underfunded cybersecurity guy, who gets to be the corporate scapegoat. In the TV drama world, he or she would find happiness in a new career selling toilet paper to industry at a higher income. In the real world, things aren’t so happy.

Report from the Attribute Management Vortex: How Things are Currently Swirling

September 9, 2012
Peter Alterman

Peter Alterman, PhD., Chief Operating Officer,
SAFE Bio-Pharma Association

Authentication? A Done Deal:  Contrary to some of the wheel-reinventing heard around the rooms at the recent Identity Ecosystem Steering Group kickoff meeting in Rosemont, electronic authentication was solved about four years ago.  The InCommon-NIH “Tao of Attributes” workshop officially signaled that the new frontier was attribute management in all its fuzzy dimensions.  Often overlooked by the Usual Suspects (of which I am one) has been the banking and online retail industries’ highly successful use of non-credential-based, sort of-two-factor transactional trust models for authenticating users to online services.  Another sign that the authentication problem has been successfully resolved is the plethora of proposed International Standards efforts in this area.  .  To the extent that the Identity Ecosystem Steering Group eschews standards-setting and drives for implementations, we will be able to gauge its potential for success.  But I digress…

A Fun Time for the Meeting Addicted:  The current frontier, on which the Usual Suspects have been laboring like Dr. Frankenstein on his Creature, is how to authorize user access to relying parties without the messy involvement of carbon-based life forms.  To do this, we are harkening back to a process addressed by NIST years ago, which they called Role-Based Access Control.  Of course, since everything old is new so long as its name is changed, we’re not calling this effort Son of RBAC, we’re talking XACML or metadata profiles or Rex the Wonder Dog.  Nonetheless, it’s all the same: how to format an attribute, how to exchange it, how to know how to trust it, how to know who to trust for an attribute and finally, how to make calculated, real-time authorization decisions that will stand up to appropriate risk management review.  My last count shows there are four “community of interest” working groups chewing on this piece of rawhide: one OIX work group, two FICAM work groups and at least one Internet2/InCommon group.  Kantara is debating starting up yet another one and is likely to do so.  And this count doesn’t even include agency-internal initiatives related to health IT and whatever the telecom industry, the SmartGrid folks, and their regulatory colleagues are talking about to themselves.  Oh, it’s a Fun Time for those addicted to meetings.

The Rush to be Second:  Nobody questions the need to bring attribute assertions and attribute management into play to further e-services and e-commerce.  Nobody who’s part of the discussion pileup questions the ROI for deploying authentication and attribute management services, but the business operators who run those services, both in the private sector and in the government sector, are generally less than enthusiastic.  Why, even when a positive ROI can be demonstrated?  First of all, most (not all) of the business operators don’t believe the analyses.  They see two things only: first, the burden of jumping into the unknown and changing business processes with the usual attendant risks  including substantial upfront costs; second, this stuff is pretty arcane to the average business operator, especially one who’s still struggling to understand online risk assessments and risk mitigation, identity management and electronic authentication.  That said, these folks are generally willing to be third in line to adopt, so long as they can see at least two comparably-sized implementations, sniff them, examine their books and get the nod from senior management.

Silly Season…Again: This is where federal agencies can have the most impact, as what the National Strategy calls “early adopters.”  A few are out there, but it isn’t more than a handful, and some of those are huddled in a self-made silo.  Mostly, agencies are ignoring Office of Management and Budget direction and hoarding their cash against possible Congressional sequestration in January.  Agency managers are also waiting to see what the outcome of the November elections will be before doing anything more than keeping the motors idling.  For those not familiar with the  Washington, DC, climate, this is the Season of Paralysis.  It happens every four years about this time, which by itself is a good reason why the private sector needs to offer up “early adopters” instead of waiting for government.

That said, some important government initiatives in this space continue to make themselves felt.  More about some of this next time.

Six Questions to Ask Before Investing in a Digital Identity or Digital Signature Solution

November 9, 2011


Mollie Shields-Uehling

Mollie Shields-Uehling, President & CEO,
SAFE-BioPharma Association

By Mollie Shields-Uehling, President & CEO,
SAFE-BioPharma Association

Some people say that the answer to life is in the nature of the questions we ask. I believe the same is true when it comes to making good business decisions.

In a world that is going digital faster than it knows how to control the technology and its endless uses, asking the right questions can help avoid the kinds of decisions that deliver less than optimal results.

This is especially true when selecting digital identity and signature solutions.

We need to inquire about regulatory acceptance and the ability for a digital identity to be used in the world at large – not merely within the confined space of an individual company or the closed world of a slightly larger community.

The reality is that each of us and our respective employers exists in an ever-expanding cyber-community of other companies, government agencies, academia, CROs, etc. We need to be able to exchange and sign electronic information securely, seamlessly, and with full knowledge that the identity on the other end of the screen is truly who he or she asserts to be.

Digital identities and digital signing solutions that are compliant with the SAFE-BioPharma digital identity and digital signature standard provide distinct advantages over other commercially available digital signature solutions.

When evaluating any digital identity or digital signature solution, ask these questions. The answers will help determine if you’re about to get full value for this important decision

1.   Does it allow a single identity credential to replace multiple credentials (and user names and passwords)?

Many solutions will add yet another user name and password to the multitude of user name and password combinations that executives, clinicians and others are burdened with across the globe. The option is a universal credential that can be used in any context. Think of it as the universal remote control that replaces the ones for the TV, the DVD, radio, etc., etc. Credentials compliant with the SAFE-BioPharma standard are becoming universal. One highly secure and totally versatile SAFE-BioPharma credential allows every user to clean out his or her cluttered credential closet.

2. Is it interoperable with digital identity credentials used by other organizations, including FDA, NIH, EMA, etc?

Identity credentials based on the SAFE-BioPharma standard are interoperable with US government regulatory and other agencies and with other organizations across the life sciences and other industries. That means that the credentials are trusted by an ever-expanding global trust community incorporating both public and private sectors.

If the credential is not interoperable, a) its use will be limited in its ability to authenticate the identities of external collaborators, such as clinicians accessing clinical portals, and b)it also will be limited in its ability to apply legally binding signatures.

3. Is it linked to an actual, vetted individual identity?

Many identity credentials are issued in a manner that does not tie the user’s identity to the credential. Among the disadvantages is that you don’t really know if the identity is valid – a problem when dealing with legal and regulatory compliance. A digital identity based on the SAFE-BioPharma standard is tightly bound to the closely examined identity of the individual to whom the digital credential is assigned.  This procedure and the legal agreements the individual signs provide the ability to manage who can have access to what.

If the credential is not tightly bound to the user’s identity it cannot be used to manage access to portals, health and other confidential records, physical facilities, etc.

4. Is it legally-binding and non-repudiable?

Identity credentials based on the SAFE-BioPharma standard allow the user to apply legally binding digital signatures to a wide variety of electronic documents including laboratory notebooks, submissions, contracts, forms, etc.

Signature solutions not based on the SAFE-BioPharma standard may allow electronic signatures to be applied by someone other than its authorized user. The signature will not be non-repudiable (a unique consideration that prevents a signatory from denying a signature was applied).

5. Does it have widespread regulatory compliance?

Many digital identity and digital signature solutions are not. The SAFE-BioPharma standard is 21 CFR Part 11 compliant. It was developed with participation from the US Food and Drug Administration and the European Medicines Agency. The SAFE-BioPharma privacy policy is compliant with the US Department of Commerce and EU Safe Harbor requirements for protection of personal data.

6. Is it DEA compliant?

Digital signatures based on the SAFE-BioPharma standard have been cited by the US Drug Enforcement Agency as acceptable for applying electronic signatures to ePrescriptions for controlled substances. This capability is critically important for the rapidly changing world of ePrescribing.

Most of the world’s most successful biopharmaceutical companies have asked the right questions about their choice of digital identity and digital signature solutions. They have concluded that compliancy with the SAFE-BioPharma standard is the most important answer.

Reprinted with permission from Pharma IQ, a division of IQPC 2011 All rights reserved.

Nobody Knows You’re a Dog

October 27, 2011

By Mollie Shields-Uehling, President & CEO,
SAFE-BioPharma Association

A few years ago, The New Yorker magazine published a cartoon of two dogs sitting in front of a computer monitor. One was explaining to the other: “On the Internet, nobody knows you’re a dog.”

Given the regulated nature of the global biopharmaceutical industry, the explosion in global collaboration, and our reliance on the Internet, it is absolutely essential that we know and trust the identity of people on the other side of the screen.

Basically, faith in electronic processes is a function of trusting identities of people we don’t know – a serious complication in the regulated, highly collaborative, global biopharmaceutical industry. 

Additionally,  to make our dealings truly electronic – and to eliminate the excessive cost and time associated with handling, shipping, storing and accessing paper documents –  the people who possess those identities need a way to sign electronic documents in a manner that can be trusted and that will stand up to legal review.

Several years ago, a group of IT visionaries from the world’s largest biopharmaceutical companies foresaw these needs.  They reasoned that a standardized way to establish digital identities and to apply digital signatures to electronic documents would discourage development of a patchwork of costly systems unable to communicate with each other. They also reasoned that if the standard were interoperable with similar systems used by government agencies and in other industries, it would facilitate collaboration and ease communications with global regulatory agencies.

The result of this pan-industry effort – including cooperation from the US Food and Drug Administration and the European Medicines Agency.– is the SAFE-BioPharma digital standard, designed specifically for the life sciences to mitigate the risks inherent in electronic transactions.

The group also created a non-profit organization – SAFE-BioPharma Association — to manage the standard’s development. The association’s vision is to help catalyze the transformation of the biopharmaceutical and healthcare communities to a fully electronic business environment by 2015, and in the six years it has been functioning, it has progressed steadily toward that goal.

While the technology behind the standard is complex, the way it is used is quite simple – increasingly in the form of a password in some combination with software in the cloud and an existing device such as a cellphone.

Part of the standard’s unique characteristic is that it provides each user with a digital identity that is closely linked to that user’s carefully vetted, actual identity. This allows the individual to be identified every time a signature is applied to an electronic document. The result, unlike common electronic signatures, is a signed document that is legally-binding and non-repudiable.

No canines pretending to be something they aren’t.

Among numerous other unique aspects of the standard is that it meets the EU Advanced Electronic Signature Directive. Documents and transactions shared with external parties in Europe or within the US federal government need the strength of a digital signature that is tightly bound to the identity of the signer. Because of this requirement, SAFE-BioPharma digital signatures are the only solution for European submissions.

Separately, but of equal importance, SAFE-BioPharma is the only solution cited by the US DEA as suitable for electronically signing prescriptions for controlled substances. The signatures also are compliant with (US) HIPAA regulations

The standard is used for a broad range of applications by large and small biopharmaceutical companies. Among the most common are signing electronic laboratory notebooks, contracts, and a spectrum of regulatory submissions.

But the application that currently is attracting the greatest interest is clinical trial management. It makes a lot of sense, given the global expansion of clinical development, the need to track many participants in many sites, and use of the Web as an alternative to relying on hard copies and moving them around using FedEx, DHL and fax.

This relevance is being demonstrated in an ongoing pilot program involving scientists in the National Cancer Institute (the world’s largest sponsor of cancer treatment clinical trials) and scientists in Bristol-Myers Squibb and sanofi-aventis.

The numerous documents associated with the start up process have been placed in the cloud where the scientists are able to access, amend and sign them using their interoperable digital identities. The industry scientists use SAFE-BioPharma digital identities, and the NCI scientists use their U.S. government-issued digital identities.

Because the two types of digital identities are interoperable (an identity asserted by SAFE-BioPharma will be trusted by US federal agencies, among other inter-connected cyber communities), the scientists have been able to greatly reduce the time and costs associated with starting a clinical trial.

Many who have reviewed the pilot feel it is an important milestone in the use of secure cloud computing to streamline the future of the clinical trial process. They see how interoperable digital identities allow sponsors and CROs  to transition safely and easily to fully electronic processes in efficient and cost-effective on-line collaborations with vendors, suppliers and regulatory agencies.

SAFE-BioPharma is a standard with widespread buy-in. Many biopharma lawyers, researchers, and managers rely on it. Many are in the process of learning about the benefits. In the United States digital identity credentials compliant with the SAFE-BioPharma standard soon will be in use by hundreds of thousands of clinical investigators and other practicing physicians.

The minds that created SAFE-BioPharma developed a digital identity and digital signature standard that would improve operations wherever it was put to work. That has been demonstrated repeatedly.

Even those two dogs in front of the computer screen would consider the SAFE-BioPharma standard to be best of class.

In future columns, I’ll explain new ways the biopharmaceutical industry is using the SAFE-BioPharma standard to improve efficiencies and reduce costs.

Reprinted with permission from Pharma IQ, a division of IQPC 2011 All rights reserved.

From Mesopotamia to Cyberspace

February 21, 2011

By Mollie Shields-Uehling, President & CEO,
SAFE-BioPharma Association

Cylinder seals used in Mesopotamia are one of the earliest known forms of authenticating identity. Dating to 3000 BC, cylinder seals were used to make documents legally binding and to assure the owner’s identity. They were hand engraved, and, when rolled on wet clay, left a unique and often elegant picture. Each imprint was associated with an individual and became a sign of trust. Collections of these tiny works of art can be seen in New York’s Morgan Library, the British Museum and the Louvre.

Authentication has taken a new meaning in our cyber-centric business culture – especially in regulated industries like biopharmaceuticals and healthcare.

To benefit from our new web-based interconnectivity, we must know – beyond doubt – the identities of each and every person with whom we’re conducting business.

That’s where the SAFE-BioPharma digital identity standard plays its critical role.  The standard requires each digital identity to be closely linked to the user’s proven identity. That information is used in a digital credential — a form of software installed on a computer, cell phone or other device. The digital credential asserts the user’s identity and can be used to apply digital signatures to electronic documents

These are not simple electronic signatures. SAFE-BioPharma digital signatures cryptographically guarantee the integrity of every bit of information contained in the document.

The identities also are interoperable, meaning that they can be trusted by people in governments, in other companies and in other industries.

This combination of factors – trust, interoperability and the ability to sign electronic documents in a legally-binding way – has made identity credentials based on the SAFE-BioPharma standard critical where used.

But use of these digital credentials needs to expand for the biopharmaceutical and healthcare communities to realize greater time and cost savings.

The clinical trial start-up process is one of many areas that can benefit. To prove the point, SAFE-BioPharma member company, Bristol-Myers Squibb (BMS) and the National Cancer Institute’s Cancer Therapy Evaluation Program (NCI/CTEP).are well along in a pilot study demonstrating the elimination of paper forms and letters used when initiating clinical trials.

NCI/CTEP is the world’s largest sponsor of cancer treatment clinical trials. In 2010, it generated documents comprising almost 100,000 pages to develop and correspond in its clinical trials.

While the unit does not track the time involved in scanning, organizing and sending these paper documents to the FDA, it reports that it is extremely labor intensive.

The pilot study was started in July, 2010 to demonstrate the ability of both public and private sectors to sign and exchange documents digitally in the cloud, thus eliminating any need for wet signatures and, therefore, any need for paper.

BMS researchers used their SAFE-BioPharma digital identity credentials. NCI researchers used digital identity credentials issued by the federal government. Both types of credential are interoperable.

There were dramatic time savings for all document flows that require multiple signatures or signatures from signatories working off-site. There were no lost or misplaced documents. Because cloud-based digital signatures were used, there was an audit trail of when the document was uploaded, of the email that was sent to alert the signatory that the document is available for signature, and when the document was actually signed.

By eliminating paper-reliance, BMS and NCI saw the possibility of reducing environmental impact associated with use of paper and ink, document shipment, storage and retrieval.

What is the future bottom line of this improved business process flow? NCI and its collaborators can speed up research and be more responsive to public health needs.

Recently, researchers from sanofi-aventis, another SAFE-BioPharma member, joined the pilot and are signing and exchanging electronic documents with NCI, using their SAFE-BioPharma digital credentials. Before long, researchers at several university-based cancer centers will participate, as well.

Just consider what this will mean when lessons from this study migrate to other companies and to the CRO community.

We’ve come a long way since the days of authenticating identity with cylinder seals and wet clay. Today, interoperable digital credentials allow electronic documents to be signed anywhere there’s an Internet connection and to be exchanged with trust.

Finally we can become paperless.  Come to think of it, the Mesopotamians didn’t use paper either. Paper wasn’t invented until 105 AD.

%d bloggers like this: