SAFE is a biopharmaceutical industry initiative to standardize credentials for drug discovery. It could save the industry billions.
Rick Yborra doesn't like paper. Unfortunately for the senior director of global shared services for Bristol-Myers Squibb, the pharmaceutical industry's drug-approval process is besieged by it.
The effort to bring a drug to market takes 10 to 12 years of rigorous testing at a cost of $1.1 billion, just to earn Food and Drug Administration approval. Forty percent of that cost is attributed to the submission, management and archiving of the 6.5 million pages of data generated during the process. Cutting down the paperwork can save time and resources in a research process that costs an estimated $1 million a day.
"Creating the initial paper documents, then having them scanned in and out of electronic systems, creates an enormous amount of friction and waste in the system," Yborra says. "If you could review and sign these documents online, and if they would meet regulatory muster, the cost savings would be tremendous."
In an effort to rid itself of all that waste, the biopharmaceutical industry has turned to a security technology that many had declared a market failure: PKI.
A SAFE Alternative?
Many of the vendors marketing PKI solutions failed following the dot-com bust. And as the economy weakened, corporate belt-tightening didn't
Today, more business applications have integrated the ability to accept digital signatures; new standards have made legally enforceable digital signatures a reality; and organizations are building the processes needed to trust third-party issued digital credentials. "PKI is ready to go mainstream, especially for high-value applications," Lindstrom says.
Few industries have higher-value applications than the $100-billion-a-year biopharmaceutical industry. If it succeeds across the board in leveraging PKI to provide standardized digital signatures for authentication and access control, it could prove to be one of the strongest returns on investment ever for a security technology: centralizing the issuance of electronic credentials could save $300 million a year. And, over the 10 to 12 years it typically takes to bring a drug to market, this means $3 billion in savings. The SAFE (Secure Access For Everyone) initiative promises to streamline this paper-intensive process.
The product of a coalition of leading pharmaceutical companies, such as AstraZeneca, Bristol-Myers Squibb, GlaxoSmithKline, Johnson & Johnson, Merck, Pfizer, Procter & Gamble and Sanofi-Aventis Group, SAFE is standardizing electronic identity credentials and providing regulatory-compliant digital signatures for researchers that would be recognized by business partners and the FDA. "That's the underlying business case. Why can't we, as an industry, come up with a trusted credentialing scheme so that there's no competitive advantage?" asks Gary Secrest, SAFE chairman and director of worldwide information security at Johnson & Johnson. "Everybody wants out of the paper process."
SAFE stands to be a success story that the PKI market can leverage: one standard, recognized signature per researcher could slash billions off the cost of drug discovery. To ensure global regulatory compliance for its standardized credentials, the group works closely with government agencies, including the FDA, European Medicines Agency and European Federation of Pharmaceutical Manufacturers Association.
In spring 2004, the SAFE Baseline Version 1.0 was published. The standard is a set of policies, guidelines, technical specifications and the legal infrastructure necessary for companies to adopt legally enforceable digital signatures.
"These credentials bring automation, accountability, user provisioning and the ability to interoperate," says Pamela Fusco, chief security officer for Merck.
One Credential, 750,000 Researchers
In drug discovery, each biopharmaceutical company relies on contracted research organizations (CROs) to investigate and test medicines. Each CRO employee needs separate credentials from every pharmaceutical company he works with, and it's not uncommon for a new drug's documentation to collect one million signatures as it goes through clinical trials. With SAFE's PKI proposal, each researcher will need only one credential.
Guy Tallent, program director for SAFE, estimates that 750,000 primary research investigators and support staff around the globe could use the new credential. With its standard mostly established, the group this year formed the nonprofit SAFE-BioPharma LLC to establish and manage the rules for the provisioning and management of digital credentials used to access and sign clinical research records between the biopharmaceutical industry and government regulators around the world.
It's funded by annual member fees that cover the cost of issuing and managing the credentials. But SAFE-BioPharma doesn't issue the digital credentials itself; rather, it contracts other companies for the authentication and issuance of digital credentials. CyberTrust, Royal Bank of Scotland and Wells Fargo have already signed on. The idea is that, with the same policies, procedures and standards in place, any member of the SAFE network can trust the digital credentials of other members.
For example, credentials issued by the Royal Bank of Scotland and managed by its Trust-Assured PKI services can be used and trusted by any SAFE members. The SAFE initiative is also working closely with Identrus, whose identity credentials are used by more than 50 financial services companies in 160 countries. SAFE and Identrus will cross-license their intellectual property, such as technical and business specifications, surrounding electronic identities and digital signatures.
As part of this collaboration, Identrus will also market SAFE credentials outside the biopharmaceutical industry. To various degrees, pharmaceutical companies such as GlaxoSmithKline, Merck and Pfizer have begun to implement the SAFE standard. Pfizer is using the standard to streamline credentialing costs and to link each of its credentials to a smart card. The company estimates that it spends more than $10 million annually to reset the passwords of its 200,000 employees and contractors, and believes that deploying smart cards for access control and digital signatures will make logons and electronic signing easier and will cut costs.
GlaxoSmithKline has leveraged the standard to provide clinical investigators a way to securely exchange research data during trials. As a result of its initial success, the company now plans to further utilize SAFE initiatives to deploy identity badges and improve its electronic business processes. These successes will go a long way to further the cause. To authenticate users, the SAFE standard requires two-factor authentication, such as a smart card or a USB token. As the standard gets implemented within the industry, medical researchers will need only one smart card or token to access other companies in the SAFE community. "It will start to feel like a single sign-on environment," says Bristol-Myers Squibb's Yborra.
[Sidebar: Credentialing Researchers: Drug-to-Market Process. The drug-discovery process is inefficient and paper-laden. The SAFE initiative hopes to digitize electronic signatures to shave years and millions of dollars off the cost of bringing a drug to market. Panels "From the lab to the pharmacy" and "What SAFE Baseline Version 1.0 standard can do" are not reproduced here.]
Pilots Take Off
The SAFE standard will make it possible for the industry to comply with 21 CFR Part 11, an FDA regulation that governs electronic record-keeping and signatures.
Small-scale pilot projects using the standard are underway, says SAFE's Tallent; he believes widespread adoption of the standard will begin next year.
SAFE digital signatures have already simplified life for Robert J. Morgan Jr., staff physician in the department of medical oncology and therapeutics research at City of Hope Medical Center in Duarte, Calif. The center has more than 300 doctors and scientists and more than 2,500 employees studying cures for cancer, HIV/AIDS and other life-threatening diseases.
The City of Hope began using SAFE credentials several months ago to file electronic documents for National Cancer Institute programs and other paperwork-intensive clinical research. "It's just as easy, if not easier, for me to use this system than to use paper. And it saves our staff an enormous amount of time preparing paperwork," he says.
To access the system, Morgan inserts his smart card and enters his username and password. To sign electronic medical documents, he clicks where his signature would have been required in the past; each time he electronically signs a document, his smart card must be in the reader and he must reenter his password.
"There's absolutely no paper involved," Morgan says.
Soon, Bristol-Myers Squibb will roll out an authentication and digital signature pilot based on SAFE by distributing CyberTrust smart cards to about 20 researchers and support staff at one of its CROs. These users will be able to access Bristol-Myers' research applications externally to view and update data. To gain access, users will be prompted to swipe their smart card and enter their PIN. Once authenticated, they'll be connected through a VPN.
"It sounds simple," Bristol-Myers's Yborra says. "Everything always looks good on paper, but the purpose of a pilot is to make sure the technology is there and the business process works."
Yborra believes that PKI technology has been proven for years, but nailing the business process is the biggest challenge. In these types of implementations, that means deciding what actually needs to be signed as part of the approval and regulatory process.
"We pick up the pen and sign many things that don't legally need to be signed. It's more just a check of approval," he says. That may not be a big deal in the world of paper, but tooling business technology systems and documents to accept digital signatures takes a lot of IT effort. Yborra likens it to users logged into an ERP system. "Sometimes in the process all you need is to check something off, based on your user name and password. Sometimes you need to bind a signature to an electronic document for five, 10 or 20 years. Those are the ones we're looking for." And each paper signature the biopharmaceutical industry can find and digitize could slash the cost of drug development by billions. "That's a lot of trees that could be saved," says Yborra.
This was first published in July 2005