This article can also be found in the Premium Editorial Download "Information Security magazine: Betting the house on network anomaly detection systems."
SAFE is a biopharmaceutical industry initiative to standardize credentials for drug discovery. It could save the industry billions.
Rick Yborra doesn't like paper. Unfortunately for the senior director of global shared services for Bristol-Myers Squibb, the pharmaceutical industry's drug-approval process is besieged by it.
The effort to bring a drug to market takes 10 to 12 years of rigorous testing at a cost of $1.1 billion — just to earn Food and Drug Administration approval. Forty percent of that cost is attributed to the submission, management and archiving of the 6.5 million pages of data generated during the process. Cutting down the paperwork can save time and resources in the research process — at the estimated price of $1 million a day.
"Creating the initial paper documents, then having them scanned in and out of electronic systems, creates an enormous amount of friction and waste in the system," Yborra says. "If you could review and sign these documents online, and if they would meet regulatory muster, the cost savings would be tremendous."
In an effort to rid itself of all that waste, the biopharmaceutical industry has turned to a security technology that many had declared a market failure: PKI.
A SAFE Alternative?
Many of the vendors marketing PKI solutions failed following the dot-com bust. And as the economy weakened, corporate belt-tightening didn't
Today, more business applications have integrated the ability to accept digital signatures; new standards have made legally enforceable digital signatures a reality; and organizations are building the processes needed to trust third-party issued digital credentials. "PKI is ready to go mainstream, especially for high-value applications," Lindstrom says.
Few industries have higher-value applications than the $100-billion-a-year biopharmaceutical industry. If it succeeds across the board in leveraging PKI to provide standardized digital signatures for authentication and access control, it could prove to be one of the strongest returns on investment ever for a security technology — centralizing the issuance of electronic credentials could save $300 million a year. And, over the 10 to 12 years it typically takes to bring a drug to market, this means $3 billion in savings. The SAFE (Secure Access For Everyone) initiative promises to streamline this paper-intensive process.
The product of a coalition of leading pharmaceutical companies, such as AstraZeneca, Bristol-Myers Squibb, GlaxoSmithKline, Johnson & Johnson, Merck, Pfizer, Procter & Gamble and Sanofi-Aventis Group, SAFE is standardizing electronic identity credentials and providing regulatory-compliant digital signatures for researchers that would be recognized by business partners and the FDA. "That's the underlying business case. Why can't we, as an industry, come up with a trusted credentialing scheme so that there's no competitive advantage?" asks Gary Secrest, SAFE chairman and director of worldwide information security at Johnson & Johnson. "Everybody wants out of the paper process."
SAFE stands to be a success story that the PKI market can leverage — one standard, recognized signature per researcher could slash billions off the cost of drug discovery. To ensure global regulatory compliance for its standardized credentials, the group works closely with government agencies, including the FDA, European Medicines Agency and European Federation of Pharmaceutical Manufacturers Association.
In spring 2004, the SAFE Baseline Version 1.0 was published. The standard is a set of policies, guidelines, technical specifications and the legal infrastructure necessary for companies to adopt legally enforceable digital signatures.
"These credentials bring automation, accountability, user provisioning and the ability to interoperate," says Pamela Fusco, chief security officer for Merck.
One Credential, 750,000 Researchers
In drug discovery, each biopharmaceutical company relies on contracted research organizations (CROs) to investigate and test medicines. Each CRO employee needs separate credentials from every pharmaceutical company he works with, and it's not uncommon for a new drug's documentation to collect one million signatures as it goes through clinical trials. With SAFE's PKI proposal, each researcher will need only one credential.
Guy Tallent, program director for SAFE, estimates that 750,000 primary research investigators and support staff around the globe could use the new credential. With its standard mostly established, the group this year formed the nonprofit SAFE-BioPharma LLC to establish and manage the rules for the provisioning and management of digital credentials used to access and sign clinical research records between the biopharmaceutical industry and government regulators around the world.
It's funded by annual member fees that cover the cost of issuing and managing the credentials. But, SAFE-BioPharma doesn't issue the digital credentials itself; rather, it contracts other companies for the authentication and issuance of digital credentials. CyberTrust, Royal Bank of Scotland and Wells Fargo have already signed on. The idea is that, with the same policies, procedures and standards in place, any member of the SAFE network can trust the digital credentials of other members.
For example, credentials issued by the Royal Bank of Scotland and managed by its Trust-Assured PKI services can be used and trusted by any SAFE members. The SAFE initiative is also working closely with Identrus, whose identity credentials are used by more than 50 financial services companies in 160 countries. SAFE and Identrus will cross-license their intellectual property, such as technical and business specifications, surrounding electronic identities and digital signatures.
As part of this collaboration, Identrus will also market SAFE credentials outside the biopharmaceutical industry.
To various degrees, pharmaceutical companies such as GlaxoSmithKline, Merck and Pfizer have begun to implement the SAFE standard. Pfizer is using the standard to streamline credentialing costs and to link each of its credentials to a smart card. The company estimates that it spends more than $10 million annually to reset the passwords of its 200,000 employees and contractors, and believes that deploying smart cards for access control and digital signatures will make logons and electronic signing easier and will cut costs.
GlaxoSmithKline has leveraged the standard to provide clinical investigators a way to securely exchange research data during trials. As a result of its initial success, the company now plans to further utilize SAFE initiatives to deploy identity badges and improve its electronic business processes. These successes will go a long way to further the cause.
To authenticate users, the SAFE standard requires two-factor authentication, such as a smart card or a USB token. As the standard gets implemented within the industry, medical researchers will need only one smart card or token to access other companies in the SAFE community. "It will start to feel like a single sign-on environment," says Bristol-Myers Squibb's Yborra.
This was first published in July 2005