The Value of Digital Signatures in E-clinical Applications

The word "signature" carries great trans-cultural and historic weight. Their significance can be traced back centuries, and their role as authentication devices and safeguards against false repudiation have served as building blocks for civilization.

(PHOTOGRAPHY: EYEWIRE ILLUSTRATION: PAUL A. BELCI)

It's not surprising then that transitioning from analog to digital signatures has generated some anxiety and confusion. Digital signatures are an essential element of e-clinical deployments. Yet integration of digital signature technology is lagging, especially in small-to-medium sized operations, including CROs.

This article reviews the value of deploying digital signatures as part of an overall e-clinical strategy; looks at the challenges of deploying Public Key Infrastructure (PKI)-based digital signatures (which have kept this mostly in the provence of large pharma companies); outlines the technological developments that now make it easier for small- and medium-sized organizations to take advantage of the security and conveniences PKI-based digital signatures provide; and offers guidelines to use when considering a PKI-based solution.

Figure 1. An overview of capabilities and costs of three different PKI technologies.

The need for digital

Systems and processes involved in CRO operations generate a tremendous amount of paperwork. These paper processes can result in liability concerns and difficulty in controlling and monitoring changes, updates, and approvals. By implementing digital signatures into their systems, pharmaceutical organizations can benefit from a convenient method of monitoring changes. Also, authorizations and updates have a clear electronic audit trail.

In the United States, the importance of secure digital signatures was underscored by:

• The U.S. FDA's 21 CFR Part 11 Electronic Records; Electronic Signatures, Final Rule¹

• The FDA's Guidance for Industry, Part 11, Electronic Records; Electronic Signatures, Scope and Application²

• The U.S. E-Sign Bill.³

The European Union has provided guidance for digital signatures for member countries with its EU Directive 99/93/EC on Electronic Signatures.⁴

In order to migrate to more efficient electronic systems, pharmaceutical organizations must comply with 21 CFR Part 11 specific requirements, which mandate that companies implement:

• A system in which electronic records and signatures are trustworthy, reliable, and secure

• Electronic signatures that are equivalent to paper records and handwritten signatures executed on paper

• Signatures that offer integrity as well as ensure that the signer cannot readily repudiate the signed records

• A system that discerns invalid or altered records

• Signatures that are linked to an electronic record.

The EU Directive defines a stronger type of electronic signature than specified in CFR Part 11 or the U.S. E-Sign Bill. While the EU Directive is technology-neutral, PKI-based digital signatures meet the requirements particularly well. This is good, as PKI technology provides CROs and other organizations with strong user authentication and protects the integrity of the data signed, thus ensuring nonrepudiation of the transaction by the signer.

Advantages of PKI-based solutions

Strong signatures are critical to the success of an e-clinical solution, yet confusion over the technology involved in implementing digital signatures can lead to compromises. This is especially true in the United States, where a strong PKI-based digital signature or other certificate-based system or technology for ensuring authentication are sometimes confused with a less strong alternative, often referred to as an electronic signature. In Europe such confusion is not a problem because EU Directive 99/93/EC essentially requires PKI technology.

PKI implementations typically include authentication technology as well as digital signature technology. There are lots of options available to properly authenticate users in order to allow them to apply their digital signature; 21 CFR Part 11 allows simple two form authentication, such as username and password, but other forms of authentication could include biometrics or advanced two factor methods such as one-time password systems.

Regardless of the technology used to ensure authentication, it is important to mark the difference between a proprietary electronic signature and a standards-based digital signature. Though the terms are often used interchangeably, there is a big difference. Although both electronic signatures and digital signatures can provide 21 CFR Part 11 compliance, only digital signatures can provide the additional benefits of cryptographic safeguards, reduced costs, increased collaborations, and electronic submission capabilities.

Electronic signatures can be a representation of a person in the form of a digitized image of their handwritten signature, symbol, voiceprint or other unique identifier. An electronic signature is typically attached to an electronic document or transaction. However, they generally lack cryptographic safeguards, making them fairly easy to copy, tamper with or forge.

Digital signatures (sometimes referred to as advanced or secure electronic signatures) are created using a cryptographic operation. The technology behind digital signatures is an industry standard, PKI, which helps guarantee data integrity and nonrepudiation of transactions. The digital signature cannot be copied, tampered with or forged. And because digital signatures are based on standards, they create electronically signed documents that are truly portable. Users can sign and verify documents or records anywhere, without the need for proprietary or legacy hardware/software.

Regular readers of Applied Clinical Trials may be familiar with the basics of PKI, as it has been written about previously, including in Paul Bleicher's excellent overview: "Public Key Infrastructure: The Beginning of a Beautiful Friendship?"⁵

Challenges of deployment

PKI, also known as asymmetric cryptography, provides each user with a key-pair: a private key and a public key used in every signature. The private key, as the name implies, is kept private and stored securely. The private key is used for signing, thereby adding a "fingerprint" to the document. The public key, on the other hand, is made available to other people who use it for validating the sender's electronic signature.

Because each user in a PKI environment must have a pair of keys for signing and validating information, a method for storing the keys is required to keep private keys safe. Usually, key storage solutions are divided into two categories: a hardware medium and a software medium. Hardware devices, often called hardware tokens, store the keys on either smart cards or USB tokens. When using a software medium, keys are stored in encrypted files on the user's desktop (or laptop). These encrypted files are often referred to as soft tokens.

Though the concept is simple, many companies have found that both soft tokens and hardware tokens have been very difficult to manage from both a technical and an operational standpoint. People tend to lose and forget their hardware tokens, creating lots of administrative problems (e.g., keys and certificates need to be re-issued in cases of loss, and temporary keys and certificates must be issued when users forget their hardware token at home). The result: Organization help desks are overloaded. IT personnel are needed to handle the management and distribution of keys and certificates continuously, resulting in an increase in the number of employees in the IT department or a loss of time and efficiency.

For most organizations, soft tokens are not a suitable solution. In an organization where workers tend to be mobile and switch locations and computers, soft tokens are problematic since there is no easy way of moving them from one computer to another. Moreover, computers can crash, resulting in data loss, including the software token. There is no simple way for preventing the loss of soft tokens in such situations.

Deployment and administration is complicated because of the need to integrate and support the multiple components. These include the certificate authority, key storage systems, the software for managing and enrolling users, and of course the components necessary for signing real-life applications (workflow applications, enterprise resource planning, mail, and a range of other applications). Integration of all the components is complex and hard to maintain on an ongoing basis.

Until recently, there have been very few standard interface options between the different components—even when implementing these interfaces, each vendor defines their own variation of the interface. This has created a long and expensive integration process, where costs are rolled over to the end user, resulting in a high cost of ownership for the project.

Integration of the electronic signature infrastructure with applications is complex and usually involves development with low-level cryptographic application programming interfaces. Although the technology is maturing and vendors are complying with standards more than ever, the only way to interact with tokens (hardware or software) and with the certificate authority is through these low-level cryptographic interfaces that require indepth knowledge of PKI technology.

Easier PKI solutions

Fortunately, new solutions are being developed that enable companies to deploy PKI-based digital signature solutions without the burden of having to deploy traditional PKI infrastructure. This means that PKI-based solutions that, from a pragmatic standpoint, had been limited to pharmaceutical companies and other large organizations can now be deployed by small-to-midsized operations such as CROs.

Sometimes referred to as "PKI in a box" or "plug-and-play," these solutions use a tamper-proof hardware appliance for centralized key generation, storage, and signing operations. They also use software components for integration with various third-party applications, such as Microsoft Office, Adobe Acrobat, TIFF images, content management systems, and operating system directories. The ability to deploy PKI-based digital signature solutions on a plug-and-play basis will greatly reduce deployment and maintenance costs. And this should, in turn, significantly accelerate the pace of e-clinical adoption.

Evaluation guidelines

What follows is a list of evaluation guidelines to use when shopping for a plug-and-play PKI-based digital signature solution. These are critical make or break factors for ensuring smooth implementation, management, and use of PKI-based systems. Basically, you want your solution to offer:

Sealed documents. Make sure the solution is based on standard PKI technology, which seals documents to prevent changes. Make sure self-signed certificates are not used, as they can enhance the potential for repudiation problems.

Multiple application support. Make sure applications and file types intended for signature are supported by the solution.

Graphical signatures. Many solutions lack graphical signature support, which is required by CFR Part 11. Graphical signatures also have a psychological impact: The signer is reassured they signed the record and that it is legally compliant.

Multiple signatures. A digital signature solution should support multiple signings on the same document, whether it is in Word or even Excel—in Excel, different users may be asked to sign different cells within the same spreadsheet.

Zero IT management. To ensure ease of use and keep costs low, make sure the PKI-based solution is operational the moment it's hooked up to the network and that it does not require any special administrative maintenance.

Compliance. Pharmaceutical organizations need to ensure that the solution meets regulatory requirements, such as FDA CFR Part 11 or EU Directive 99/93/EC.

Transportability. The digital signature must be transportable within the signed document. In other words, your documents should be able to be validated by an outside user without them having to install a third-party application.

Seamless user registration. The implementation of a digital signature solution should be as transparent as possible so that staff can start signing immediately upon deployment, without having to start a wizard in order to enroll or call on the IT department. The system should also be able to update a user profile in case of name changes, such as after marriage.

Simple to use. Choose a system that is easy to use, ideally one that requires zero IT involvement after deployment. A good way to test this: It should take just a single click to ensure your document is sealed and legally compliant.

Total cost of ownership. Always consider total cost of ownership—look at initial cost, deployment, administration, help desk, and other recurring expenses. The goal is to find a solution that is inexpensive to deploy and does not incur ongoing IT administration, help desk or other ongoing expenses.

Real benefits

In conclusion, PKI-based digital signatures (or equally secure third-party authentication solutions) are a critical element for a complete e-clinical solution. Although deployment and administration of PKI infrastructure has historically been expensive, the advent of plug-and-play PKI-based solutions should accelerate adoption of digital signatures and e-clinical solutions—to the benefit of the pharmaceutical and life sciences industry.

References

1. U.S. Food and Drug Administration, "21 CFR Part 11 Electronic Records; Electronic Signatures, Final Rule," Federal Register, March 20, 1997.

2. U.S. Food and Drug Administration, "Guidance for Industry, Part 11, Electronic Records; Electronic Signatures—Scope and Application," Federal Register, February 4, 2003.

3. U.S. E-Sign Bill (which became active on October 1, 2000), http://www.ftc.gov/os/2001/06/esign7.htm, and the EU Directive 1999/93/EC for Digital Signatures allow for a basic digital signature, europa.eu.int/eur-lex/pri/en/oj/dat/2000/l_013/l_01320000119en00120020.pdf.

4. European Parliament, "Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures" Official Journal L 013, 19/01/2000 pp. 0012–0020.

5. P. Bleicher, "Public Key Infrastructure: The Beginning of a Beautiful Friendship?" Applied Clinical Trials, August 2001.

Gadi Aharoni , PhD, is CEO of ARX Inc., Petach Tikva, Israel. Rodd Schlerf* is life sciences manager for North America, ARX (Algorithmic Research), 341 First Avenue South, Pleasant Hill, CA 94523, (925) 798-0901, email: rschlerf@arx.com

*To whom all correspondence should be addressed.