The Use of EU qualified eSignatures in the BioPharmaceutical Industry

SAFE-BioPharma Association

Rich Furr, Head Global Regulatory Affairs, Policy & Compliance, SAFE-BioPharma
Viky Manaila, Managing Director, Trans Sped SRL

ETSI ESI Workshop, 9 February 2012, Washington, DC



Overview

SAFE-BioPharma Association Introduction

– Why advanced electronic signatures?

Trans Sped

– Technical overview of SAFE-BioPharma credentials


What is SAFE-BioPharma?

SAFE-BioPharma

– A non-profit membership association formed by the world's leading pharmaceutical companies to create and manage the Digital Identity and Signature standard for Life Sciences and Healthcare

– The only industry-designed solution interoperable with NIH, FDA and other US federal agencies, and European Medicines Agency

– The only industry-designed solution with an authenticated identity connection

– The only industry-designed standard that meets advanced e-signature requirements of the EU Directive 1999/93/EC and is compliant with HIPAA and DEA

– Single identity for clinical investigators and clinical workers

– High-level assurance binding identity to a digital signature

– Mitigates risk with B-to-B and B-to-Regulator transactions

– Provides secure, compliant way to verify identities

– Federated identity across Federal Bridge Certification Authority

– Meets DEA requirements – working with leading ePrescribing service


SAFE-BioPharma Pilots & Implementations

Organization: Pilots and Implementations

Abbott: ELNs
Amgen: Global Infrastructure
AstraZeneca: ELN; eSubmissions (US); Investigator Portal; Global infrastructure
BMS: ELNs; Promotional material review (EU); alliances; Indian CRO
EMEA: EudraVigilance; eCTDs, regulatory submissions
GSK: eSubmissions, R&D docs; Global infrastructure; Indian IT support
J&J: eSubs; External partners; Records; CRO contracts
Eli Lilly: eSubmissions
National Notary Association: Digital Notary Signature
Pfizer: ELNs; eSubmissions; contracts/SOWs; investigator portal
Premier: Contracts
Sanofi-Aventis: ELN; eSubmissions; Clinical portal; Legal; pharmacovigilance; finance and purchasing
SNAP Diagnostics: Physician signatures on sleep apnea diagnostic

SAFE-BioPharma Digital Signatures: Enjoy the Benefits

Legal Enforceability. SAFE signatures meet three key legal criteria.

– With authentication, you are sure of the identity of the person who provided the signature.

– With integrity, you are sure the document has not been altered since it was signed.

– With non-repudiation, you are sure that the sender cannot deny signing the document.

Regulatory compliance. The SAFE standard meets or exceeds regulatory guidelines for 21 CFR Part 11 and HIPAA. SAFE designed the standard to meet similar international guidelines, including the Directive 1999/93/EC of the European Parliament and of the Council, and ensures that new versions comply with emerging regulations.

Strong Security. SAFE standard ensures security and data integrity. With two-factor authentication, the standard uses public key infrastructure (PKI) to apply digital signatures to documents and to assure the integrity of their content.

Global. SAFE members are global companies and require a global standard, both for internal and external use.


SAFE-BioPharma and Regulators

EMA and FDA are on publicly announced paths to requiring fully electronic submissions within the next few years

– Both agencies helped write standard

FDA has accepted over 10,000 SAFE-BioPharma signed submissions

EMA accepted eCTD test new drug marketing authorization submissions

– EMA guidance requires advanced electronic signature on submissions

– EMA has funded electronic signature (advanced) project for 2012

FBCA cross-certified


[Figure: FBCA cross-certification diagram. Bridges and roots shown: SAFE Bridge CA, Federal Bridge CA, CertiPath Bridge CA, Fed Common Policy Root CA, CertiPath Common Policy Root CA, DoD Interoperability Root and REBCA, with US federal agencies, shared service providers (SSPs), the State of Illinois, aerospace and defense companies, and pharmaceutical companies attached.]


Simplifying Trust

[Figure: trust diagram with the SAFE-BioPharma Bridge, the US Federal Bridge and the EU Trusted Lists. Labels: J&J, BMS, Sanofi-Aventis, Chosen, CITIGroup, Cybertrust, Identrust, Trans Sped, HHS, FDA, EMEA, UK, France, Germany, Netherlands, Romania, MHRA, AFSSAPS, BfArM, MEB.]


EMEA & Electronic Signatures

Q1 What is the position of EMEA regarding the use of electronic signatures within the eCTD?*

– ‘Advanced electronic signatures’ are currently accepted in the EU as being legally equivalent to handwritten signatures (Directive 1999/93/EC).

– Digital signatures will be accepted by EMEA in the context of the Centralised Procedure provided that they are compliant with the European Electronic Signature Directive (e.g. ‘SAFE’)

– ‘Flattened’ or embedded digital signatures are preferred.

* EMEA IMPLEMENTATION OF ELECTRONIC-ONLY SUBMISSION AND eCTD SUBMISSION: QUESTIONS AND ANSWERS RELATING TO PRACTICAL AND TECHNICAL ASPECTS OF THE IMPLEMENTATION, V0.4, 07-20-08

Trans Sped – about us

Qualified certificates business started in 2004

– Authorized and accredited by Romanian Ministry of IT&C www.mcsi.ro

Managed PKI Solution

– TC TrustCenter – a Symantec company

2 Certification Authorities

– Trans Sped Qualified CA

– Trans Sped SAFE-BioPharma CA

Solutions portfolio

– digital signature and encryption

– strong user authentication and single sign-on

– training courses

Business partners

– TC TrustCenter

– Gemalto, Future Card, Athena


EU Directive 1999/93/EC - Principles

Legal recognition of electronic signatures

– requirements for signature products and services

Technology independent

Free market for products and services

– avoiding prior authorization scheme

– voluntary accreditation scheme for CSPs

No discrimination

– national legislator shall not discriminate electronic signatures coming from other member states

– independent and transparent supervision of CSP

Mutual recognition

Personal data protection

– electronic signatures shall not make data mining easier

– pseudonyms are explicitly permitted


Three types of electronic signatures

1. “electronic signature” – the simplest form

– it serves to identify and authenticate data.

– it can be as simple as signing an e-mail message with a person’s name or using a PIN-code.

2. “advanced electronic signature”

– data integrity and non-repudiation

3. “qualified electronic signature”

– consists of an advanced electronic signature based on a qualified certificate and created by a secure-signature-creation device and needs to comply with the requirements in Annex I, II and III.


1999/93/EC - Legal Effects

Equivalence with handwritten signatures for

– advanced electronic signatures based on

– qualified certificates, created by

– secure signature creation device

Any other general electronic signature admissible as evidence


Advanced electronic signature

Qualified certificate

Secure signature creation device

Handwritten signature

EU Standards on Electronic Signatures

European Electronic Signature Standardisation Initiative (EESSI)

European Telecommunications Standards Institute

Comité Européen de Normalisation

Information Society Standardisation System

EESSI SG

Industry and business, assisted by European standard bodies

ETSI TS 101 862 - Qualified Certificate Profile

Based on the Internet certificate profile RFC 3739 (Qualified Certificates Profile)

– issued to a physical person

4 individual statements for use with the "qCStatements" extension:

– statement claiming that the certificate is issued as a Qualified Certificate;

– statement regarding limits on the value of transactions for which the certificate can be used;

– statement indicating the duration of the retention period during which registration information is archived;

– statement claiming that the private key associated with the public key in the certificate resides within a SSCD.


ETSI TS 101 456 - Policy requirements for CA issuing QC

Defines policy requirements on the operation and management practices of CAs issuing QCs

– registration service

– certificate generation service

– certificate dissemination service

– revocation management service

– revocation status service

– SSCD provision service

2 policy OIDs

– QCP public + SSCD (0.4.0.1456.1.1)

– QCP public (0.4.0.1456.1.2)

Audit standard for CA

– TTP.NL scheme


SAFE Top-Level Architecture


[Figure: SAFE top-level architecture. Labels: Subscriber; SAFE Member; SAFE Issuer; SAFE-BioPharma; Registration and Certificate Management Systems; SAFE Enabled Applications; SAFE Bridge CA; End-User Systems or Machine Systems or CCS; SAFE Certificate; Cross Certificates; OCSP Request and OCSP Response; Signing or Validation Request & Response. Legend: details contained in SAFE CP; details contained in associated Technical Specification.]

CCS Definition

Centralized Credential Server (CCS)

Stores & applies private keys for multiple subscribers on a central credential server, or CCS, based on either a hardware security module (HSM) interfaced to a server, or a software-protected set of private keys in a controlled server environment

Subscribers control use of their credentials from any workstation or location


SAFE-BioPharma implementation: Split-Key CCS with OTP or SMS OTP
Key generation: CCS Hardware
Key storage & use: CCS Hardware
Key exportable?: No (useless without client password)
Key in ‘control’ of user?: Yes (client password is part of split)
Client requirement: Web Browser

Split RSA Key CCS with OTP or SMS

2-factor authentication:

– Something you have: OTP token [OATH OTP device or SMS OTP to cell phone]

– Something you know: memorized secret token [pass phrase]


[Figure: split-key CCS signing flow. Labels: End User (Subscriber); End User PC; Browser; 2-Factor Authentication; Pass Phrase; OATH-compliant OTP device -or- SMS Text OTP to User cell phone; Keyboard Interface / USB Interface; Network / Internet Interface; Secure Session; App Server; SAFE-Enabled Application; CCS; CSP/Private Key Store; Split Key; Document hash; Digital Signature. Annotations: FIPS 140-2 Level 3 Protected; Periodic Scans; Access Controlled & Audited Environment; Up-to-date virus & malware protections; Identity-proof [F2F]; must report compromises.]

CCS & Identity

The credential used to authenticate to the CCS is a FICAM approved NIST 800-63 LOA 3 credential

– Verizon Credential Policy is approved by FICAM under the Kantara Trust Framework

– SAFE-BioPharma also now a certified FICAM Trust Framework Provider

– Verizon planning to also certify under SAFE-BioPharma

The certificate issued is a SAFE-BioPharma medium assurance policy certificate

– SAFE-BioPharma CP requirements mapped to Federal Bridge CP requirements for Medium CBP certificate policy (SAFE-BioPharma cross-certified)


CCS Components for SAFE

SAFE-BioPharma Issuer (Trans Sped)

– Issues SAFE-compliant Medium Assurance digital certificates to Subscribers

CCS Hardware

– Generates Subscriber’s private key

– FIPS 140-2 Level 3 validated hardware module

– Uses a patented 3-key RSA algorithm such that the usual single RSA private key is instead delivered as two separate private keys or two partial credentials

– One credential part stored on CCS and never leaves

– Other credential part recreated on-the-fly using the Subscriber’s pass phrase

– The CCS has no knowledge of Subscriber’s part of credential

– Subscriber has no knowledge of CCS’s part of credential

Provisioned OTP Token

– OTP Device – OATH compliant OTP

– Personal Cell Phone – SMS texting for OTP transmission on log on

– Is a Verizon FICAM approved LOA3 credential

This provides Zero Foot Printing Roaming Certificates
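
The two-part credential described above can be illustrated with a generic additive split of the RSA private exponent. This is an added example, not SAFE-BioPharma, Trans Sped or CCS vendor code, and not the patented 3-key algorithm the slide refers to. Assumptions: a toy modulus, no signature padding, hypothetical function names, constructed sample values, and one part derived from the pass phrase with PBKDF2.

```python
import hashlib

# Toy modulus from two known Mersenne primes (constructed; far too small for real use).
P, Q = 2**61 - 1, 2**89 - 1
N, PHI, E = P * Q, (P - 1) * (Q - 1), 65537

def user_share(pass_phrase, salt):
    """Subscriber's part: recreated on the fly from the pass phrase, never stored."""
    raw = hashlib.pbkdf2_hmac("sha256", pass_phrase.encode(), salt, 100_000, dklen=32)
    return int.from_bytes(raw, "big") % PHI

def enrol(pass_phrase, salt):
    """Return the CCS part so that user part + CCS part = d (mod PHI)."""
    d = pow(E, -1, PHI)  # full private exponent, discarded after enrolment
    return (d - user_share(pass_phrase, salt)) % PHI

def digest_int(document):
    """Document hash as an integer below N (toy encoding, no signature padding)."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % N

def pass_phrase_partial(document, pass_phrase, salt):
    """Partial signature computed with the pass-phrase-derived part."""
    return pow(digest_int(document), user_share(pass_phrase, salt), N)

def ccs_complete(document, partial, ccs_part):
    """Apply the stored CCS part and combine the two partial results."""
    return (partial * pow(digest_int(document), ccs_part, N)) % N

def verify(document, signature):
    """Ordinary RSA verification with the public key (N, E)."""
    return pow(signature, E, N) == digest_int(document)

# Constructed sample values.
SALT, DOC = b"subscriber-0001", b"constructed eCTD cover letter"
```

Neither part alone produces a signature that verifies, which is the property behind the "No (useless without client password)" entry in the key-exportability table.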

Questions


Contact information

Viky Manaila

[email protected]

++40.21.210.75.00 – Office

+40.721.32.86.44 – Cell

www.transsped.ro

Rich Furr

[email protected]

+1-980-236-7576 – Office

+1-704-575-1680 – Cell

www.safe-biopharma.org