SAFE-BioPharma - A new domain standard for secure identity
In medical and pharmaceutical research, researchers deal with sensitive private information on a daily basis. That makes secure identity management a crucial need. Mollie Shields-Uehling is the CEO of the SAFE-BioPharma Association, a non-profit organization charged with creating a standard that meets that need.
iSGTW: Thank you for joining us for this discussion, Mollie. Could you tell us a little bit about SAFE-BioPharma?
Shields-Uehling: SAFE-BioPharma Association is a non-profit industry collaboration established by the world's leading biopharmaceutical companies to develop and maintain a global interoperable digital identity and signature standard for the biopharmaceutical and healthcare communities. The purpose of the standard is to allow the transformation of business and regulatory process to fully electronic by 2015. The Association has made a great deal of progress in establishing the standard, gaining recognition by the US Food and Drug Administration and the European Medicines Agency (EMEA), piloting its use in Japan, standing up a streamlined, easy identity proofing and credentialing service for members, and in expanding use by SAFE-BioPharma members and their external partners.
The standard is for assuring trust of identities on-line and for ensuring that a digital signature is uniquely mathematically linked to the person's identity. The standard allows for on-line trust among parties who may never meet one another and allows for legally-binding signatures for contracts, regulatory and other purposes.
iSGTW: Your new standard is called SAFE. What does that stand for?
Shields-Uehling: SAFE stands for Signatures and Authentication for Everyone.
iSGTW: You described the standard as a non-profit industry collaboration. Was there any academic involvement in creating the standard?
Shields-Uehling: Yes. Academic medical centers were involved in testing the earliest version of the standard in a pilot with the National Cancer Institute. The pilot provided valuable information and led to a number of changes to the standard.
iSGTW: Beyond industry, where do you see SAFE being used - in a clinical setting? During medical research?
Shields-Uehling: It is being used in some academic institutions that are partnered with pharma and biotech. They are using SAFE-BioPharma digital credentials to sign contracts and regulatory documents.
The standard is being used extensively for regulatory submissions and for electronic lab notebooks (basic research). It is also being used in research and clinical trials. The standard is being piloted to convert existing paper-based processes to fully electronic for contracting and research collaborations between biopharma, NCI, and academic and other medical research groups.
iSGTW: What are some of the biggest technical challenges the collaboration faced in designing this standard?
Shields-Uehling: The biggest technical challenge faced by the consortium was the requirement for a driver download to the desktop in order to load a SAFE-BioPharma digital certificate. The drivers for the USB token or smartcard often had issues with versions of Java as well as configurations of Adobe, depending on the version. It was sometimes difficult for the user and required extensive help desk support.
To address this issue, we expanded the standard to include a software certificate, a digital roaming credential, and now-in-the-works, a zero footprint token.
iSGTW: There are already some large-scale health studies in which participants self-report health information via an online interface. Is SAFE designed to handle that sort of situation?
Shields-Uehling: The SAFE-BioPharma standard could be used in that way. Patients with SAFE digital identities could use their credentials to authenticate into a study site and self-report. If required, they could digitally sign an informed consent form or other documents. Using a SAFE credential would assure both the study site and the patient that their information was only being accessed by trusted parties. It would facilitate HIPAA compliance around patient health information. And it would provide strong legal support that it was indeed the patient in question who accessed the record and signed documents. It would further provide strong evidence that they intended to place their signature.
However, it is not yet being used for that purpose. We are moving step by step into the digital world!
-Miriam Boon, iSGTW