home > ebr > autumn 2012 > sign on the digital line
European Biopharmaceutical Review

Sign on the Digital Line

When we rely on the internet to conduct business, we need to be able to trust the identity of that unseen and possibly unknown person on the other side of the screen. It’s known as identity trust, and in the internet age, it’s the lubricant that keeps the biopharmaceutical industry running smoothly.

Our traditional sense of trust is based on personal experience and that of others whom we rely on as dependable sources of information. Identity trust exists at the intersection of law, philosophy and technology and assumes that in cyberspace it may not be good business to take at word the unknown (or known) individual who vouches for his own identity. Assuming otherwise would simply be irresponsible, especially when dealing with information protected by law and other forms of regulation or when dealing with information used to make important decisions of high economic value. Or would it?

Digital Identities

Many industries accept self-proclaimed internet identities. Most credit card and cash advance card transactions are based on their users providing information that the card issuers evaluate and trust. This seems to work pretty well most of the time. But should an aircraft manufacturer trust the self-asserted identity of an employee for a vendor providing critical parts? Should a government military entity allow physical access to facilities based on an identity that is self-proclaimed? Should a self-asserted physician have access to your medical information?

The difference between credit card identity and access to a military facility is an evaluation of risk and system-wide indemnification. The credit card industry has determined that it is less costly to accept a lower level of identity trust and a higher level of fraud than to invest in higher-assurance processes that may affect customer ease of use. The potential losses are financial and the indemnification scheme handles that risk effectively. An aeroplane manufacturer and the military have far more at risk than money.

So do we in the biopharmaceutical industry. These distinctions have not been lost on the European Commission (EC). In June, the EC adopted a proposal for a regulation “on identification and trusted services for electronic transactions in the internal market” to boost user convenience, trust and confidence in the digital world.


In the US and elsewhere, the security-minded money has been placed on the use of cryptography, the science and technologies of concealing or changing data. Students of military history understand that the most common goal of cryptography is maintaining secrecy – accomplished by changing data from recognisable to unrecognisable and back to recognisable again. If you think that applying the same types of cryptographic disciplines used by the military to business transactions among the biopharmaceuticals is overkill, consider how closely regulated we are, wherever we do business.

The requirements around clinical trial data are no exception. And if concerns about using the internet for secure transmission of protected data aren’t reason enough, consider the importance of protecting our massive investment in developing intellectual property. The stakes are very high, as is the bar by which we need to evaluate the security of our internet transactions. Hence the need to know that we can trust with certainty the identity of who we’re dealing with at the other end of our spaghetti bowl of electronic connections.

This is a problem that applies to every organisation – especially every biopharmaceutical company. And because the problem is industry-wide, it makes sense to solve it as an industry. That’s what a group of biopharmaceutical information technology security people thought about eight years ago when they started one of those rare industry-wide approaches to solve the problem. The alternative? Every company could invent its own language. But that would create a separate problem of deciphering a new industrial Babel. The experts’ solution was to work as a community of common interest: to come up with a solution each of us and each of our vendors, partners, and clinicians would be able to use for secure internet business transactions.

They did it just in time. The industry was entering a period of change; what had been the province of company, university, clinician, and regulator, was now expanding to become a spider web of global relationships. We could keep track of the relationships in the old model, but with collaboration occurring on so many different levels and across so many different economies, those relationships were expanding exponentially.

This phenomenon, driven in part by the availability of internet communication, demanded a secure way to transmit data with trust in the identities of the communicating parties. It also called for the ability to authenticate identities – making sure that the person presenting himself to an online application truly is that person or that the computer or mobile device is the one it’s supposed to be. In the world of cryptography, this procedure is known as authentication.

The Problem of Paper

As far as data is concerned, we might be able to protect when we connect. But how can we take full advantage of the internet if the identity of people accessing our sensitive information and signing documents cannot be authenticated? Biopharma R&D generates a huge number of documents.

Anyone familiar with the problem understands that paper is counter-productive to efficiency. For all the promise of an internet-driven paperless enterprise, the inability to authenticate and trust the identity of the person signing electronic documents prevents business from becoming truly electronic. Being fully electronic saves time and money. It eliminates the need to have a document physically in hand for a wet signature. It eliminates the time and expense of exchanging paper documents. It removes the need to store documents and the time and expense of retrieving them. Lack of confidence in authenticating the identity of the person who applied the signature gets in the way of being fully paperless.

The security experts deliberated on this problem: a way to develop cyber-identities that could be authenticated and trusted and a way to allow those identities to apply legally-binding signatures to electronic documents. They reasoned that the solution should be standardised. That way, the approach used by one company would be the same as the approach used by others. They settled on public key infrastructure (PKI), a solution that had been used successfully in other security-minded industries and by the US government. Within a few years, virtually every major biopharmaceutical company had joined the non-profit enterprise created to develop the standard.

I’ll avoid the mechanics of PKI in this article, but for those who are interested, Wikipedia gives a reasonable explanation, as does the website for the US National Institute of Standards and Technology (NIST). The benefits of PKI are many. Once the province of government agencies, PKI has evolved to become easy for the private sector to acquire and use.

PKI: A Quick Primer

Organisations participating in this infrastructure sign an agreement that they and their associates utilising the technology agree to follow certain reasonable rules. One of those rules is that, in order to qualify for a digital credential, an individual must successfully complete a procedure qualifying him to use and manage the digital identity credential.

Because of the digital identity credential’s close link to the individual’s proven identity, the identity credential can be trusted. Trust is what allows the identity credential’s user to apply valid, non-repudiable (that is, cannot be denied in a court of law) digital signatures to electronic documents.

Once one of these digital signatures has been applied to a document, such as an electronic laboratory notebook, it is permanent for the life of that document. If any change is made to the signed document, the digital signature is invalidated automatically and that invalidation is displayed in a way that can’t be missed.

These digitally signed documents show when they were signed and for what purpose. They can be audited instantaneously; a convenience anyone involved in audits immediately appreciates. The digital identities that allow for digital signatures are universal, meaning that the person with that identity may choose to discard all other identities – and their associated user names and passwords. That alone reduces identity management costs for their organisations.

More significantly, the use of digital identities allows for management of both physical and logical access: ‘physical’ meaning who is permitted access to which building or conference room; ‘logical’ meaning who is permitted access to which portal or file. These benefits are the foundation to the ever expanding use of digital identities in the life sciences and are based on the ability to trust the identity associated with the digital credential.

Each cyber-community using PKI technology is also known as an identity trust hub. Biopharmaceuticals and healthcare comprise one such community. The US Federal Government, including the FDA and the National Institutes of Health (the world’s largest medical research funder) is another. As a result of behind-the-scenes technology activities, each of these identity trust hubs can trust the cyber-identities of individuals from the other trust hubs.

This ability to trust across domains opens myriad opportunities for collaboration. Now, public and private sector cancer researchers are able to speed up the clinical trial initiation process by accessing, signing and exchanging documents via cloud computing. Using their digital identity credentials, they can do this in any place where there is internet connectivity. That’s a vast improvement over documents queued up in a pile on an empty desk, waiting for the recipient to return to the office. In addition to time, it saves the slow financial drip of couriers, messengers and other deliverers of hard copies.


None of these advances would be possible without the solid assurance that all parties can trust the identities of all others in internet business-to-business and business-to-government transactions. That trust factor would not exist without the technology that tightly binds cyber-identity to actual identity. Fortunately, the group of industry information security pioneers made the correct decisions and standardised the way digital identities would be managed and how digital signatures would be used. Their innovations first took root in the research side of R&D, especially when signing electronic laboratory notebooks. Over time, they have been applied to electronic document management and many other uses. More recently, trusted digital identities are being used on the development side, with clinicians receiving one digital identity that, in time, will take the place of all other forms of electronic identity.

Think of that! One universal cyber-identity recognised by every participating biopharmaceutical and healthcare entity. No more Post-It notes on the monitor with a list of userID/ password pairs. No more uncertainty about whether that person is the one he or she is supposed to be. It’s all based on our ability to trust cyber-identities. It may not be as revolutionary as the invention of the internet, but it is the development that liberates its use for our industry.

Read full article from PDF >>

Rate this article You must be a member of the site to make a vote.  
Average rating:

There are no comments in regards to this article.


Mollie Shields-Uehling directs the business and strategic activities associated with the global SAFE BioPharma® digital identity and digital signature standard. SAFE BioPharma ( is used by the biopharmaceutical and healthcare industries to assure secure internet business transactions through identity trust. She has more than 20 years of international trade and biopharmaceutical industry experience including various leadership positions with Bristol-Myers Squibb, Wyeth, the International AIDS Vaccine Initiative (IAVI), the White House Office of the US Trade Representative, and the US Foreign Commercial Service.
Mollie Shields-Uehling
Print this page
Send to a friend
Privacy statement
News and Press Releases


2 November, Abu Dhabi, United Arab Emirates: Etihad Cargo, the cargo and logistics arm of Etihad Aviation Group, in partnership with Etihad Airport Services and Abu Dhabi Airports, are preparing to launch a new state-of-the-art pharmaceutical cool chain facility. Due to go into operation soon, the facility will significantly expand Abu Dhabi International Airport’s (AUH) pharmaceutical handling and storage.
More info >>

White Papers

Generating Scientific Insights by Deep Collaboration - Bridging the Big Data Divide Between Clinical and Research


Translational research, biomarker discovery, clinical studies and even biobanking have become increasingly data intensive.  However, generating scientific insights from such disparate “big” data sources across multiple domains is a challenge for both researchers and the informaticians that support them. Download our Deep Collaboration Whitepaper and and learn how to bridge the clinical and research divide to better explore your biomarker based trials.
More info >>




©2000-2011 Samedan Ltd.
Add to favourites

Print this page

Send to a friend
Privacy statement