SAFE-BioPharma Association The Use of EU qualified eSignatures in the BioPharmaceutical Industry Rich Furr, Head Global Regulatory Affairs, Policy & Compliance, SAFE-BioPharma Viky Manaila, Managing Director, Trans Sped SRL ETSI ESI Workshop 9 February 2012 Washington, DC
SAFE-BioPharma Association
The Use of EU qualified eSignatures in the BioPharmaceutical Industry
Rich Furr, Head Global Regulatory Affairs, Policy & Compliance, SAFE-BioPharma
Viky Manaila, Managing Director, Trans Sped SRL
ETSI ESI Workshop 9 February 2012
Washington, DC
Overview
SAFE-BioPharma Association Introduction
– Why advanced electronic signatures?
Trans Sped
– Technical overview of SAFE-BioPharma credentials
What is SAFE-BioPharma?
SAFE-BioPharma
– A non-profit membership association formed by the world's leading Pharmaceutical companies to create and manage the Digital Identity and Signature standard for Life Sciences and Healthcare
– The only industry-designed solution interoperable with NIH, FDA and other US federal agencies, and European Medicines Agency
– The only industry-designed solution with an authenticated identity connection
– The only industry-designed standard that meets advanced e-signature requirements of the EU Directive 1999/93/EC and is compliant with HIPAA and DEA
– Single identity for clinical investigators and clinical workers
– High-level assurance binding identity to a digital signature
– Mitigates risk with B-to-B and B-to-Regulator transactions
– Provides secure, compliant way to verify identities
– Federated identity across Federal Bridge Certification Authority
– Meets DEA requirements – working with leading ePrescribing service
Organization: Pilots and Implementations
– Abbott: ELNs
– Amgen: Global Infrastructure
– AstraZeneca: ELN; eSubmissions (US); Investigator Portal; Global infrastructure
– BMS: ELNs; Promotional material review (EU); alliances; Indian CRO
– requirements for signature products and services
Technology independent
Free market for products and services
– avoiding prior authorization scheme
– voluntary accreditation scheme for CSPs
No discrimination
– national legislator shall not discriminate against electronic signatures coming from other member states
– independent and transparent supervision of CSP
Mutual recognition
Personal data protection
– electronic signatures shall not make data mining easier
– pseudonyms are explicitly permitted
Three types of electronic signatures
1. “electronic signature” – the simplest form
– it serves to identify and authenticate data.
– it can be as simple as signing an e-mail message with a person’s name or using a PIN-code.
2. “advanced electronic signature”
– data integrity and non-repudiation
3. “qualified electronic signature”
– consists of an advanced electronic signature based on a qualified certificate and created by a secure-signature-creation device and needs to comply with the requirements in Annex I, II and III.
1999/93/EC - Legal Effects
Equivalence with handwritten signatures for
– advanced electronic signatures based on
– qualified certificates, created by
– secure signature creation device
Any other general electronic signature
admissible as evidence
[Diagram: advanced electronic signature + qualified certificate + secure signature creation device = handwritten signature]
EU Standards on Electronic Signatures
European Electronic Signature Standardisation Initiative (EESSI)
[Diagram: EESSI SG; European Telecommunications Standards Institute; Comité Européen de Normalisation, Information Society Standardisation System; industry and business, assisted by European standard bodies]
ETSI TS 101 862
- Qualified Certificate Profile
based on the Internet certificate profile RFC 3739 (Qualified Certificates Profile)
– issued to a physical person
4 individual statements for use with the "qCStatements" extension:
– statement claiming that the certificate is issued as a Qualified Certificate;
– statement regarding limits on the value of transactions for which the certificate can be used;
– statement indicating the duration of the retention period during which registration information is archived;
– statement claiming that the private key associated with the public key in the certificate resides within a SSCD.
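A relying party can check these four statements by decoding the extension value itself. The following is an added example, not part of the original slides: a small standard-library DER reader for the qcStatements value. The statement OIDs (0.4.0.1862.1.1 to 0.4.0.1862.1.4) come from ETSI TS 101 862 rather than from the slide, and the sample bytes are constructed.

```python
# OIDs of the four ETSI TS 101 862 statements (from the spec, not the slide).
QC_STATEMENTS = {
    "0.4.0.1862.1.1": "QcCompliance",       # issued as a Qualified Certificate
    "0.4.0.1862.1.2": "QcLimitValue",       # limit on transaction value
    "0.4.0.1862.1.3": "QcRetentionPeriod",  # years registration data is archived
    "0.4.0.1862.1.4": "QcSSCD",             # private key resides within an SSCD
}
# Constructed sample extension value: QcCompliance, QcRetentionPeriod (10), QcSSCD.
SAMPLE_QC_STATEMENTS = bytes.fromhex(
    "30213008060604008e460101300b060604008e46010302010a3008060604008e460104")

def read_tlv(buf, pos):  # returns (tag, value, next_pos) for one DER element
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):  # DER OID content bytes -> dotted-decimal text
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                 # last byte of this arc
            arcs.append(value)
            value = 0
    if not arcs:
        raise ValueError("empty OID")
    first = min(arcs[0] // 40, 2)           # first two arcs share one value
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_qc_statements(der):  # statement name (or raw OID) -> statementInfo bytes
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single DER SEQUENCE")
    found, pos = {}, 0
    while pos < len(body):
        tag, stmt, pos = read_tlv(body, pos)
        oid_tag, oid, info_pos = read_tlv(stmt, 0)
        if tag != 0x30 or oid_tag != 0x06:
            raise ValueError("malformed QCStatement")
        oid_text = decode_oid(oid)
        found[QC_STATEMENTS.get(oid_text, oid_text)] = stmt[info_pos:]
    return found

def is_qc_on_sscd(der):  # both the QC claim and the SSCD claim must be present
    return {"QcCompliance", "QcSSCD"} <= parse_qc_statements(der).keys()
```

The statements are claims made by the issuing CA, so they are only meaningful after the certificate's signature, chain and revocation status have been validated.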
ETSI TS 101 456
- Policy requirements for CA issuing QC
defines policy requirements on the operation and management practices of CAs issuing QCs
– registration service
– certificate generation service
– certificate dissemination service
– revocation management service
– revocation status service
– SSCD provision service
2 policy OIDs
– QCP public + SSCD (0.4.0.1456.1.1)
– QCP public (0.4.0.1456.1.2)
audit standard for CA
– TTP.NL scheme
SAFE Top-Level Architecture
[Diagram: Subscriber; SAFE Member; SAFE Issuer; SAFE-BioPharma; Registration and Certificate Management Systems; SAFE Enabled Applications; SAFE Bridge CA; End-User Systems or Machine Systems or CCS; SAFE Certificate; Cross Certificates; OCSP Request and OCSP Response; Signing or Validation Request & Response. Legend entries: "Details contained in SAFE CP" and "Details contained in associated Technical Specification"]
CCS Definition
Centralized Credential Server (CCS)
Stores & applies private keys for multiple subscribers on a central credential server, or CCS, based on either a hardware security module (HSM) interfaced to a server, or a software-protected set of private keys in a controlled server environment
Subscribers control use of their credentials from any workstation or location
SAFE-BioPharma implementation: Split-Key CCS with OTP or SMS OTP
– Key generation: CCS Hardware
– Key storage & use: CCS Hardware
– Key exportable? No (useless without client password)
– Key in 'control' of user? Yes (client password is part of split)
– Client requirement: Web Browser
Split RSA Key CCS with OTP or SMS
2-factor authentication:
– Something you have: OTP token [OATH OTP device or SMS OTP to cell phone]
– Something you know: Memorized secret token [pass phrase]
[Diagram: End User (Subscriber; identity-proof [F2F]; must report compromises); 2-Factor Authentication (Pass Phrase; OATH-compliant OTP device -or- SMS Text OTP to User cell phone); End User PC (Browser; Keyboard Interface / USB Interface; Network / Internet Interface; up-to-date virus & malware protections); App Server (SAFE-Enabled Application; up-to-date virus & malware protections); CCS (CSP/Private Key Store; Split Key; FIPS 140-2 Level 3 Protected; Periodic Scans; Access Controlled & Audited Environment); Secure Session links; Document hash; Digital Signature]
CCS & Identity
The credential used to authenticate to the CCS is a FICAM approved NIST 800-63 LOA 3 credential
– Verizon Credential Policy is approved by FICAM under the Kantara Trust Framework
– SAFE-BioPharma also now a certified FICAM Trust Framework Provider
– Verizon planning to also certify under SAFE-BioPharma
The certificate issued is a SAFE-BioPharma medium assurance policy certificate
– SAFE-BioPharma CP requirements mapped to Federal Bridge CP requirements for Medium CBP certificate policy (SAFE-BioPharma cross-certified)
CCS Components for SAFE
SAFE-BioPharma Issuer (Trans Sped)
Issues SAFE-compliant Medium Assurance digital certificates to Subscriber’s