NIH and drug industry build a bridge to paperless processes

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By William Jackson
 

Connecting state and local government leaders

By William Jackson

|

The National Cancer Institute and Bristol-Myers Squibb are using digital certificates to eliminate paper in a cancer therapy evaluation program, a trend that advocates hope will become more widespread in government.

The National Cancer Institute and Bristol-Myers Squibb are using digital certificates that have been cross-certified by federal and industry public-key infrastructure bridges to take the paper out of paperwork in a cancer treatment evaluation program.

The program to enable digital signatures on electronic documents, which began this spring, could dramatically reduce the cost of clinical trials in the pharmaceutical industry and allow NCI to make fuller use of the government’s Personal Identity Verification card.

“We’re thrilled to be able to use the digital certificates for two modes,” authentication and digital signatures, said Peter Alterman, senior adviser for strategic initiatives to the CIO at the National Institutes of Health.

Related coverage:

Using digital signatures: What took so long?

Will digital certificates replace passwords?

An ID for all domains

The cost of implementing the program has been almost nothing because most of the hardware and infrastructure for validating trusted certificates already is in place, Alterman said.

“It is significantly cutting down on the time it takes to get these things processed,” he said. “I think this is going to become viral in government.”

The program takes advantage of the trust relationship between the Federal Bridge Certification Authority, which certifies trusted digital certificates issued by government agencies, and the SAFE-BioPharma Bridge, which performs the same function for the pharmaceutical industry. The bridges not only ensure common technical standards and standards for ID proofing and issuing of certificates but also establish a chain of trust for those certificates and the signatures they enable and provide a path for validating the certificates.

“Everybody who trusts the federal bridge can trust each other,” Alterman said.

Finding a Niche

The pharmaceutical industry moved to create its own PKI bridge because of the increasing complexity of the research and the growth of regulatory oversight.

“The way that drugs are discovered and researched is changing dramatically,” said Mollie Shields-Uehling, president of the SAFE-BioPharma Association, which manages the standards for the industry’s PKI bridge. More testing of drugs and procedures is being required, and the technical expertise required for research increasingly is coming from outside providers. She cited estimates that 40 percent of the costs of bringing a new drug to market are related to paper-based processes. “There is a compelling business case to move to a fully electronic environment,” she said.

SAFE-BioPharma was created with a goal of developing technical standards that would allow creation of a full electronic business environment for the pharmaceutical and health care industries by 2015. The standards were approved in 2005. The organization originally worked with a number of banks that had established programs for credentialing employees, but it found that those processes did not translate well to the pharmaceutical industry, where employees did not use digital certificates every day and where the medical research environment is more distributed.

Using its own standards, the organization established the SAFE-BioPharma Bridge, which Verizon operates. It enables member companies whose certificates and issuing processes are certified by the bridge to trust one another’s credentials.

The creation of a single trusted identity in the pharmaceutical industry allows members to validate digital certificates from other companies and can enable authentication and authorization for access to resources by outsiders. From the beginning, the goal of the program was to cross-certify the SAFE-BioPharma Bridge with the Federal Bridge Certification Authority, which Shields-Uehling called “the mother of all bridges.”

The federal bridge opened for business in 2002, certifying digital certificates issued by federal agencies. When a digital certificate is submitted to an online application, it can be passed along to the bridge. The bridge can verify that the certificate was indeed issued by an organization whose policies have been accepted as trusted. The bridge also can check with the issuing authority to ensure that the certificate is still valid.

The more entities participating in the process, the more valuable it becomes. Illinois was accepted in 2004 as a trusted certificate authority whose certificates could be validated by the federal bridge, the first nonfederal entity to cross-certify. In 2006, the defense and aerospace industry’s CertiPath bridge was cross-certified, becoming the first nongovernment group. SAFE-BioPharma was cross-certified in 2008. The Higher Education Bridge Certification Authority has also since joined.

Technologically, the bridges are peers, but the federal bridge is the first among equals, said SAFE-BioPharma Chief Technology Officer Cindy Cullen. “We show deference to their policy,” she said.

Because trust is the primary issue that the bridges address, policies for vetting the identity of people who receive certificates and for issuing and managing those certificates are a greater challenge to cross-certification than the technology is.

“The policies are the initial setup components,” Cullen said. “Once that is done, everything is done seamlessly.” It becomes a matter of regular audits to ensure compliance.

Staggered Start

Despite the creation of trust bridges for certificates, the paperless environment they were intended to facilitate has been slow to take off.

“The electronic government initiatives languished for a number of years because of a lack of funding and resources,” Alterman said. However, there were pockets of innovation. “FDA has been in the business for a while.”

The Food and Drug Administration and SAFE-BioPharma initiated a program for electronic submission of applications for new drug and device approval. Submission of digitally signed electronic documents through a secure FDA gateway helped to eliminate large amounts of paperwork and resulted in greater efficiency, Alterman said. NIH began a paperless grants application program, but the development of the Grants.gov website made it unnecessary.

There have been a number of other small programs that use digital signatures, but widespread deployment of the PIV card — a standardized government ID card that contains interoperable digital certificates and is intended for logical and physical access control — could accelerate the move to paperless processes.

“We have known about this technology for years,” Alterman said. “We now have a ubiquity of credentials and a mandate to use them.”

Industry approached NIH about implementing digital signatures in early 2010.

“Bristol-Myers Squibb came to us and said they would like to do a pilot [program] for one business process,” Alterman said. They wanted to partner with the National Cancer Institute on the Cancer Therapy Evaluation Program, which sponsors clinical trials of cancer treatments. It is the world’s largest sponsor of clinical trials, with more than 100 new drug investigations under way and more than 700 treatment protocols being investigated, involving about 33,000 patients. The process requires the exchange of signed documents among NCI, the company and outside organizations that participate in the trial.

NCI already was interested in paperless business processes. “I was excited because this was the kind of thing we had been trying to do,” Alterman said. “The request fell on fertile ground.”

The pilot project, which went into operation in the spring, uses medium assurance credentials, which include the PIV card for NCI personnel, certificates issued to its employees by Bristol-Myers Squibb, and certificates used by third-party organizations involved in trials. Certificates are used for authentication to log on to a secure document management system hosted by Bristol-Myers Squibb to review documents that investigators and managers post. A workflow tool alerts people who need to sign off on documents when those documents are ready for review. The certificates also are used for signing the documents. Signed documents are sent via encrypted link to NCI archives.

“They have eliminated paper completely” from the process, Alterman said.

“There is a chain of trust that is established,” Cullen said. “This is the path of verification.”

When the certificate used to digitally sign is validated, it moves up the chain of trust until the issuing authority can be verified as trusted and still in effect. If the certificate is from an outside organization, validation continues to the certification bridge. If it is from an organization outside that bridge, it continues to cross-certified bridges until it is verified.

Verification assures that:

  • A certificate chain was successfully built to a trusted root certificate.
  • The signer's identity is valid.
  • The signed document has not been altered regardless whether subsequent versions of the document have been created.

Implementing the technology for the program was fairly simple for the pilot program, consisting primarily of putting signing software on NCI desktops, Alterman said.

“We had minor technical glitches to overcome,” he said. “No show-stoppers. We could do that on the pilot scale. We’re trying to make it more turnkey” for wider use.

The results could amount to an estimated savings of more than $48,000 per 100 users a year. “We’re happy that this is doable,” Alterman said.

NEXT STORY: Just how reliable are biometrics?

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.