nCipher Security Blog

Securing digital signatures: SureClinical and beyond

John Grimm | Vice President of Strategy and Business Development

Those who follow science news regularly (or even those who scan the front pages) have probably heard that the number of novel therapeutics – including new antibiotics and other lifesaving drugs – is steadily decreasing year over year. There are a number of reasons for this, but the trend is undoubtedly worsened by the slow pace of clinical trials, a process encumbered by mounds of paperwork and red tape.

SureClinical is a company that set out to transform the pharmaceutical clinical trials process with the goal of making it faster and less costly. Drug trials have historically relied on hundreds of clinical investigators worldwide to print, fill out, sign and physically ship the documents required to document a clinical study for a new drug. The cost in labor, shipping, paper and document handling was enormous.

We recently had the opportunity to work with SureClinical to secure its cloud-based filing process with trusted crypto. Our work together is a great case study of using public key infrastructure (PKI) to underpin business applications. It shows how innovative security techniques can be used as an enabler of new business, rather than simply as a mitigation of risk.

SureClinical’s vision was a cloud-based solution that enabled pharma companies to eliminate paper, share documents easily, automate document handling and capture regulatory-compliant signatures on hand-held devices. Its end goal? Accelerate time to market – a critical competitive advantage in an industry with a 20-year patent cliff – and save companies hundreds of thousands of dollars in shipping costs alone. But there were significant security challenges that SureClinical needed to address.

The medical records industry is one of the most highly regulated industries in the world, and it also suffers, by some accounts, $50 billion per year in fraudulent paper-based transactions. Pharmaceutical companies developing new medicines are subject to the strictest standards of security and privacy, and are audited regularly. While SureClinical knew that pharma companies would be attracted to the savings in cost and time its solution promised, it also knew that adoption of this new model of document handling was out of the question unless there was a strong root of trust in the digital signature process.

To overcome this trust and security challenge, SureClinical partnered with Thales eSecurity and used our nShield hardware security modules (HSMs). These HSMs are used to secure the Adobe document signing/verification technology that is built into Acrobat and provide a strong anchor of trust in the digital signature process. SureClinical's solution is the first cloud-based digital signing solution to win U.S. Food and Drug Administration (FDA) and European Commission compliance validation for use in pharmaceutical trials. The HSMs reside in data centers that are audited to FDA 21 CFR Part 11, European Commission Annex 11, and HIPAA standards.

Had SureClinical not used a trusted cryptographic technology, authorities would not have approved the solution and customers would certainly not have accepted it.

While this customer example focuses on the role of PKI in securing document signing in the pharmaceutical industry, there is a broad spectrum of other use cases where PKI-based secure document signing is applicable. Patent, land and vehicle registration documents are now being signed electronically, yet regulators have lagged in accepting these e-signatures as legally binding. This foot-dragging is despite the fact that properly secured e-signatures are far more secure in terms of non-repudiation and integrity than are fresh-ink signatures.

The work we did with SureClinical raises the larger and general issue of the legal standing of digital signatures in different countries. Different jurisdictions have varying rulings regarding digitally signing legal documents, and at some point these discrepancies will need to be resolved. To help push the industry along to a resolution, Thales eSecurity participates in the eIDAS Electronic Trust initiative, an EU working group that aims to establish just such a system. As we continue to provide high assurance security for customers worldwide, we will also continue to take an active role in influencing policy that keeps organizations safe and enables them to save money and run leaner at the same time.

To learn more, check out the SureClinical case study here.