A case study: securing digital signatures for drug trials

July 9, 2015
Cloud-based digital signing solution helps pharma industry rein in costs and speed up trial process

The pharmaceutical trial process has historically been slow and paper-intensive. One of the prime reasons for most delays is that potentially hundreds of clinicians from multiple locations are required to print, fill out, sign and mail paperwork related to the clinical study they are working on. This results in massive costs in terms of labor, shipping, paper and document handling – not to mention the cost of lengthening the process whereby life-saving treatments are made available to the public.

SureClinical, a company that provides cloud-based health science applications that automate business processes and eliminate paper, wanted to bring the clinical trial process into the digital age. The startup conceived of a cloud-based solution that would enable pharmas to share documents easily, automate document handling, eliminate paper and capture regulatory-compliant signatures on hand-held devices. This new technology would accelerate speed to market—a critical competitive advantage in an industry with a 20-year patent cliff—and would save many companies hundreds of thousands of dollars in shipping costs alone.

However, significant security challenges would need to be addressed in order for the dream to become a reality. The medical records industry faces $50 billion worth of fraudulent paper-based transactions annually, so SureClinical needed a solution that pharmaceutical and healthcare companies would trust. That includes adhering to strict standards of security and privacy, and being auditable against multiple stringent regulatory standards. 

What SureClinical needed was the equivalent level of authenticity of a hand-written signature in an electronic format. It was certain that pharmas would be interested in the savings in cost and time its solution offered, but it also knew that this new model of document handling had no chance of being adopted unless there was a strong root of trust in the digital signature process.

Creating Trust

SureClinical solved this trust and security challenge by using a solution that works with the built-in Adobe document signing/verification technology and is secured in the cloud with Thales nShield Connect hardware security modules (HSMs). These HSMs provide a hardened, tamper-resistant environment for performing secure cryptographic processing, key protection and key management.

With these devices, SureClinical is able to deploy high-assurance security solutions that satisfy the strongest standards of due care for cryptographic systems and best practices – while also maintaining high levels of operational efficiency.

After initially working with a competitor’s product, SureClinical ultimately chose nShield Connect HSMs to secure the root of trust for several reasons. For one, customers had to have strong trust in the authentication process performed in advance of allowing a signature to be applied, in order to provide high assurance that the person signing really was that person. The HSMs provided the ability to trust the signatures based on strong protection of the signing keys and the enforcement of the multi-factor authentication process.

SureClinical was also looking for scalability; it needed a solution that could work around the world due to its plans for global expansion. The HSMs it chose can scale to handle high levels of transaction volume, and their architecture is designed for easy resilience and availability, enabling HSMs to be deployed at multiple global data centers.

Meeting Compliance Standards

The pharmaceutical industry is highly regulated, requiring compliance with strict security standards. The use of an HSM that’s been certified by a federal laboratory to meet FIPS 140-2 Level 3 provides confidence to users of the system that the crypto is implemented properly and securely. This is important in the face of potential user concerns about the security and safety of cloud and online services.

SureClinical’s patent-pending, high-trust solution is based on signing technology secured by the HSMs and requires signers to authenticate using multiple methods before they are allowed to digitally sign a document with their HSM-protected private signing key – significantly reducing the possibility of fraud. Clinicians around the world are able to use tablets and smart phones to sign documents at the point of origin, speeding the process and providing greater convenience. In fact, SureClinical’s patent-pending cloud digital signing solution is helping pharmaceutical companies save as much as $200,000 per year in shipping charges while also accelerating time to market and speeding the development of new drugs.

SureClinical is the first cloud-based digital signing solution to receive U.S. Food and Drug Administration (FDA) and European Commission compliance validation for use in pharmaceutical trials. SureClinical has also been included in BioSpace’s list of the Top 30 Life Science Startups to Watch in the U.S.

About the Author:

John Grimm is a Senior Director for Thales e-Security.