ELN authentication: navigating a sea of options.
The effective management and control of e-records assists in their admission into a U.S. court proceeding, whether for civil suits or patent interferences. Records must meet the criteria of the "business records exception" of the Federal Rules of Evidence to avoid being classified as hearsay when the person who created them is not available to testify. The U.S. Federal Judicial Center's Manual for Complex Litigation (1) notes that a judge should "consider the accuracy of computerized evidence" and that a "proponent of computerized evidence has the burden of laying a proper foundation by establishing its accuracy." In the case In Re Vee Vinhnee, (2) the appellate court affirmed the lower court's denial of electronic records admission, noting that the "focus is not on the circumstances of the creation of the record, but rather on the circumstances of the preservation of the record during the time it is in the file so as to assure that the document being proffered is the same as the document that was originally created." In Lorraine v. Markel, (3) Judge Paul Grimm wrote, "If it is critical to the success of your case to admit into evidence computer stored records, it would be prudent to plan to authenticate the record by the most rigorous standard that may be applied. If less is required, then luck was with you."
Fortunately, you need not rely on luck: a number of technologies are used with ELN products to establish the authenticity of both users and records, among them electronic signatures, hash digests and checksums. Which technologies are used depends on the needs of the particular user, the environment and the philosophy of the supplier.
Almost all ELN records are electronically signed at some juncture for approvals and/or IP witnessing. Electronic signatures can be a confusing topic, since many terms are frequently misapplied. "Electronic signature" is a broad term covering many forms of signature, such as an electronic reproduction of a person's handwritten signature, biometric stamping, a username/password, e-mail headers or a digital signature. "Digital signature" is often mistakenly used as the comprehensive term. Digital signatures are based on public-key cryptography and support the principle of "non-repudiation": a signer cannot plausibly deny having created or signed a record, provided the private key used to sign was under that signer's sole control. The simpler forms of electronic signature are easily repudiated; a username/password signature, for example, can be disowned by claiming the password was stolen or guessed. The International Organization for Standardization (ISO) defines a digital signature as "data appended to, or a cryptographic transformation of a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery, e.g. by the recipient." (4) In essence, a mathematical function is applied to the record using the signer's private key, and the outcome is attached to the record so that anyone holding the corresponding public key can verify its origin and integrity.
The concept of a "hash" function needs to be described, as it is used natively in ELN products and as the first step of the digital signature process. A cryptographic hash function digests a record of any length into a short, fixed-size value. Because this "hash value" depends on every bit of the record's content, and because a cryptographic hash is designed so that no one can feasibly find two different inputs with the same output (collision resistance), it serves in practice as a unique identifier, hence the name "digital fingerprint." If the record content changes, even by a single bit, re-hashing it produces a different fingerprint, and the system or user will know that the file has been altered in transmission or storage. Some systems retain the hash value in the database, using it to detect a new version of a record or to monitor for unauthorized changes. Note that a bare hash stored alongside the record only detects accidental or unprivileged modification: anyone who can rewrite the record and its stored hash together leaves nothing to detect. Binding the hash to a signer's key or to an external timestamp, as the digital signature and notarization services discussed later in this article do, closes that gap.
Many hash algorithms have been developed over the years, such as MD5, RIPEMD, SHA-1 (Secure Hash Algorithm) and SHA-2. Several of the older algorithms, such as MD5 and the 160-bit SHA-1, have been shown to be vulnerable to collision attacks, in which an attacker constructs two different inputs that share the same fingerprint; practical MD5 collisions were demonstrated in 2004, and SHA-1 was cryptanalytically weakened in 2005 (a practical SHA-1 collision followed in 2017). The U.S. National Institute of Standards and Technology (NIST) now recommends the SHA-2 family, which produces 224-, 256-, 384- or 512-bit digests. The SHA-3 standard, said to be even more sophisticated, was still under development when this article was written in 2011; NIST selected the Keccak algorithm in 2012 and published the standard as FIPS 202 in 2015.
Another important concept is "encryption." Encryption is a cryptographic technique for transforming a record so that it is unreadable without the secret needed to decrypt it. A cipher is the algorithm used for encryption and decryption, and a "key" is the secret value that parameterizes the cipher; the algorithm itself is public, and only the correct key makes decryption yield the original record. The analogy is a door lockset: the cipher is the lock mechanism, while the key is what opens it.
In symmetric encryption, or "secret key" cryptography, the same key is used for encrypting and decrypting the record; in other words, you hand a copy of your key to the person on the other side of the door. In asymmetric encryption, or "public key" cryptography, two mathematically related keys are used: a private key that is never shared and a public key that can be given to anyone, and neither can be feasibly derived from the other. For encryption, the public key locks and only the private key unlocks. For digital signatures the roles are reversed: the private key is applied to the record (in practice, to its hash) to produce the signature, and the public key verifies it. This is what makes non-repudiation possible, because only the holder of the private key could have produced a signature that the public key validates; applying the public key to a record does not produce a valid signature. In the door analogy, the key you use to lock the door is different from the key the person on the other side uses to unlock it.
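The hash and signature mechanics described in the preceding paragraphs, as an added example (not code from the article or from any ELN supplier): a record is fingerprinted with SHA-256, the fingerprint is signed with a private key, and verification with the public key fails for an altered record and for a "signature" made with the public key alone. The sample record is constructed, and the RSA key pair is a deliberately toy one built from two known Mersenne primes so the arithmetic is visible; a real deployment uses a properly generated 2048-bit or larger key with standard padding, distributed in an X.509 certificate.

```python
import hashlib

# Constructed sample notebook record (not taken from the article).
RECORD = b"Experiment 42: compound X dissolved in DMSO; HPLC purity 98.2%; yield 87%"


def fingerprint(record: bytes, algorithm: str = "sha256") -> str:
    """Cryptographic hash ("digital fingerprint") of a record, hex-encoded.

    Any change to the record, even one bit, yields a different fingerprint.
    """
    return hashlib.new(algorithm, record).hexdigest()


# Toy RSA key pair, constructed for illustration only. The two primes are the
# Mersenne primes 2^127 - 1 and 2^521 - 1, chosen because they are known primes
# large enough that the modulus exceeds a 256-bit digest. Special-form primes
# like these must never be used for a real key; real systems use keys generated
# by a proper library, with RSA-PSS or PKCS#1 v1.5 padding.
_P = (1 << 127) - 1
_Q = (1 << 521) - 1
_N = _P * _Q
_E = 65537                               # public exponent
_D = pow(_E, -1, (_P - 1) * (_Q - 1))    # private exponent (Python 3.8+)
PUBLIC_KEY = (_N, _E)
PRIVATE_KEY = (_N, _D)


def _digest_as_int(record: bytes) -> int:
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def sign(record: bytes, private_key=PRIVATE_KEY) -> int:
    """Sign the SHA-256 digest of a record with the private key.

    Only the holder of the private exponent can compute this value.
    """
    n, d = private_key
    return pow(_digest_as_int(record), d, n)


def verify(record: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Check a signature against the record using only the public key.

    The record is re-hashed as presented, so a modified record, or a
    signature produced with a different key, fails verification.
    """
    n, e = public_key
    return pow(signature, e, n) == _digest_as_int(record)


def forge_with_public_key(record: bytes, public_key=PUBLIC_KEY) -> int:
    """What someone holding only the public key can produce.

    Applying the public exponent does not yield a value the public key will
    validate: neither key undoes its own operation.
    """
    n, e = public_key
    return pow(_digest_as_int(record), e, n)


if __name__ == "__main__":
    sig = sign(RECORD)
    print("fingerprint:", fingerprint(RECORD))
    print("genuine record verifies:", verify(RECORD, sig))
    print("altered record verifies:", verify(RECORD + b" (revised)", sig))
    print("public-key forgery verifies:", verify(RECORD, forge_with_public_key(RECORD)))
```

The signature covers the digest rather than the record itself, which is why the hash function's collision resistance matters: if two records could be made to share a fingerprint, one signature would vouch for both.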
[FIGURE 1 OMITTED]
PUBLIC KEY INFRASTRUCTURE
Public Key Infrastructure (PKI), built on the X.509 certificate standard, uses digital signatures based on asymmetric cryptography. The goals of PKI are to create a trusted relationship between one party and another: to authenticate their identities, to guarantee the integrity of a data transmission and to ensure privacy.
PKI relies on digital certificates, which act as a kind of passport describing certain characteristics of the signer and serve as a guarantee of the signer's authenticity. A certificate binds a user's identity to a public key and records the algorithm that key uses; it is issued, and itself digitally signed, by a Certificate Authority (CA), which verifies the identity of the user before issuing it. Just like a passport, a certificate has a specified period of validity and can be revoked by the CA, which publishes revocation status (in a certificate revocation list or through an online status service) so that relying parties can check it.
In ELN, one of the most common uses of PKI is signing PDF renditions of notebook records. Usually created after an experiment is completed, the PDF files are signed by an author and a witness, attesting the record. The signatures are embedded in the document, and the signer's identity can be verified by validating the signer's certificate back to the issuing certificate authority. Any alteration of the record invalidates the signatures. Because a signature may need to be verified years later, after the signing certificate has expired, the workflow should also preserve the certificate chain and, ideally, a trusted timestamp with the signature. Many larger companies post these signed PDFs to another repository, often a document management system and/or an outside third-party records management service.
The separation of IP storage from the ELN is done for several reasons. Many of the larger biopharmaceutical companies use multiple ELN products, and they want a common signature and storage process across all of them. Also, not all IP is generated from an ELN, so there is a need for a comprehensive archiving solution. There is also a concern that the life of the records will outlive the ELN supplier's business, so it is better to store records in an industry-standard format than to rely on a supplier's proprietary structure.
Though very robust and well-established in the market, the use of PKI is not without its challenges. The exact implementation of PKI varies from provider to provider, and there are many flavors on the market. The infrastructure to support it can be quite daunting for small- or medium-size organizations; not only do the costs of the technology have to be considered, but the policies, procedures and administration have to be taken into account for the total cost of ownership. It is a matter of risk analysis and a balance between costs and the potential exposure of your data.
The closest we have to a standard ELN digital signature methodology is from the SAFE-BioPharma Association (SAFE). The association was formed by a consortium of companies and suppliers with a mission to streamline digital authentication and rights management, primarily in the biopharmaceutical industry. Faced with a complex matrix of overlapping and potentially conflicting digital signature products across a number of disciplines and partners, member companies wanted a unified authentication methodology.
Recognized by the FDA and the European Medicines Agency (EMA), SAFE is compatible with the PKI X.509 standard. SAFE accredits select CAs, which must meet the SAFE standard for credential services. In this manner, CAs can exist behind the firewall of an organization or be hosted by a third party. Any accredited organization can establish secure data transmittal with another using the SAFE Bridge Certificate Authority (SBCA). This allows verification of identities outside the company, such as employees of a contract research organization or partner. SAFE requires the use of a hardware identity device, such as a smart card or USB token, to hold the private key linked to a specific individual, so that the key cannot be copied the way a password can.
Abbott, Bristol-Myers Squibb, GlaxoSmithKline, Pfizer and Sanofi-Aventis are among the companies that employ SAFE digital signatures in their ELN workflow. ELN suppliers Accelrys, Agilent, IDBS and Waters have integrated the standard into their systems (Accelrys, IDBS and Waters are certified members). Digital notarization company Surety, whose service is used natively by several ELN suppliers, has worked to integrate its cryptographic record timestamp service with SAFE's identity management technology.
There is no collective standard, let alone a common approach, to record authentication and digital signatures across ELN products. Each vendor has taken a slightly different slant, and opinions vary about the robustness required in a typical installation. This does introduce some risk, as your electronic records may outlive your system. Therefore, potential ELN users are advised to determine their risk profile and the capabilities they require as a component of their product evaluation. Below are several vendor approaches:
* Accelrys--In the company's recently acquired Contur ELN, there are a number of options for record authentication and integrity. After publishing experimental content in PDF format, a digital fingerprint is produced using the SHA-2 (512-bit) cryptographic hash algorithm and stored with the record. The user has the option to post records to IP.com, leveraging that Web site's Surety-based digital timestamping service. In Accelrys' Symyx Notebook, records are stored in a proprietary binary format that must be interpreted by the system's middle tier. Any backdoor attempt at changes may create an incompatible record, though this is obscurity rather than cryptographic protection. SHA-2 (256-bit) hashes are available, but only through customization via the product's software development kit (SDK). With either ELN, PDF/A (PDF Archive format, ISO 19005-1:2005) records can be created for archiving purposes and signed through SAFE or other digital signature technology. The signed records can be forwarded to a customer's IP repository, and this process can be automated via customization using the SDK.
* Agilent--In OpenLAB ELN, PDFs are created during the signature process, stored in the ELN, and can be electronically signed through a variety of methods. The system comes with the ability to sign a SHA-1 hash of the PDF using a server certificate. An admin module permits integrity checks on the experiment records to discover any unapproved alteration. Agilent supports SAFE-compliant signatures and has also partnered with Surety to integrate their timestamping notarization technology. Signed PDFs can be exported in the XMLDSig (XML digital signature standard) format if desired. For long-term retention, signed documents can be archived to Agilent's OpenLAB Enterprise Content Management (ECM) system.
* IDBS--E-Workbook does not natively encrypt the data stored in the database, though the company says it has clients that have done so via third-party tools. It abstracts the database via synonyms so that schema objects can be viewed without ownership rights. Sign-offs are through digital signatures, and certificates can be obtained from a customer's certificate authority or from the E-Workbook server; the user identity may be the user's login certificate. Hashing can be either SHA-1 or SHA-2, depending on the preference of the customer. Time-stamping of the signatures can come from the database server or from an external timestamping service. IP archiving is through the generation of PDF/A documents, which can be digitally signed via SAFE or other signature technology via customization. Signed records can be forwarded to a client's master IP archive or pushed automatically via customization.
[FIGURE 2 OMITTED]
* LabWare--LabWare ELN is built from the core of LabWare LIMS and leverages much of the existing record management functionality. As with other systems, records are time-stamped via the server, and audit trail records are produced upon creation and any subsequent activity. Audit records are encrypted in the database. The auditor function enables an administrator to recreate the ELN records at any given point in their lifecycle. Electronic signatures are possible, along with a checksum (similar to a hash function, though not necessarily a cryptographic one) to ensure integrity. As the product is installed mainly in areas that are less concerned with intellectual property protection (e.g., late-stage analytical and quality), customers generally maintain the data in the database rather than post records to an outside archive.
* PerkinElmer Informatics (formerly CambridgeSoft)--Out of the box, E-Notebook supports the XML digital signature standard (XMLDSig), associating an XML signature file with a signed PDF. Users first create a PDF of the notebook record(s); the document is hashed with SHA-1 and the hash signed with the server's private key, the server acting as an electronic notary. Some clients have also integrated their own PKI infrastructure (e.g., SAFE) via E-Notebook's application programming interface. Others digitally sign PDFs outside the application using tools like Adobe LiveCycle. The ELN comes with a module known as "Long Term Archive" (LTA), which is an Oracle database for long-term record retention. The signature workflow can automatically post records to LTA after signature, and the module comes with tools for monitoring and verifying signatures. ELN records are not encrypted in the database.
* Rescentris--Every notebook entry in the company's CERF system is a set of separate records, each with its own MD5 hash digest. This value is stored with each record to detect content changes. Since practical MD5 collisions have been known since 2004, such a digest reliably detects accidental or careless modification but is a weak basis for proving that no deliberately crafted substitute shares the same fingerprint. CERF's workflow signs each of the records in the set, and is unique among the vendors surveyed in applying the U.S. federal government's Digital Signature Algorithm (DSA). For archiving, the company says it has an automated solution enabling a signed PDF to be submitted (via a Web service) to a third-party archive like Iron Mountain. A link is created between a global identifier in the database and the record's location in the archive to enable search and retrieval of historical documents.
* VelQuest--The SmartLAB procedure execution system leverages Oracle's Transparent Data Encryption (TDE) technology to protect record privacy. If records are exported, the company applies the Advanced Encryption Standard (AES), a symmetric-key cipher. Throughout the application, and depending on the module, MD5 or SHA-1 hash digests are computed to detect record changes. As with LabWare, the company indicates that its analytical and quality customers prefer to leave the data in the database, though there are options for archiving using third-party products.
* Waters--SDMS Vision Publisher creates a SHA-1 digital fingerprint for each section, i.e., component, of an ELN document. Upon electronic signature, the component fingerprints are included in the signature record, which is itself hashed, so that modification of either the record or the signature can be detected. A PDF rendition of the record is created upon approval and can be digitally signed using the SAFE standard. The PDF with the embedded digital signature can be stored in the SDMS archive or posted to another system.
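The layered scheme described for Waters above (a fingerprint per component, a signature record that binds all of them, and a digest over the signature record itself), as an added example modelled on that description rather than taken from any vendor's product. The component names and contents are constructed, SHA-256 is used in place of SHA-1, and the function names are invented for this illustration. The point a practitioner should take from it is in the last lines of the usage section: an attacker who can rewrite a component and its stored fingerprint defeats a plain per-component hash, but not the outer digest, and only a signature or external timestamp over that outer digest (as the SAFE and Surety integrations discussed above provide) stops the attacker from recomputing that too.

```python
import hashlib
import json

# Constructed ELN document: each section ("component") of a notebook entry is
# a separate byte string. Names and contents are invented for this example.
COMPONENTS = {
    "procedure": b"Dissolve 10 mg of compound X in 1.0 mL DMSO; stir 30 min at 25 C.",
    "results": b"HPLC purity 98.2%; isolated yield 87%.",
    "figure-1": b"\x89PNG\r\n\x1a\n<constructed image bytes>",
}


def component_fingerprints(components: dict) -> dict:
    """SHA-256 fingerprint of every component, keyed by component name."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in components.items()}


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation: key order and whitespace must not vary
    # between the signing system and a verifier years later.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def build_signature_record(components: dict, signer: str, signed_at: str) -> dict:
    """Create a signature record binding signer, time and all component fingerprints.

    The record carries a digest of itself ("record_digest") so that tampering
    with any stored fingerprint, the signer name or the time is detectable.
    In a production workflow this digest is the value that is signed with the
    signer's private key or submitted to a timestamping service; on its own it
    detects modification but does not prove who made the record.
    """
    body = {
        "signer": signer,
        "signed_at": signed_at,
        "fingerprints": component_fingerprints(components),
    }
    body["record_digest"] = hashlib.sha256(_canonical(body)).hexdigest()
    return body


def check_integrity(components: dict, signature_record: dict) -> tuple:
    """Verify a document against its signature record.

    Returns (signature_record_intact, changed_components), where
    changed_components lists every component that was modified, added or
    removed since signing.
    """
    body = {k: v for k, v in signature_record.items() if k != "record_digest"}
    record_intact = (
        hashlib.sha256(_canonical(body)).hexdigest() == signature_record.get("record_digest")
    )
    expected = signature_record.get("fingerprints", {})
    current = component_fingerprints(components)
    changed = sorted(
        name for name in set(expected) | set(current) if expected.get(name) != current.get(name)
    )
    return record_intact, changed


if __name__ == "__main__":
    record = build_signature_record(COMPONENTS, "j.doe", "2011-08-01T14:05:00Z")
    print("as signed:", check_integrity(COMPONENTS, record))

    edited = dict(COMPONENTS, results=b"HPLC purity 99.9%; isolated yield 95%.")
    print("results edited:", check_integrity(edited, record))

    # Attacker with database write access also rewrites the stored fingerprint:
    # the per-component check is fooled, but the record digest no longer matches.
    tampered = json.loads(json.dumps(record))
    tampered["fingerprints"]["results"] = hashlib.sha256(edited["results"]).hexdigest()
    print("fingerprint rewritten too:", check_integrity(edited, tampered))
```

Running the block prints `(True, [])` for the untouched document, `(True, ['results'])` after the results section is edited, and `(False, [])` once the attacker has also rewritten the stored fingerprint: the components now agree with the record, but the record's own digest gives the edit away.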
There are a number of standards available to ensure record integrity and the authenticity of signatures. Unfortunately, there is no common application of these tools to ELN. The SAFE-BioPharma standard is about as close as we come for digital signatures. The prospective user should fully investigate the available options and determine a record authentication strategy that is right for them before selecting a system. You might have to produce records for a court case years in the future, possibly long after your ELN supplier has gone out of business. The burden will be on you to prove the legitimacy of your records, not on the vendor.
(1.) Federal Judicial Center, Manual for Complex Litigation, Fourth Edition, Washington D.C., 2004.
(2.) In Re Vee Vinhnee, 336 B.R. 437 (9th Cir. BAP 2005).
(3.) Lorraine et al. v. Markel American Insurance Company, No. 1:2006cv01893, U.S. District Court for the District of Maryland, 2006.
(4.) International Organization for Standardization, www.iso.org/iso/catalogue_detail.htm?csnumber=14256
Michael Elliott is CEO of Atrium Research & Consulting. He may be reached at editor@ScientificComputing.com.
Author: Elliot, Michael H.
Date: Aug 1, 2011