By Tom Klaff
Pharmaceutical companies often invest nearly ten years and $1 billion to bring a new drug to market. Throughout each stage of the process, terabytes of electronic records are generated tracking everything from scientific developments to shipping invoices. Technological advances in the pharmaceutical industry have empowered employees to create electronic evidence that could, one day, be challenged in a court of law or by industry regulators.
If it can be proven that just one of these electronic documents has been tampered with or compromised, the entire investment of time and capital could be lost-with a devastating effect on shareholder value and consumer confidence. Clearly, ensuring the integrity of electronic records could be a very expensive afterthought.
The Proliferation of Electronics Records and their VulnerabilitiesPharmaceutical companies and leading laboratories are faced with increasingly fierce competitive pressure to bring new products to market in a rapid and cost-effective manner. Simultaneously, federal regulatory agencies are passing stricter requirements for end-to-end monitoring of the pharmaceutical development and distribution process.
In an effort to streamline the pharmaceutical supply chain, companies are embracing lab automation technologies and electronic tracking systems that generate mass amounts of digital content. The data contained in these electronic records and audit logs can be easily altered, backdated, or eliminated-with little or no evidence that any tampering has occurred.
The Electronic Record MetabolismIt all starts with a galvanizing idea to solve a problem. Then it is a pharmaceutical company’s mission to bring that idea to market and generate substantial profits to boost shareholder value. This process is a capital- and labor-intensive endeavor, especially when the resulting product is a life-enhancing drug.
The documentation generated during the research and development process is extensive. Well before a drug can be approved for human consumption, terabytes of research, lab experiments, tests, patent and regulatory filings, white papers, and clinical trials are generated. The electronic record “metabolism” only accelerates once the drug goes into the production and distribution processes, and it will not subside until years after it is pulled off the market. The databases and record management systems that act as repositories for this growing body of evidence must remain secure. At any moment, senior officers of a pharmaceutical company might be called upon to verify, under penalty of perjury, the integrity of every audit log or record in defense of a product liability investigation.
With vital intellectual property, trade secrets, and regulatory compliance at stake, it has become clear that pharmaceutical companies must take aggressive steps to ensure that electronic records are authentic and legally verifiable, well into the future.
21 CFR Part 11 and the Mandate for Electronic Record IntegrityIn 1991, members of the pharmaceutical industry met with the Food and Drug Administration (FDA) to figure out a process by which the pharmaceutical industry could migrate toward a secure, paperless record system. In 1997, the FDA issued final Title 21 Code of Federal Regulations (21 CFR Part 11) Electronic Records; Electronic Signatures, establishing the criteria under which electronic records and electronic signatures are considered as equivalent to paper records and handwritten signatures executed on paper.
These regulations established the criteria but did not provide a blueprint for how electronic records would be subject to compliance. The pharmaceutical industry was held accountable for the development of specific ways in which to validate documents, maintain record retention, and create audit trails, particularly third-party time-stamping.
To equate electronic record integrity with traditional paper-based integrity over many years is a difficult task. Traditionally, pharmaceutical companies have relied on cumbersome paper documents or short-lived digital signatures in an attempt to protect their intellectual property and record assets. Both of those methods are vulnerable to tampering and rely on an element of human trust, which is fraught with risk.
When clinical trial data and drug manufacturing records are produced and archived, pharmaceutical executives must have complete confidence that their electronic records have not been altered or backdated.
Choosing an Outsourced Record Authentication Solution: What’s Required?To ensure record integrity, pharmaceutical companies often deploy policies and procedures managed by employees who implement record management and security technologies. The inherent problem with these systems and procedures is that they rely on the “human element” for execution. As today’s headlines attest, methods that depend on people to protect electronic record integrity are fraught with risk.
History has proven that policies and procedures combined with trusted employees and secure technologies do not ensure that all regulated records are protected from tampering. Companies like Enron, CSFB and Tyco all had good policies, procedures, and people; but the actions of a few rogue employees have slashed shareholder value and even imploded some organizations completely.
Even companies that have deployed PKI-based digital signature technologies in an attempt to address electronic record integrity are at risk. Because PKI or hash-and-sign technology, which integrates a digital signature with a time-stamp, is also a technology that is based on human management. If an employee were to leave his or her desk for a moment, another person could slip behind the computer and use the digital signature to alter a document, thus calling into question the integrity of every record that was digitally signed using that key. Furthermore, because signing keys expire, there is more than a reasonable doubt that this short-lived technology can prove record integrity over the long haul.
Removing the Human FactorIn order to prove trustworthiness of electronic records, it is necessary to completely eliminate trust and the human element from a record management system. To restore consumer and investor confidence, electronic records must be protected by a higher order of technology that uses quantitative and mathematical proof, as opposed to human accountability.
Realizing the need for this type of solution, Surety brought to market a solution called AbsoluteProof for Life Sciences. AbsoluteProof provides the pharmaceutical industry with an independent, cryptographically verifiable solution that establishes the exact contents of every record or transaction and the time it was created in such a way that it is beyond challenge and unimpeachable. This solution incorporates four key components for record authentication:
* The ability to digitally notarize and time-stamp any electronic record, including CAD drawings, LIMS records, design diagrams, device readings, audit logs, spreadsheets, videos, and email correspondence
* A digital timeline of proof for the progress of intellectual property in support of a company’s first-to-invent or first-to-file claims
* Validation of the authenticity of electronic records and evidence that files were created when claimed and not altered since
* Compliance with 21 CFR Part 11 mandates for tamperproof time-stamping and secure audit logs
A critical requirement for any data integrity solution is also the ability to validate information years or even decades into the future. Pharmaceutical firms must have a cryptographically repeatable process that gives them the ability to prove the accuracy of their transaction records to courts and regulators indefinitely.
Record Integrity: No Longer an AfterthoughtWith so much at stake, electronic record integrity cannot be treated as an afterthought any more. A company’s investment in its intellectual property and goodwill is too great and too precious to let one bad record be at the forefront of a corporate governance or product liability investigation.
Manufacturing processes and procedures in the pharmaceutical industry are market-tested and market-proven. However, proven processes and procedures do not necessarily prove that electronic records have not been corrupted by once-trusted managers. We keep electronic records around for a single reason: evidence. And there is no time like the present to ensure that your electronic evidence stands up in court.
We live in a society of checks-and-balances. Public companies must perform independent audits of financial statements before filing them with the SEC every quarter. Our justice system is designed to deliver impartial judgments on the accused. Why take electronic record integrity for granted?
Proving chain of custody and integrity for electronic records is an enormous expense that is fraught with enormous risk. Once regulated records are generated, they should immediately be considered as potential evidence sometime in the future. Outsourcing record authentication to an independent third party can pay strong dividends–if you treat record integrity with the respect it deserves. Don’t let one bad record, generated by one rogue employee, destroy your hard-earned value.
About the author:Tom Klaff was appointed Chief Executive Officer of Surety, Inc. in March 2003. A 15-year software industry veteran Klaff brings to Surety a new focus to expand the company’s data integrity service to help customers guarantee the trustworthiness of their electronic records. As Surety’s CEO, Klaff is leading the company’s efforts to broaden its customer base. He also is responsible for formulating and executing the broader business plan for Surety, focusing on opening critical vertical markets and forging new relationships with key channel partners.
Prior to joining Surety, Klaff served as Chairman, President, and CEO of Reliacast Inc., a leading digital media software company. As a founder of Reliacast, he secured $41 million in funding and led the company from a concept stage to revenue generation and market leadership in the telecom and enterprise markets.
Before founding Reliacast’s, Mr. Klaff created and managed two ventures. College Town(r), was the first web portal for college admissions and was widely used by college-bound students searching and applying to college, financial aid, and purchasing college-related items. After College Town, Mr. Klaff established a management-consulting firm to aid Internet-centric businesses in developing strategic plans, installing sales operations and providing contract-marketing services.
Mr. Klaff received a Bachelor of Arts degree in English from Brown University and a Masters of Science in Industrial Administration from the Graduate School of Industrial Administration, Carnegie Mellon University.