Hajar Sabuur
Johnson & Johnson Worldwide Information Security
hsabuur1@corus.jnj.com
June 16, 2005
www.safe-biopharma.org



What is SAFE?

SAFE – Secure Access for Everyone – is a Standard

– Specifies technical, legal, and regulatory compliance standards
– A non-profit association (SAFE-Biopharma Association) to manage the SAFE Standard

The SAFE Standard delivers:
– Unique electronic identity credentials for legally enforceable and regulatory compliant access control and digital signatures across the global bio-pharmaceutical environment

The SAFE Standard applies to all:
– Business to business, and business to government / regulator transactions


Impact of Today’s Environment

The pharmaceutical industry spends over $1 billion per year on independent identity credentialing models
– Over 200,000 clinical investigator sites, 1,500 CROs, 1,000 university medical centers, and 1,000 medical labs (the total amounts to ~700,000 individual users) all use independent proprietary credentials for remote access to information systems

Paper-based processes
– Approximately 40% of all R&D costs are attributed to paper-based business processes ($9 billion in the US alone)
– With global geographic locations and time zones, it can take from several days to months just to obtain one signature on a paper document

Paperwork = 31% of all health costs / $500 billion this year
– Emergency Department: 1 hr. care / 1 hr. of paperwork
– Surgery & Inpatient Acute Care: 1 hr. care / 36 min. of paperwork
– Skilled Nursing Care: 1 hr. care / 30 min. of paperwork
– Home Health Care: 1 hr. care / 48 min. of paperwork

Without a legally enforceable and interoperable identity and digital signature solution, the health care industry cannot eliminate or reduce the loss in time or financial impact of paper-based processes

* New England Journal of Medicine, 2004


Key Points on SAFE

SAFE Provides:
– Common credential for access control to internal or business partner systems
– Replaces hand-written signatures with digital signatures creating legally enforceable electronic records
– Ensures data integrity of digitally signed documents

Basis:
– Hardware based solution (smart card or other device)
  • 2-Factor security: something you have and something you know
– Closed user community based on mutually agreed legal rules to ensure global enforceability among participating entities
  • Bridges local and regional differences in digital signature laws (state, federal, European, etc.)


One hardware device per person, which holds the digital identity

Simplified user environment

Common implementation standard across all biopharmaceutical companies

[Figure: Clinical Site Example. Labels: Pharma A, Pharma B, Pharma C, Pharma D, NCI/caBIG; Site ID, User ID/Password. Panels: Current Environment, Goal, SAFE Environment.]


SAFE Participants

SAFE Members/Full Members:
– Existing Members: Abbott Labs, AstraZeneca, Bristol Myers-Squibb, GlaxoSmithKline, INC Research, Johnson & Johnson, Pfizer, Procter & Gamble, Merck, Sanofi-Aventis
– Ongoing Discussions: Eli Lilly, Schering Plough, Novartis, Genzyme, Wyeth, Quintiles, Akzo-Nobel/Organon

Government entity memberships in discussion:
– National Cancer Institute (NCI), EMEA, and various EU Member State Agencies

Partners & Agencies
– PhRMA (sponsor), EFPIA (sponsor), FDA (Reviewers for compliance), EMEA (will sponsor SAFE Pilot)


SBCA Update

SBCA will be operational by mid July 2005
– Cybertrust acting as the SBCA Operational Authority (OA)
– The SBCA directory: LDAP only
– The SBCA OCSP Responder

SBCA test environment is available for SAFE Issuers.

Cross certification with the SBCA
– Indicates the issuer is SAFE compliant (SAFE Accredited Issuer)
– Request for Cross Certification after July 2005 SAFE 2.0
– Many SAFE Issuers will cross certify with the SBCA by end of year or early next year