CoSign by ARX

CoSign Digital Signatures for Life Sciences


Legal Compliance for Life Sciences

By ensuring compliance with FDA regulations such as 21 CFR Part 11 and GxP audits, as well as HIPAA, SOX, and ISO, the CoSign digital signature solution is an ideal signing solution for organizations in the life sciences industry.

Neither the FDA nor HIPAA specifically requires the use of electronic signatures; however, both agencies/departments accept electronic signatures when they are used in a compliant manner. The U.S. FDA’s 21 CFR Part 11 Electronic Records, Electronic Signatures - Final Rule (March 20, 1997) and the FDA’s Guidance for Industry, Part 11, Electronic Records, Electronic Signatures - Scope and Application (February 4, 2003) are the guiding Predicate Rules for this market. The 21 CFR Part 11 areas covered by the system include:

  • 11.10 Controls for closed systems.
    • (d) Limiting system access to authorized individuals.
    • (e) Audit trails.
    • (f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.
  • 11.30 Controls for open systems. Authenticity & integrity of electronic records from the point of their creation to the point of their receipt.
  • 11.50 Signature manifestations. Signed electronic records shall clearly indicate printed name of signer, date & time and reason for signing.
  • 11.100 General requirements. Unique electronic signatures for each user.
  • 11.200 Electronic signature components & controls. Employ at least two distinct identification components; Continuous sessions.


CoSign Certifications for Digital Signature Directives

CoSign also follows the internationally approved Common Criteria security standard (ISO/IEC 15408) by using smartcards that are Common Criteria CWA 14169 certified within the CoSign hardware enclosure. The Common Criteria SSCD validation provides compliance with EU Electronic Signature Directives (European Union Directive 1999/93/EC on Electronic Signature).

Typical Legislation Requirements for Digital Signature Directives

Digital signature regulations vary from country to country. Taking the European Electronic Signature Directive (EC Directive 99/93 on Electronic Signatures) as an example, the requirements for a standard (advanced) Electronic Signature are:

  • It is uniquely linked to the signatory. 
  • The signature-creation-data used for signature generation cannot, with reasonable assurance, be derived, and the signature is protected against forgery using currently available technology.
  • It is created using means that the signatory can maintain under his sole control.
  • It is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.

Is CoSign a Secure Signature Creation Device (SSCD)?

The European Directive (EC Directive 99/93 on Electronic Signatures) defines SSCD as:

  1. Secure signature-creation devices must, by appropriate technical and procedural means, ensure:
    • The signature-creation-data used for signature generation can practically occur only once, and that their secrecy is reasonably assured.
    • The signature-creation-data used for signature generation cannot, with reasonable assurance, be derived and the signature is protected against forgery using currently available technology. 
    • The signature-creation data used for signature generation can be reliably protected by the legitimate signatory against the use of others.
  2. Secure signature-creation devices must not alter data to be signed or prevent such data from being presented to the signatory prior to the signature process.

CoSign complies with the SSCD requirements defined by the EU electronic signature directive in the following ways:

  • CoSign is available as FIPS 140-2 Level 3 validated for those EU member states requiring such a certification for SSCD devices.
  • The CoSign SSCD model includes CWA approved smartcards for EU member states requiring this specific certification for SSCD devices.
