Compliance with CFR-11 and eIDAS as a trust service provider
There is significant legal risk in not being able to prove the integrity of an organization's electronic records. DigiStamp's API toolkit automates the process of creating secure electronic records using timestamps, so that you can prove both what a record contained and when it existed.
A primary value to the customer is that our software works with existing electronic documents and business processes, making the transition to authentic electronic records easier to manage. Our API toolkit automates the process of applying a standards-based electronic notary transaction to the daily collections of all data. Our technology does not enforce the privacy of medical records, but it can help to prove that your business process is being followed and that your internal records are authentic. For example, you can authenticate the chain of custody for medical testing records.
DigiStamp operates in compliance with the e-signature practices set forth in 21 FDA CFR-11 and regional requirements such as eIDAS (Electronic Identification and trust services). Acting as a trust service provider, DigiStamp produces electronic time stamps through the use of advanced electronic seals. The medical industry is focused on two sets of regulations called HIPAA, FDA CFR-11 and GxP. Understanding the regulations and how to apply them to your organization is a growing industry concern.
DigiStamp's timestamping system is a NIST-certified (FIPS 140-2 Level 4), tamper-detecting Hardware Security Module (HSM). The HSM performs all secure timestamp functions, including the clock and the audit trail. DigiStamp operates two redundant, geographically separated data centers to ensure continual access to DigiStamp's service. Both data centers have passed the SSAE 16 Type II audit. DigiStamp's services relate to the area of proving authentic records and go beyond the regulations. In a legal dispute, a third-party witness to the electronic data (medical and corporate records) may be very valuable.
DigiStamp provides some thoughts on data authentication below that may help you. Additional web resources on this subject are listed at the end of this page.
Is a third-party timestamp for proving authentic records required in order to fulfill regulatory requirements?
Our service may help in passing a regulatory inspection but is usually not required. The technology of digital signatures is far superior to what is described in the basic regulatory requirement.
So, generally, an external witness to your electronic data is not required by the regulations. You would need an external timestamp if you perceive some additional legal risk and need external proof that your data is authentic. The external, third-party timestamp proves that people within your organization did not alter or backdate electronic data. For example, your system administrators, even under duress from the CEO, cannot tamper with our timestamp, use an employee's password, or backdate an altered system log file.
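The scenario above (an insider altering a log file or backdating it) can be made concrete in a few lines. This is an added illustration, not DigiStamp's code: the hypothetical `issue_timestamp` and `verify_timestamp` functions model a third party binding a record's hash to the time it was witnessed, with an HMAC under a constructed key standing in for the signature produced inside the provider's HSM, which the organization's administrators never hold.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the signing key that lives only inside the third
# party's HSM. HMAC stands in for the provider's digital signature here; the
# point is that nobody in the record-keeping organization holds this key.
TSA_KEY = b"constructed-third-party-key-not-held-by-the-organization"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def issue_timestamp(record: bytes, witnessed_at: str) -> dict:
    """Third party: bind the record's hash to the time it was witnessed.
    Only the hash leaves the organization, so record contents stay private."""
    token = {"hash": sha256_hex(record), "time": witnessed_at}
    payload = json.dumps(token, sort_keys=True).encode()
    token["mac"] = hmac.new(TSA_KEY, payload, hashlib.sha256).hexdigest()
    return token


def verify_timestamp(record: bytes, token: dict) -> bool:
    """Anyone, later: the token must be genuine AND match this exact record."""
    claimed = {"hash": token["hash"], "time": token["time"]}
    payload = json.dumps(claimed, sort_keys=True).encode()
    expected = hmac.new(TSA_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["mac"]):
        return False  # token forged, or its hash/time fields were edited
    return hmac.compare_digest(token["hash"], sha256_hex(record))


def tamper_scenarios() -> dict:
    """Constructed system-log line plus the insider scenarios from the text."""
    log = b"2024-03-01T09:00:00Z user=alice action=approve batch=42\n"
    token = issue_timestamp(log, "2024-03-01T09:05:12Z")
    # 1. Record altered after the fact: its hash no longer matches the token.
    altered = log.replace(b"approve", b"reject")
    # 2. Token backdated by editing its time field: the MAC no longer matches.
    backdated = dict(token, time="2024-02-01T09:05:12Z")
    # 3. Fresh token forged for the altered record without the third party's
    #    key: an administrator's guess at the key produces a useless MAC.
    forged = {"hash": sha256_hex(altered), "time": "2024-02-01T09:05:12Z"}
    guess = json.dumps(forged, sort_keys=True).encode()
    forged["mac"] = hmac.new(b"admin-guess", guess, hashlib.sha256).hexdigest()
    return {
        "genuine": verify_timestamp(log, token),
        "altered_record": verify_timestamp(altered, token),
        "backdated_token": verify_timestamp(log, backdated),
        "forged_token": verify_timestamp(altered, forged),
    }
```

In a real deployment the verifier would check the provider's signature against its published certificate rather than sharing a key, but the outcome is the same: only the untouched record with its untouched token verifies.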
Are digital signatures required for auditing the actions of people who use electronic records?
No. Overall, it appears that existing system login procedures may be adequate to fulfill the regulatory requirements. This approach assumes trust in the company and in the company's internal system administrators.
You would consider using digital timestamps and signatures if you perceive these types of risks:
- You need to prove the authenticity of your company's records, or to avoid the risk that an external party would claim that there was collusion within the company to alter its records.
- Password-based authentication systems are designed so that an employee's password is stored in multiple locations, and system administrators commonly have access to it. By contrast, when an employee creates a digital signature, only that employee holds the private key. Keeping the single key in the sole possession of the employee avoids the risk of someone with administrator privileges using the employee's password and compromising the audit trail. Digital signature standards have been designed with strong non-repudiation qualities.
You would consider using digital timestamps and signatures if you perceive these types of values:
- You value a workflow improvement that ties employee actions directly to the electronic document and can flow with the document.
- You need to have standard signature qualifiers, such as counter and multiple signatures, receipt, approval, or originator.
- You want to communicate documents outside your organization with industry-standard signatures and independent proof of authenticity.
Additional web resources:
- A summary of HIPAA from the SANS organization.
- Magazine article on the HIPAA final release (2/21/03).
- 21 CFR Part 11 as related to cGMP LC and GC.