Healthcare exec talks security
George Rathbun, director of IT architecture at Pfizer, discusses a shared authentication approach.
Network World, 05/29/2006
George Rathbun, director of IT architecture at Pfizer, is also the CTO for SAFE-BioPharma, the pharmaceutical industry group coordinating secure sharing of information with physicians and others. SAFE members, including Johnson & Johnson, Abbott Labs, Bristol-Myers Squibb, Procter & Gamble, Merck and GlaxoSmithKline, have embarked on a shared authentication approach based on public-key infrastructure cross-certification. Rathbun recently chatted with Network World Senior Editor Ellen Messmer to discuss how this security program works and what its implications are for users.
How many members does SAFE have, and what has the organization accomplished since its founding?
SAFE, which stands for Signatures and Authentication for Everyone, was established about one and a half years ago to meet
the challenge of global online identification of individuals in the pharmaceutical industry. We now have 30 [corporate and
government] members. We initially looked at sharing a single directory, a database of personal information, to have a single
authentication source. But instead, we went with an approach to public-key infrastructure (PKI) and digital certificates based on a bridge.
What is that exactly?
A bridge is a certificate authority dedicated to issuing certificates for bridging multiple certificate technologies. Today,
there's a SAFE bridge certificate authority that issues cross-certificates to anyone that's part of it. We call it the "trust
bridge." It's maintained by a vendor, CyberTrust.
So how does this digital-certificate cross-certification work for SAFE members?
Well, for example, all of the workforce at Johnson & Johnson is already PKI-enabled internally with their own digital certificates.
J&J [last month] elected to have their corporation certified with the trust bridge. To do that, J&J went to a cross-certification
ceremony where agents from J&J made sure the certificate authorities are aligned and there are no discrepancies between policies.
It's quite a bit of work. But it creates a trusted network of [certificate authorities] for authentication. Vendors, such
as CoreStreet, are also involved in supporting the bridge.
So how does all this technical effort come to serve business goals?
Doctors in hospitals are often participating in clinical trials. Intellectual property, such as laboratory notebooks and human
studies, has to be signed by them or others. Today, documents receive wet signatures on paper, which is scanned. The goal
is to do this electronically with digitally signed documents, all time-stamped. The SAFE authentication model means the doctor
doesn't have to get a digital certificate from each company but just one issued under SAFE.
So if one key goal at SAFE is to get doctors using SAFE cross-certified digital certificates, how is that proceeding?
The current strategy is to have members invite doctors into this and pay for their certificates. It also requires a hardware
device to hold the certificate, a USB token or smart card. We believe that the Trusted Computing Group's Trusted Platform
Module might also lend itself to this hardware model.
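The bridge model Rathbun describes rests on two mechanics: a relying party at one member company must discover a certification path from its own trust anchor, through the bridge's cross-certificates, to a certificate issued by another member's CA, and the policies asserted along that path must line up (the "no discrepancies between policies" checked at the cross-certification ceremony). The following Python is an added example written for this page; it is not code from SAFE-BioPharma, Cybertrust, CoreStreet or any member company. It models certificates as plain records with no keys, signatures or revocation checks, and the CA names, physician names and policy identifiers ("jnj-medium", "safe-basic", and so on) are constructed labels. Policy handling is a simplified version of RFC 5280 processing: each cross-certificate asserts the issuer's policy and maps it to the subject domain's equivalent.

```python
"""Toy model of PKI bridge cross-certification: path discovery through a
bridge CA plus simplified policy mapping. Added example; all names and
policy identifiers below are constructed, not real SAFE values."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Cert:
    """Minimal stand-in for an X.509 certificate: only the fields that drive
    path building and policy processing (no keys, no signatures)."""
    subject: str
    issuer: str
    policies: frozenset                      # certificatePolicies asserted
    is_ca: bool = True
    policy_mappings: dict = field(default_factory=dict)  # issuerDomainPolicy -> subjectDomainPolicy


# Constructed certificate store: two member CAs, the bridge, a lab that was
# cross-certified only at a weaker assurance level, and a non-member.
JNJ_ROOT = Cert("JNJ Root CA", "JNJ Root CA", frozenset({"jnj-medium"}))
PFIZER_ROOT = Cert("Pfizer Root CA", "Pfizer Root CA", frozenset({"pfizer-medium"}))
CERT_STORE = [
    JNJ_ROOT,
    PFIZER_ROOT,
    Cert("SAFE Bridge CA", "SAFE Bridge CA", frozenset({"safe-medium", "safe-basic"})),
    # Cross-certificates exchanged at the cross-certification ceremony (both directions):
    Cert("SAFE Bridge CA", "JNJ Root CA", frozenset({"jnj-medium"}),
         policy_mappings={"jnj-medium": "safe-medium"}),
    Cert("JNJ Root CA", "SAFE Bridge CA", frozenset({"safe-medium"}),
         policy_mappings={"safe-medium": "jnj-medium"}),
    Cert("SAFE Bridge CA", "Pfizer Root CA", frozenset({"pfizer-medium"}),
         policy_mappings={"pfizer-medium": "safe-medium"}),
    Cert("Pfizer Root CA", "SAFE Bridge CA", frozenset({"safe-medium"}),
         policy_mappings={"safe-medium": "pfizer-medium"}),
    # Lab Inc was cross-certified by the bridge only at the basic level:
    Cert("Lab Inc CA", "SAFE Bridge CA", frozenset({"safe-basic"}),
         policy_mappings={"safe-basic": "lab-basic"}),
    # End-entity (physician) signing certificates:
    Cert("Dr. Smith", "Pfizer Root CA", frozenset({"pfizer-medium"}), is_ca=False),
    Cert("Dr. Lee", "Lab Inc CA", frozenset({"lab-basic"}), is_ca=False),
    Cert("Dr. Jones", "Acme Root CA", frozenset({"acme-medium"}), is_ca=False),  # Acme never joined
]


def build_path(store, trust_anchor, target_subject):
    """Breadth-first search from the relying party's trust anchor to the target
    subject, following issuer -> subject links. Returns the list of certs
    (anchor first) or None when the target is unreachable."""
    issued_by = defaultdict(list)
    for cert in store:
        issued_by[cert.issuer].append(cert)
    queue = deque([[trust_anchor]])
    while queue:
        path = queue.popleft()
        tail = path[-1]
        if tail.subject == target_subject:
            return path
        if not tail.is_ca:          # end-entity certs cannot issue further certs
            continue
        seen = {c.subject for c in path}
        for nxt in issued_by[tail.subject]:
            if nxt.subject not in seen:   # skips self-signed certs and bridge<->member loops
                queue.append(path + [nxt])
    return None


def validate_policies(path, accepted_policies):
    """Simplified RFC 5280 policy processing: intersect the relying party's
    acceptable policies with what each cert below the anchor asserts, then
    translate through that cert's policy mappings. None means no common policy."""
    valid = set(accepted_policies)
    for cert in path[1:]:
        valid &= cert.policies
        if not valid:
            return None
        valid = {cert.policy_mappings.get(p, p) for p in valid}
    return frozenset(valid)


def verify(store, trust_anchor, target_subject, accepted_policies):
    """Return (status, path_subjects): 'ok', 'policy-mismatch' or 'no-path'."""
    path = build_path(store, trust_anchor, target_subject)
    if path is None:
        return ("no-path", None)
    subjects = [c.subject for c in path]
    if validate_policies(path, accepted_policies) is None:
        return ("policy-mismatch", subjects)
    return ("ok", subjects)


if __name__ == "__main__":
    # A J&J relying party checks a Pfizer-issued physician certificate via the bridge.
    for who in ("Dr. Smith", "Dr. Lee", "Dr. Jones"):
        print(who, verify(CERT_STORE, JNJ_ROOT, who, {"jnj-medium"}))
```

The run shows the three outcomes a bridge relying party sees: a path through the bridge with matching policies (Dr. Smith), a path that exists structurally but fails because the lab was only cross-certified at a lower assurance level (Dr. Lee), and no path at all for a CA that never joined (Dr. Jones). A real deployment adds signature verification, validity periods, name and path-length constraints, and revocation checking on every certificate in the path.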