CSSN - Card scanning solutions

21-CFR part 11 - Electronic Records ESignatures Compliance


See also: Healthcare

Signishell technology fully complies with the Department of Health and Human Services (FDA) 21-CFR part 11, Electronic Records; Electronic Signatures; Final Rule [Docket No. 92N-0251] RIN-0910-AA29, dated March 20th, 1997 (hereinafter: "reference document").

The following sections quote from the reference document and prove that Signishell stands within the limitations and complies with the described procedures.

"Part 11 (21 CFR part 11) applies to any paper records required by statute or agency regulations and supersedes any existing paper record requirements by providing that electronic records may be used in lieu of paper records. Electronic signatures which meet the requirements of the rule will be considered to be equivalent to full handwritten signatures, initials, and other general signings required by agency regulations."

Signishell core technology captures the handwritten signature together with its dynamic parameters. The technology is therefore equivalent to handwritten signatures, including full signatures, initials and any other pen marking related to agency regulations, as stated.

"Section 11.2 provides that records may be maintained in electronic form and electronic signatures may be used in lieu of traditional signatures. Records and signatures submitted to the agency may be presented in an electronic form provided the requirements of part 11 are met and the records have been identified in a public docket as the type of submission the agency accepts in an electronic form. Unless records are identified in this docket as appropriate for electronic submission, only paper records will be regarded as official submissions."

Signishell can place signatures on electronic forms identified in a public docket as a type of submission that the agency accepts in electronic form. The technology can sign any digital data, in any format, using Public Key Infrastructure.

"Section 11.3 defines terms used in part 11, including the terms: Biometrics, closed system, open system, digital signature, electronic record, electronic signature, and handwritten signature"

Signishell uses these definitions: biometrics, for measurements of body movement that provide authentication; closed and open systems; digital signature, using PKI; electronic record; electronic signature, according to e-signature laws; and handwritten signature.

"Section 11.10 describes controls for closed systems, systems to which access is controlled by persons responsible for the content of electronic records on that system. These controls include measures designed to ensure the integrity of system operations and information stored in the system. Such measures include: (1) Validation; (2) the ability to generate accurate and complete copies of records; (3) archival protection of records; (4) use of computer-generated, timestamped audit trails; (5) use of appropriate controls over systems documentation; and (6) a determination that persons who develop, maintain, or use electronic records and signature systems have the education, training, and experience to perform their assigned tasks."

Signishell also sets access control and authorization for specific personnel by: (1) integrating into SSO solutions, Active Directory, etc.; (2) enforcing the sequence of steps as defined; (3) integrating into any workflow process that may include individuals in certain positions, allowing them certain functionality and access to input or output devices (such as certain keys, communication devices, printers, etc.); (4) checking the validity of the input source for operational instructions; (5) written policies that link individuals to their electronic handwritten signatures by either automated or behavioral means.

"Section 11.30 sets forth controls for open systems, including the controls required for closed systems in § 11.10 and additional measures such as document encryption and use of appropriate digital signature standards to ensure record authenticity, integrity, and confidentiality."

Signishell sets controls for open systems, including the controls previously mentioned and additional measures such as RSA encryption and use of digital signature standards (XX bytes key length) to ensure record integrity.

"Section 11.50 requires signature manifestations to contain information associated with the signing of electronic records. This information must include the printed name of the signer, the date and time when the signature was executed, and the meaning (such as review, approval, responsibility, and authorship) associated with the signature. In addition, this information is subject to the same controls as for electronic records and must be included in any human readable forms of the electronic record (such as electronic display or printout)."

Signishell includes signature manifestations with the signed data. The information includes the printed name of the signer, the relevant server that authenticated the user and the signatory role. In addition, the manifest contains a written declaration (such as "I hereby approved this document"). This information is signed with the electronic signature and is human readable by viewer, word processor or printer.

"Under § 11.70, electronic signatures and handwritten signatures executed to electronic records must be linked to their respective records so that signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means."

The Signishell signature is embedded into the document. The signature contains the document hash value, so it cannot be copied, pasted, excised or transferred to any data other than the original digital data. If a signature object is pasted into non-signed data, the signature immediately becomes invalid. The invalidity of a signature is presented in a graphically noticeable way.
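As an added illustration (not Signishell code), the sketch below binds a signature manifest to a document hash, so that a signature object pasted onto other data, or a manifest edited after signing, fails verification. The field names, key and sample records are assumptions, and HMAC-SHA256 stands in for the private-key signing step that the page attributes to PKI.

```python
import hashlib
import hmac
import json

# Assumption: stand-in for the signer's private-key operation. The page
# describes RSA/PKI; HMAC-SHA256 is used only so this runs on the stdlib.
SIGNER_KEY = b"constructed-demo-key"

def _canonical(manifest: dict) -> bytes:
    # Stable byte encoding so signer and verifier cover identical bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()

def _tag(manifest: dict) -> str:
    return hmac.new(SIGNER_KEY, _canonical(manifest), hashlib.sha256).hexdigest()

def sign_record(document: bytes, name, role, declaration, signed_at, server) -> dict:
    """Build a manifest that carries the document hash, then sign the manifest."""
    manifest = {
        "printed_name": name,
        "role": role,
        "declaration": declaration,
        "signed_at": signed_at,
        "auth_server": server,
        "doc_sha256": hashlib.sha256(document).hexdigest(),
    }
    return {"manifest": manifest, "signature": _tag(manifest)}

def verify_record(document: bytes, sig_obj: dict) -> str:
    """Return 'valid' or the reason the signature object must be rejected."""
    manifest = sig_obj["manifest"]
    if not hmac.compare_digest(_tag(manifest), sig_obj["signature"]):
        return "manifest-altered"
    actual = hashlib.sha256(document).hexdigest()
    if not hmac.compare_digest(manifest["doc_sha256"], actual):
        return "signature-not-for-this-document"
    return "valid"

def demo():
    # Constructed sample records, not taken from the page.
    original = b"Batch record 0001: released"
    other = b"Batch record 0002: released"
    sig = sign_record(original, "J. Doe", "Reviewer",
                      "I hereby approved this document",
                      "2005-01-01T12:00:00Z", "auth.example.internal")
    # Same signature object pasted onto a different record.
    transplanted = verify_record(other, sig)
    # Manifest field changed after signing.
    edited = {"manifest": dict(sig["manifest"], role="QA Manager"),
              "signature": sig["signature"]}
    return verify_record(original, sig), transplanted, verify_record(original, edited)
```

A viewer that renders anything other than `valid` as a visibly broken signature gives the "graphically noticeable" invalid state described above.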

"Under the general requirements for electronic signatures, at § 11.100, each electronic signature must be unique to one individual and must not be reused by, or reassigned to, anyone else. Before an organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, the organization shall verify the identity of the individual."

The Signishell signature is unique due to its biometric nature. The algorithm detects unique personal traits of an individual's signature and creates a personal envelope that compiles several signatures with their relevant variations. The biometric authentication allows the electronic signature to use the private key (stored in a secured data area) in order to sign the document hash value. The signatory is the only person who can use his/her private key to sign documents. A person's personal profile cannot be reverse engineered in order to detect the original strokes. Moreover, a signature cannot be used twice, since a 100% compatible signature is recognized as a fraud attempt. Enrolling a new user includes verifying the person's identity using other means, such as an ID picture card. The person has to sign his/her signature 6 times in order to create the personal profile. The personal profile is stored in a secured database and can be accessed only by a SigniShell server. When a test signature is signed, a comparison with the reference personal profile authenticates the user's identity.


© 2005 All rights reserved to CSSN card scanning solutions
