Single Sign-On: Security and Compliance with CRIO
With the emergence of new technologies and tools in clinical research, the burden on sites to keep up with the flood of new applications and software is especially daunting when it comes to user access and account management. As we’ve discussed in our previous blog post, Single Sign-On (SSO) can help alleviate some of the burden that comes with using a unique username and password for each application. In this post, we want to dig deeper into the ins and outs of SSO to understand how organizations can meet 21 CFR Part 11 compliance requirements when implementing SSO.
Why 21 CFR Part 11?
The release of the regulation in 1997 established guidelines for the use of electronic records and electronic signatures in FDA-regulated industries. To date, this regulation is the standard against which all electronic systems that collect, store, and process clinical trial data are being assessed. Most notably, the user authentication portion of the regulation must be considered when implementing a compliant SSO solution.
How to implement SSO to meet regulatory requirements?
CRIO attests that its application, in conjunction with relevant product documentation, has been designed to meet the compliance requirements of 21 CFR Part 11. Here, we provide guidance regarding the implementation and use of the single sign-on (SSO) functionality and compliance with the applicable regulations.
The workflow within the application for CRIO users using the SSO functionality is as follows:
1. The user is on the login screen of the CRIO application and selects the “Login with SSO” option.
2. The user is redirected to their Identity Provider (IdP) to enter their username and password.
3. The user is redirected back to the CRIO application.
4. The user opts to sign something within the CRIO application (e.g. a patient chart or file).
5. When selecting the electronic signature button/field using the SSO option, the CRIO application automatically checks with the IdP whether the user’s session with the IdP is still valid (it checks that the user exists, that the user is active, and that the user has the proper rights to perform this action).
6. The IdP may not require the user to re-enter their credentials, because the user exists in the system, is an active user in the system, and has the rights to perform this action in the system. If the IdP finds that the session has expired, the user is required to enter their credentials to re-activate their session with the identity provider.
7. Once this check has been performed, the electronic signature is executed/applied in the CRIO application.
8. Any subsequent signature follows the same steps outlined in steps 5-7.
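The signature-time check in steps 5-7 can be modelled as a small decision routine. The following is an added illustration, not CRIO's code: the IdP is a constructed in-memory stub, and the status names, the `sign` right and the 900-second session lifetime are assumptions chosen for the example. It shows the defensive property the workflow relies on: existence, active status and rights are decided by the IdP at every signing, and only an expired session sends the user back to re-enter credentials.

```python
import time
from dataclasses import dataclass


@dataclass
class IdpUser:
    active: bool
    rights: set
    session_expires_at: float  # epoch seconds, refreshed by a successful login


class StubIdp:
    """Constructed in-memory stand-in for a real identity provider (hypothetical)."""

    def __init__(self, users):
        self.users = users

    def check(self, user_id, right, now):
        """Returns one of: 'ok', 'expired', 'no_user', 'inactive', 'no_right'."""
        user = self.users.get(user_id)
        if user is None:
            return "no_user"
        if not user.active:
            return "inactive"
        if right not in user.rights:
            return "no_right"
        if now >= user.session_expires_at:
            return "expired"
        return "ok"

    def reauthenticate(self, user_id, credential_ok, now, ttl=900):
        """Hypothetical re-login: on success the IdP session is re-activated for ttl seconds."""
        if credential_ok:
            self.users[user_id].session_expires_at = now + ttl
        return credential_ok


def apply_signature(idp, user_id, document, credential_ok, now=None):
    """Signature-time check: ask the IdP first; only an expired session leads to re-login.
    credential_ok stands in for the outcome of the user re-entering credentials at the IdP."""
    now = time.time() if now is None else now
    status = idp.check(user_id, "sign", now)
    if status == "expired":
        if not idp.reauthenticate(user_id, credential_ok, now):
            return {"applied": False, "reason": "reauthentication failed"}
        status = idp.check(user_id, "sign", now)  # re-run the full check after re-login
    if status != "ok":
        return {"applied": False, "reason": status}  # inactive, unknown or unauthorised: no signature
    return {"applied": True, "signer": user_id, "document": document, "signed_at": now}
```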
How does this workflow meet 21 CFR Part 11 requirements?
The 21 CFR Part 11 regulation was released in 1997; SSO became commercially available in the early 2000s. The challenge CRIO faced was to demonstrate that SSO, in the way it was implemented at CRIO, met the requirements of the regulators and was in alignment with Part 11.
Over the years, CRIO has sought out guidance from regulatory bodies and independent regulatory experts for the CRIO application and the workflows contained therein.
CRIO leaders Jonathan Andrus and Marc Wartenberger are frequent contributors to various industry initiatives that foster relationships with regulators. For example, Jonathan Andrus has been part of the Society for Clinical Data Management (SCDM) for numerous years and has been the host for the regulatory town hall at the annual events both in the U.S. and in Europe.
Additionally, he has been instrumental in creating the SCDM Regulatory Council, a distinguished group of regulators from the FDA, participating under the principles of an official Public-Private Partnership with the intent to increase dialogue and interaction between regulators and the CDM profession.
Further, Marc Wartenberger has been a volunteer review lead on behalf of SCDM to gather comments from its members as part of the public comment process on the recently-released FDA guidance on Data Monitoring Committees. Additionally, he has hosted the Regulatory session at the SCDM India conference this past December along with regulators from the European Union.
These interactions, fostered over the years, have allowed CRIO to draw on the insights gained from working with regulators.
When it came time to determine the compliance aspect of the SSO functionality, CRIO leaders knew where to turn to in order to get feedback on this proposed method.
During the development of the feature, CRIO interfaced with FDA regulators via email and described the proposed workflow within the CRIO application and its intent to meet Part 11 compliance.
While regulators do not approve or disapprove of particular software tools in the marketplace, the feedback received from FDA was clear enough to ascertain that 21 CFR Part 11 does not specify a particular method to authenticate the user who is executing an electronic signature. Examples include, but are not limited to, the use of computer-readable ID cards, biometrics, digital signatures, and username and password combinations. The check performed by the IdP each time the user attempts to sign a document meets the requirements under 11.200(a)(1)(i) and (ii). Specifically, when an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components, while subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.
Interested in enabling SSO in CRIO for your organization? Reach out to your Customer Success Manager or contact us today.