Straight Talk About Electronic Signatures And Office Security
by Jacqueline Stader

While conducting training, I’ve encountered an alarming number of
comments regarding electronic signatures and overall security
attitudes in the workplace. The horrific tales that are shared with me
are no doubt true. What concerns me is the seeming lack of concern in
regard to your own safety, so let’s start with a little review session.

Following are guidance points provided by the FDA’s Guidance for
Industry: Computerized Systems Used in Clinical Trials, specifically
regarding Data Entry and Electronic Signatures.

- To ensure that individuals have the authority to proceed with data
  entry, the data entry system should be designed so that individuals
  need to enter electronic signatures, such as combined identification
  codes/passwords or biometric-based electronic signatures, at the
  start of a data entry session.
- The data entry system should also be designed to ensure
  attributability. Therefore, each entry to an electronic record,
  including any change, should be made under the electronic signature
  of the individual making that entry. However, this does not
  necessarily mean a separate electronic signature for each entry or
  change. For example, a single electronic signature may cover
  multiple entries or changes.
- The printed name of the individual who enters data should be
  displayed by the data entry screen throughout the data entry
  session. This is intended to preclude the possibility of a different
  individual inadvertently entering data under someone else’s name.
- If the name displayed by the screen during a data entry session is
  not that of the person entering the data, then that individual
  should log on under his or her own name before continuing.
- Individuals should only work under their own passwords or other
  access keys and should not share these with others. Individuals
  should not log on to the system in order to provide another person
  access to the system.
- Passwords or other access keys should be changed at established
  intervals.
- When someone leaves a workstation, the person should log off the
  system. Failing this, an automatic log off may be appropriate for
  long idle periods. For short periods of inactivity, there should be
  some kind of automatic protection against unauthorized data entry.
  An example could be an automatic screen saver that prevents data
  entry until a password is entered.
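
The guidance points above, shown as an added Python example that is not
part of the FDA guidance or the original article: a data entry session
that requires a signature at sign-on, attributes every entry to the
signer, carries the signer's printed name, and locks or logs off when
idle. The class names, the 5-minute lock and 60-minute log-off
thresholds, and the explicit `now` timestamps are assumptions.

```python
import hashlib, hmac, os

LOCK_AFTER = 300      # assumed: idle seconds before a password is needed again
LOGOFF_AFTER = 3600   # assumed: idle seconds before automatic log-off

class SessionError(Exception): pass

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class DataEntrySystem:
    def __init__(self):
        self.users = {}   # user_id -> (printed name, salt, password digest)
        self.audit = []   # entries are only ever appended, each with its signer

    def enroll(self, user_id, name, password):
        salt = os.urandom(16)
        self.users[user_id] = (name, salt, _digest(password, salt))

    def verify(self, user_id, password):
        rec = self.users.get(user_id)
        return rec is not None and hmac.compare_digest(rec[2], _digest(password, rec[1]))

    def sign_on(self, user_id, password, now):  # signature at session start
        if not self.verify(user_id, password):
            raise SessionError("electronic signature rejected")
        return Session(self, user_id, now)

class Session:
    def __init__(self, system, user_id, now):
        self.system, self.user_id, self.last, self.open = system, user_id, now, True
        self.banner = "Signed on as: " + system.users[user_id][0]  # shown all session

    def state(self, now):
        idle = now - self.last
        if not self.open or idle >= LOGOFF_AFTER:
            self.open = False          # long idle period: the session is over
            return "logged_off"
        return "locked" if idle >= LOCK_AFTER else "active"

    def unlock(self, password, now):   # only the owner's password clears the lock
        if self.state(now) == "locked" and self.system.verify(self.user_id, password):
            self.last = now

    def enter(self, field, value, now):
        if self.state(now) != "active":
            raise SessionError("entry refused: session is " + self.state(now))
        self.last = now
        self.system.audit.append((now, self.user_id, field, value))
```

Because a locked session only accepts the owner's password, a second person at the workstation has to sign on under their own name, which keeps the audit trail attributable.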

I’ve trained in large institutions and small private offices and it
happens in both settings. Situations have been shared with me that
indicate there is a serious need to reread the above guidelines by
the PIs, Monitors and Study Coordinators.

These are straightforward, easy-to-follow guidelines, so the questions
are: why do we violate them? And why do we feel it’s safe to share our
information with co-workers… or are we even aware we’re being violated?

Contrary to what you’ve been told as a child, there isn’t safety in
numbers when it comes to electronic signatures. Would you share your
personal banking PIN with a co-worker? Would you post your Social
Security number on a message board? Would you let someone else forge
your name? Of course you wouldn’t, so why share or even inadvertently
leave this information around?

I recently took a class on Internet security after experiencing a
similar situation myself. The speaker started the class something like
this…

“I was performing security consultation in a large office setting. I
bet the owner I could break into all the employees’ computers within
the hour. The owner accepted my bet and I went to work. Following me to
make sure I didn’t utilize my own technical skills, the owner stood
watch as I went from station to station. Within 45 minutes I had gained
access to every computer.”

What was the reason for his success? Thinking like the employee, he sat
in the chair, looked around the cubicle and started typing what he saw.
In each cubicle, if the password wasn’t posted on the monitor, it was
in the drawer, in the Rolodex or some other location. But it was there.
All he had to do was look. The answer for my own situation was now
clear.

So how far do we really need to go to protect our passwords and systems
of electronic data capture?

The answer is simple. We need to go as far as necessary. This includes
the obvious, but let’s state it again for the record. DO NOT SHARE YOUR
PASSWORDS or any form of personal identification with ANYONE in your
office.

Believe me, I know how the number of IDs and passwords we need to keep
track of can seem like a full-time job in itself. We all have friends
in the work environment, but if we don’t practice stronger
self-preservation we may find ourselves in hot water. Who wants to be
banned from participating in clinical research due to fraud or forgery?
Surely the answer is none of us. But we daily fail to take the proper
precautions to protect our electronic signatures, not to mention the
subject’s personal health information. Think of what HIPAA could do in
this situation. We assume that all our co-workers have the same work
and moral ethics that we live by. Well, let’s just say the word assume
says it all.

An estimated 26.2 percent of Americans ages 18 and older — about one in
four adults — suffer from a diagnosable mental disorder in a given
year. When applied to the 2004 U.S. Census residential population
estimate for ages 18 and older, this figure translates to 57.7 million
people. I’m not saying that one in four of your co-workers suffer from
a mental disorder, but I am saying that there is enough evidence that
indicates we need to take a closer look at how we act within the
workplace.

Be proactive in your own protection by following these actions.

- Change your passwords frequently.
- Don’t write or file them in places where inquiring eyes can find
  them. Keep them in your head or securely embedded in your PDA or cell
  phone address book.
- Don’t let others stand nearby as you sign in with your passwords.
- Don’t let others enter into a secure system under your password,
  otherwise you’re basically allowing them to abuse your identity. If
  there’s a problem and it’s investigated, how can you prove otherwise?
- Don’t use wireless notebooks or laptops or even your PC unless you
  know for sure it’s secure. The class speaker shared that as he drove
  down his own street he was able to access many of his neighbors’
  wireless connections.
- Become educated and stay on top of the electronic changes so you are
  aware of the potential hazards.
- Report any concerns you have as they occur. Don’t discount your own
  warning signals. It’s the only way to truly protect yourself.

Remember, it’s your own credibility and reputation you’re protecting.
Aren’t you worth it?

Jacqueline Stader is a Clinical Research Lecturer and Trainer. She
supports clinical research personnel by sharing proven techniques,
strategies, information and tips that inform and educate.
Visit her website at www.ortsedu.com

Copyright © 2006, by Jacqueline Stader. All rights reserved.