Hajar Sabuur Johnson & Johnson Worldwide Information Security June 16,

What is SAFE? SAFE – Secure Access for Everyone – is a Standard Specifies technical, legal, and regulatory compliance standards A non-profit association (SAFE-Biopharma, Association) to manage the SAFE Standard The SAFE Standard delivers.. unique electronic identity credentials for legally enforceable & regulatory compliant access control and digital signatures across the global bio-pharmaceutical environment The SAFE Standard applies to all.. business to business, and business to government / regulator transactions © The New Yorker Collection 1993 Peter Steiner from cartoonlink.com. All rights reserved.

Impact of Today’s Environment The pharmaceutical industry spends over $1 billion per year on independent identity credentialing models –Over 200,000 clinical investigators sites, 1,500 CRO’s, 1,000 university medical centers, and 1,000 medical labs (the total amounts to ~700,000 individual users) all use Independent proprietary credentials for remote access to information systems Paper-based processes –Approximately 40% of all R&D costs are attributed to paper based business processes ($9 Billion in the US alone) –With global geographic locations & time zones, it can take between several days to even months to just obtain one signature on a paper document Paperwork = 31% of all health costs / $500 billion this year –Emergency Department: 1 hr. care/1 hr. of paperwork –Surgery & Inpatient Acute Care: 1 hr. care/36 min. paperwork –Skilled Nursing Care: 1 hr. care / 30 min. of paperwork –Home Health Care: 1 hr. care / 48 min. of paperwork Without a legally enforceable and interoperable identity and digital signature solution, the health care industry cannot eliminate or reduce the loss in time or financial impact of paper-based processes * New England Journal of Medicine, 2004

Key Points on SAFE SAFE Provides: –Common credential for access control to internal or business partner systems –Replaces hand-written signatures with digital signatures creating legally enforceable electronic records –Ensures data integrity of digitally signed documents Basis: –Hardware based solution (smart card or other device) 2-Factor security: something you have and something you know –Closed user community based on mutually agreed legal rules to ensure global enforceability among participating entities Bridges local and regional differences in digital signature laws (state, federal, European, etc)

One hardware device per person, which holds the digital identity Simplified user environment Common implementation standard across all biopharmaceutical companies Clinical Site Example Pharma A Pharma B NCI/caBIGPharma C Site ID Pharma D User ID/ Password Current Environment Goal SAFE Environment

SAFE Participants SAFE Members/Full Members: –Existing Members: Abbott Labs, AstraZeneca, Bristol Myers-Squibb, GlaxoSmithKline, INC Research, Johnson & Johnson, Pfizer, Procter & Gamble, Merck, Sanofi-Aventis –Ongoing Discussions: Eli Lilly, Schering Plough, Novartis, Genzyme, Wyeth, Quintiles, Akzo-Nobel/Organon Government entity memberships in discussion: –National Cancer Institute (NCI), EMEA, and various EU Member State Agencies Partners & Agencies –PhRMA (sponsor), EFPIA (sponsor), FDA (Reviewers for compliance), EMEA (will sponsor SAFE Pilot)

SBCA Update SBCA will be operational by mid July 2005 –Cybertrust acting as the SBCA Operational Authority (OA) –The SBCA directory LDAP only –The SBCA OCSP Responder SBCA test environment is available for SAFE Issuers. Cross certification with the SBCA –Indicate the issuer is SAFE complaint - SAFE Accredited Issuer –Request for Cross Certification after July 2005 SAFE 2.0 –Many SAFE Issuers will cross certify with the SBCA by end of year or early next year