21 CFR Part 11 Compliance: Electronic Signatures and Your LMS

Don Weobong
Nov 20, 2020

Complying with the FDA’s 21 CFR Part 11 can be pretty challenging. In large part, that is because the government’s requirements seem rather nebulous and ill-defined. However, it is crucial for life science organizations to comply with those rules.

One area where many organizations struggle with compliance is in creating and implementing policies that comply with the government’s rules on electronic signatures. This guide will explore some of the most important elements to understand to comply.

What Is an Electronic Signature?

For electronic records to be deemed as trustworthy as hardcopy records, there must be ways to validate their authenticity. One of those is through an electronic signature. In essence, this is simply a digital version of someone signing their name on a legally binding document.

Of course, the idea of what goes into creating an electronic signature can vary a great deal from platform to platform. For instance, in the past, it was not unusual for digital documents to have a place for a signer to initial and then click a check box attesting to whatever the document required and verifying that their signature was, in fact, their signature.

This format was certainly not secure, and the FDA has taken steps to rectify that situation. Today, the electronic signature required in 21 CFR Part 11 bears no resemblance to what came before.

The Components of an Electronic Signature

In contrast to earlier methods, today’s electronic signatures are made up of multiple parts. These include at least three components:

· Username: The signature must include a valid username that is registered in the system to an individual of record, who has the authorization to access the information in question. The username must be unique, as well.

· Password: A password must be used to help verify and validate the username. Further, that password must be the one recorded and attached to the identifying records for the username in question (the username and password must match what the system records show for the person in question).

· Reason: A final requirement the FDA put in place is that all electronic signatures must include a reason for any action taken with electronic records. For instance, if a learner retakes a test they previously failed within your LMS, the reason for changing the recorded information must be provided. Every single change, even very simple ones like moving a record from one part of digital storage to another area, must be documented as part of the electronic signature.

Why Does It Matter?

For most, it is easy to understand the need for each person with access to an electronic system to have a unique username and password. Those are the two most common components of a digital identity. However, why does the FDA require a reason for change as part of an electronic signature?

It is very simple: doing so creates a defined, detailed audit trail that can be traced back. When every change that occurs with a digital document is connected to the person who made the change and why that change was made, it becomes much simpler to protect the information, to ensure that it is being used properly, and to understand what went wrong in instances where mistakes occur. As noted by the FDA, “Audit trails can be particularly appropriate when users are expected to create, modify, or delete regulated records during normal operation.”
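The three components and the audit trail they produce can be sketched in a few lines. This is an added example, not code from eLeaP or the FDA; the names `register`, `sign_action`, the in-memory `users` and `trail` stores, the sample user and record, and the use of salted PBKDF2 password hashes are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

def _hash_password(password: str, salt: bytes) -> bytes:
    # Assumption: passwords are stored as salted PBKDF2 hashes, never in clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register(users: dict, username: str, password: str) -> None:
    """Register a user; a username must be unique to one individual."""
    if username in users:
        raise ValueError("username already registered")
    salt = os.urandom(16)
    users[username] = (salt, _hash_password(password, salt))

def sign_action(users, trail, username, password, action, record_id, reason):
    """Append an audit entry only when all three components are valid."""
    salt, stored = users.get(username, (b"\x00" * 16, b""))
    # Hash even for unknown usernames so both failure paths do similar work.
    candidate = _hash_password(password, salt)
    if not hmac.compare_digest(candidate, stored):
        raise PermissionError("username and password do not match system records")
    if not reason or not reason.strip():
        raise ValueError("a reason is required for every change")
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "username": username,          # who made the change
        "action": action,              # what was changed
        "record_id": record_id,
        "reason": reason.strip(),      # why it was changed
    }
    trail.append(entry)                # the password itself is never logged
    return entry

def demo():
    """Constructed sample data: one user, one signed change."""
    users, trail = {}, []
    register(users, "jdoe", "constructed-passphrase")
    sign_action(users, trail, "jdoe", "constructed-passphrase",
                "update_score", "quiz-17", "Learner retook a previously failed test")
    return users, trail

if __name__ == "__main__":
    for row in demo()[1]:
        print(row)
```

A production system would also keep the trail in append-only storage and record failed signing attempts; both are left out here to keep the sketch short.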

Additional Forms of Identity Verification

While electronic signatures must include at least the three components discussed above, the FDA allows, even encourages, stronger measures to be adopted. These additional safeguards help prevent unauthorized access or changes to the information stored digitally, including that within your learning management system.

Two-Factor Authentication

Two-factor authentication is now being widely rolled out for use in securing many different types of digital accounts. For instance, Gmail now offers the option of two-factor authentication to help prevent hackers from gaining access to email accounts. This safeguard can also be found with many other digital systems.

Two-factor authentication is relatively simple to understand. When a user attempts to log in to an account, the system automatically generates an authentication code and sends that to the user’s smartphone. The user then types the code into the corresponding field on the device through which they are accessing the account, and access is granted.

There are variations of this, as well. For instance, some systems send a simple yes/no message to a user’s smartphone, asking if they are the ones trying to gain access to the account. If the user clicks yes, they are granted entry to the system. If they click no, the login session is terminated and the user is prompted to change their password.

Other Options

There are numerous other options available that can add security to electronic systems, such as your LMS, protecting sensitive information. Most of these fall under the heading of “biometrics”, and include the following:

· Fingerprint — A fingerprint reader can be installed that scans an individual’s thumb (or another digit) to verify identity by matching the print against the pattern stored in the system.

· Iris — Iris scanners can offer a similar level of protection as fingerprint scanners and work in much the same way.

· Facial Recognition — Facial recognition is becoming more widespread today and plays an important role in securing access not just to digital systems but to entire devices, such as smartphones and tablets.

Protecting Your Learning Management System

While life science organizations must protect sensitive information in all digital systems, your learning management system may be overlooked. However, because of the data stored here, it falls under 21 CFR Part 11. You must take as much care when creating electronic signatures and related policies and procedures for your LMS as with any other digital system used in the organization.

At eLeaP, we offer a fit-for-purpose LMS designed with 21 CFR Part 11 compliance in mind. We understand how critical it is to safeguard access to sensitive information and provide a simple, effective solution. Contact us to learn more.
