When using an electronic data capture (EDC) system, it is important to ensure that all data entry, modification, and deletion, as well as any access and sign-offs, are done by authorized people. The most common approach is to authenticate users with a username and password. If the person who is logged in is authorized to manipulate the clinical trial data, then there is no problem. The electronic signature is effectively the audit trail showing that it was this login account that made that change.
Recently, I have seen auditors starting to get uncomfortable with this simple approach to authentication: username/password. The concern is that there are an increasing number of ways for accounts to be compromised with this type of authentication, so it is more plausible that someone will fake the electronic signature.
There are a number of solutions that have been proposed. The first is to use biometrics. A good example is a fingerprint reader that is installed on the computer of each end-user. This biometric can be used to log in to the EDC system. The major disadvantage here is cost. There are two elements to cost.
The first is the hardware. If a site has, say, three possible computers that can be used to access the EDC, then three readers are needed. Now multiply this by the number of sites. Now assume that a certain percentage of these will fail or be damaged every year. For a large, long-lasting trial, these costs can add up.
The second element is IT support costs. Generally speaking, end-users are not able to install new software or hardware on their work computers, so the IT department has to do that for them. Most IT departments are stretched, so it may take them some time to install things. The only way to create an incentive for them to pay attention to your trial's IT needs is to pay them. Also, over the duration of the trial, end-users will have questions or problems with the biometric system (e.g., it is not working, it is too slow, a user cannot log in). Therefore it is necessary to allocate support staff for the duration of the trial to remotely troubleshoot user problems with the biometric system.
An alternative approach is to use one-time passwords. These can be very secure. This means that every end-user is issued a small electronic device that generates temporary passwords as needed. The end-user has to carry this with him/her all the time. From a hardware cost perspective, each person needs a device. There will be no site IT support costs here, but the overall trial support cost can still be significant. This is because users lose those things (they are easier to lose than devices attached to a computer).
The second difficulty with one-time passwords is that if a study coordinator is involved in multiple trials using different EDC systems and each requires them to carry one of these devices, it can become unwieldy.
In any case, if you have the budget, the above are good options.
Two low-budget solutions augment usernames and passwords: secret questions and out-of-band confirmation.
Many people have seen secret questions used, say, by their online bank. It is the same idea here: when a user tries to log in they are asked a secret question, and if they get the answer right then they are logged in. Typically the user will provide answers to multiple secret questions and the system will select one of these at random for the user to answer at each login. This approach also makes it more difficult, in theory, for someone to phish an EDC site because the user is expecting to be presented with one of their secret questions. If a phishing site presents them with a question that they never provided an answer to before, the user may get suspicious.
There are two things to keep in mind with secret questions. First, relatives or friends of an end-user will often know the answers to the most commonly used secret questions (pet's name, school name, favorite movie, etc.). So this approach is not safe from that kind of intruder.
The second issue is that users are often easily tricked into bypassing such controls. Experiments have shown that when presented with an "our secret question module is being upgraded / under maintenance" message, users will accept that and think nothing of it. So as a mechanism to alert users to potential phishing sites it may not be very effective.
Nevertheless, this additional level of authentication is an improvement over plain usernames and passwords, and entails only a small amount of additional effort on the user's side to log in. It is also low cost (no hardware) and will provide additional assurance that the person manipulating the trial data is the owner of the account.
Another option is to let the user log in as usual, but before you let them access the data you ask for a six-digit PIN. That PIN is generated automatically and sent to the user by SMS or email. It would only be valid for, say, five minutes. So the user has to read the PIN from their SMS or email and enter it to log in. This type of out-of-band communication makes it more likely that the person logging in is the account holder, because it is difficult to intercept someone's messages and it is unlikely that someone will deliberately give someone else their email or SMS account information.
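A sketch of the server side of this PIN step follows. It is an added example, not code from any EDC product; the class and method names, the in-memory store, the server key and the three-attempt limit are assumptions, while the six digits and five-minute validity come from the description above.

```python
import hashlib
import hmac
import secrets
import time

PIN_TTL_SECONDS = 5 * 60   # "valid for, say, five minutes"
MAX_ATTEMPTS = 3           # assumption: a 6-digit PIN needs a guess limit
SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret


class PinChallenge:
    """Issues and checks one-time PINs after the password step."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # user -> [mac, expires_at, attempts_left]

    @staticmethod
    def _mac(user, pin):
        # Store only a keyed MAC so the PIN itself is never kept at rest.
        msg = f"{user}:{pin}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()

    def issue(self, user):
        # secrets (a CSPRNG), not random: PINs must be unpredictable.
        pin = f"{secrets.randbelow(10**6):06d}"
        expires_at = self._clock() + PIN_TTL_SECONDS
        # Issuing again replaces any earlier PIN for this user.
        self._pending[user] = [self._mac(user, pin), expires_at, MAX_ATTEMPTS]
        return pin  # pass to the SMS/email sender only; do not log it

    def verify(self, user, candidate):
        entry = self._pending.get(user)
        if entry is None:
            return False
        mac, expires_at, _ = entry
        if self._clock() >= expires_at:
            del self._pending[user]      # expired PINs are discarded
            return False
        entry[2] -= 1                    # count the attempt before comparing
        # Constant-time comparison avoids leaking how much matched.
        if hmac.compare_digest(mac, self._mac(user, candidate)):
            del self._pending[user]      # single use: a PIN cannot be replayed
            return True
        if entry[2] == 0:
            del self._pending[user]      # out of guesses: a new PIN is required
        return False
```

The attempt limit matters as much as the expiry: without it, a six-digit PIN can be guessed by enumeration well within five minutes.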
Neither of these latter two solutions is bullet-proof. But when combined they provide an effective authentication mechanism to establish a reliable electronic signature for the purpose of Part 11.