We recently hosted a webinar on email security, authentication, and document signing solutions to protect sensitive information and help meet FDA and HIPAA compliance. While we handled a lot of compliance-related questions during the Q&A portion, we also got some good ones on digital signatures and email encryption in general.
Knowing that people outside of the webinar audience might be wondering the same things, I thought I'd share the wealth and post the questions and answers here for everyone's benefit.
Viewing Encrypted Emails after Certificate Expiration
If a user encrypts their messages with a certificate, can those emails still be read long after the certificate expires?
Yes, the emails can still be read after the certificate expires, as long as you still have the private key associated with the certificate. It's very important if you're using S/MIME for secure email and encrypting messages that you save your certificate and corresponding private key even if the certificate itself has expired.
Note: this is not the case for digitally signed emails, which can be read after the certificate expires regardless of whether you still have the original signing certificate.
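The following is an added illustration of the point above, not code from GlobalSign or the webinar; it assumes the Python `cryptography` package and stands in for S/MIME with a simple RSA-OAEP plus AES-GCM envelope. A self-signed certificate is constructed so that it expired a year ago; encryption and decryption still succeed because decryption consults only the private key, never the certificate's validity dates.

```python
import datetime
import os
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP key transport, as used for the content-encryption key in enveloped mail
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)

def make_expired_identity(cn="alice@example.com"):
    """Constructed test identity: an RSA key plus a self-signed cert that expired a year ago."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(days=730))
            .not_valid_after(now - datetime.timedelta(days=365))
            .sign(key, hashes.SHA256()))
    return key, cert

def is_expired(cert):
    """True when the certificate's notAfter date lies in the past."""
    exp = getattr(cert, "not_valid_after_utc", None)
    if exp is None:  # older cryptography releases expose only a naive UTC datetime
        exp = cert.not_valid_after.replace(tzinfo=datetime.timezone.utc)
    return exp < datetime.datetime.now(datetime.timezone.utc)

def encrypt_for(cert, plaintext):
    """Envelope the message: a random AES-256-GCM content key, wrapped with the recipient's RSA public key."""
    cek = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    return {"wrapped_key": cert.public_key().encrypt(cek, OAEP),
            "nonce": nonce,
            "body": AESGCM(cek).encrypt(nonce, plaintext, None)}

def decrypt_with(key, envelope):
    """Only the private key is needed here; the certificate and its dates play no part."""
    cek = key.decrypt(envelope["wrapped_key"], OAEP)
    return AESGCM(cek).decrypt(envelope["nonce"], envelope["body"], None)

def demo():
    """Encrypt to an already-expired certificate and recover the message with the retained key."""
    key, cert = make_expired_identity()
    env = encrypt_for(cert, b"Batch record 42 released")  # constructed sample message
    return is_expired(cert), decrypt_with(key, env)
```

Losing the private key, on the other hand, makes the archived ciphertext unrecoverable, which is why key escrow or backup belongs in any S/MIME rollout with retention requirements.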
Public Key Exchange
Is there a way to streamline the initial certificate exchange for end users?
Before messages can be encrypted, the sender needs to acquire the public key of the recipient. A common, albeit manual, way to do this is by exchanging digitally signed emails, since the signer's certificate travels with the signed message. However, the exchange can be streamlined by using directories, such as Active Directory. Using an Active Directory integration with a CA, Active Directory can get and store a copy of every certificate issued from the CA. Senders can then reference Active Directory for public certificates whenever they need to send an encrypted email.
PDF vs. Office Signatures
You talked specifically about signing PDFs during the digital signing portion. Can you digitally sign other types of documents?
Our regular user certificates can be used to digitally sign Microsoft Office documents; however, we've found most organizations, especially in the healthcare/pharma/biotech field, choose the PDF Signing solution when they compare the two options. Two of the key differentiators for PDF Signing are:
Support of long-term signatures, meaning the signature doesn't expire when the certificate does. This is key for meeting file retention and archival requirements. For example, I know of one company who was leaning toward Office signatures until they realized they needed to maintain their files for 7 years.
Inclusion of a trusted third-party timestamp with the signature, rather than relying on the system clock. This is key for maintaining audit trails for time-sensitive documents. System clocks can be altered, but using a trusted timestamp ensures that the time and date included with the signature is accurate.
Multi-purpose Certificates for FDA ESG
Okay, so this one is FDA-specific, but it comes up a lot, so I wanted to share it anyway!
Can the certificate for the FDA Electronic Submissions Gateway (ESG) only be used for the FDA ESG?
No, the certificate you need to submit to the FDA ESG is just a standard personal identification certificate (minimum class I, to be specific), which can be used for things like digitally signing and encrypting email, digitally signing Microsoft Office documents, and user authentication.
For more information on FDA- and HIPAA-compliant email security and document signing, check out the full recording of the webinar. We go into detail about how each of GlobalSign's offerings works and how they map onto the specific requirements outlined by the FDA and HIPAA. We also discuss the FDA's recent cybersecurity guidelines for medical device manufacturers. Check it out and let us know what you think!