Signature/Record Linking — §11.70
Signature and Record Linking. Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means, in accordance with §11.70. The system shall implement the following controls to ensure the integrity of the link between signatures and records:

(a) electronic signatures shall be cryptographically bound to the specific version of the electronic record at the time of signing, such that any subsequent alteration to the signed record will invalidate or be detectably inconsistent with the signature;

(b) the system shall prevent the removal, reapplication, or transfer of an electronic signature from one record to another;

(c) the link between the electronic signature and the record shall be maintained throughout the records retention period and shall be verifiable upon retrieval;

(d) where digital signature technology is used, the signing certificate, the hash of the signed record, and the encrypted signature value shall be stored as an integral part of the record;

(e) the system shall include controls to prevent the backdating or post-dating of electronic signatures; and

(f) the integrity of signature-record linking shall be verified during system validation, including testing scenarios that attempt to tamper with or transfer signatures between records.

Any failure of signature-record linking shall be treated as a critical system deficiency requiring immediate corrective action.
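
The tamper and transfer scenarios named in item (f), run against a signature bound as item (a) describes, as an added example that is not part of the original clause or of any particular system. It assumes HMAC-SHA256 from the Python standard library as a stand-in for a certificate-based digital signature; the record fields, key, and function names are constructed for illustration.

```python
import hashlib
import hmac
import json

def _bound_bytes(record, signer, meaning, signed_at):
    # Canonical serialization of everything the signature is bound to:
    # record identity, version, content hash, signer, meaning and time.
    return json.dumps({
        "record_id": record["id"],
        "version": record["version"],
        "record_sha256": hashlib.sha256(record["content"]).hexdigest(),
        "signer": signer, "meaning": meaning, "signed_at": signed_at,
    }, sort_keys=True, separators=(",", ":")).encode()

def sign_record(key, record, signer, meaning, signed_at):
    # signed_at is assumed to come from a trusted server clock, not the user.
    data = _bound_bytes(record, signer, meaning, signed_at)
    return {"signer": signer, "meaning": meaning, "signed_at": signed_at,
            "value": hmac.new(key, data, hashlib.sha256).hexdigest()}

def verify_link(key, record, sig):
    # Recompute over the record as retrieved; any mismatch breaks the link.
    data = _bound_bytes(record, sig["signer"], sig["meaning"], sig["signed_at"])
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig["value"])

def run_linking_scenarios():
    key = b"constructed-demo-key"  # constructed; not a real key
    rec_a = {"id": "BR-0001", "version": 3, "content": b"Batch 42: yield 98.1%"}
    rec_b = {"id": "BR-0002", "version": 1, "content": b"Batch 43: yield 71.0%"}
    sig = sign_record(key, rec_a, "jdoe", "approval", "2024-01-15T10:00:00Z")
    return {
        "intact": verify_link(key, rec_a, sig),
        # Record content altered after signing.
        "altered": verify_link(key, dict(rec_a, content=b"Batch 42: yield 99.9%"), sig),
        # Signature lifted from record A and attached to record B.
        "transferred": verify_link(key, rec_b, sig),
        # Same content, but a later version of the record.
        "new_version": verify_link(key, dict(rec_a, version=4), sig),
        # Stored signing time edited after the fact.
        "backdated": verify_link(key, rec_a, dict(sig, signed_at="2023-12-31T10:00:00Z")),
    }

if __name__ == "__main__":
    for name, ok in run_linking_scenarios().items():
        print(f"{name}: {'link verifies' if ok else 'link broken'}")
```

Only the intact case verifies. With a symmetric HMAC, anyone who can verify can also sign, so a production system would use an asymmetric signature with the private key held by the signer or an HSM.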