Last Thursday a bipartisan group of U.S. Senators and Representatives jointly introduced a bicameral bill that would significantly increase the criminal penalties for drug counterfeiting to as much as 20 years in prison, as reported by Phil Taylor in SecuringPharma (see the article for the details).  The house bill is called H. R. 3468, The Counterfeit Drug Penalty Enhancement Act.  The group of legislators include U.S. Senators Patrick Leahy (D-VT), Chuck Grassley (R-IA), Michael Bennet (D-CO), and Richard Blumenthal (D-CT) and U.S. Representatives Patrick Meehan (R-PA) and Linda Sánchez (D-CA).  Not surprisingly the responses from the Pharmaceutical Research and Manufacturers of America (PhRMA) and Pfizer were swift and supportive.

Raising the penalties for counterfeiting drugs to the point where they adequately reflect the widespread harm they can cause the public is a very good thing.  It should have the effect of making people think twice about selling counterfeit drugs to Americans through the internet or attempting to introduce them into the legitimate supply chain (brick-and-mortar and legitimate internet pharmacies).  It may even cause more people in the legitimate supply chain to think twice about buying drugs that have prices that seem too good to be true from sources that they aren’t quite sure about, so that they don’t inadvertently get caught up in a scheme to introduce counterfeits into the supply chain and risk prison or a large fine.  Maybe.

WHAT ABOUT DRUG FACILITY/CARGO THEFT AND PHARMACY ROBBERY?

Yes, significantly higher penalties for counterfeiting drugs are a good thing, but can’t we make the same argument to also justify higher penalties for drug theft from distribution centers and trucks, and robbery of pharmacies?  These crimes are also on the rise and they also result in a high potential for widespread harm to the public when these drugs are reintroduced into the legitimate supply chain.  These crimes can result in something that is just as bad as the harm that can come from counterfeiting.

Take, for instance, the recent successful cargo theft of a truck carrying 14 pallets-worth of Oxycodone tablets from Actavis last month as reported by SecuringPharma.  The heist also netted the thieves 16 pallets of other drugs too, but I want to focus on the Oxycodone.  Nobody is going to find these bottles showing back up in the legitimate supply chain.  Oxycodone is the generic name for the opiate-based prescription pain medication that most people know better by its brand name “OxyContin” used by the brand owner.

Oxycodone abuse in the U.S. has been rising steadily for at least the last dozen years.  It results in a particularly insidious form of addiction.  One that quickly becomes a major social problem in the small and large communities where it takes hold.  Here is a quote that says it all from U.S. Attorney Joseph Famularo during a February 2001 news conference as quoted in the March 13, 2011 article “OxyContin abuse spreads from Appalachia across U.S.” by Bill Estep, Dori Hjalmarson and Halimah Abdullah of McClatchy Newspapers:

“You could leave a bag of cocaine on the street and no one would touch it, but leave one OxyContin in the back of an armored car and they’ll blow it up to get at it.”

Along with the rise in Oxycodone abuse has been a rise in serious crimes committed by addicts desperate for whatever it takes to get more Oxy.  And now we have 14 pallets-worth more of it in the hands of those who will make sure that the number of those addicts increases.  If our law enforcement organizations are unable to recover that shipment then we are all going to see more of the kind of social destruction that results from the crazy crimes these desperate Oxy addicts commit.  The U.S. Drug Enforcement Administration (DEA) has been trying to control diversion of Oxycodone, but this single cargo theft represents a huge quantity that goes well beyond the “fraudulent prescriptions, doctor shopping, over-prescribing, and pharmacy theft” diversion that the DEA is focusing on.

HOW MUCH CAN A THIEF MAKE FROM A SINGLE CARGO THEFT?  MORE THAN YOU THINK.

Let’s try to figure out the approximate street value of just the Oxycodone in this cargo theft.  According to the SecuringPharma article, the thieves got away with about 70,000 units.  That’s about 5,000 bottles per pallet which is within reason for a 100 count bottle of small tablets.  I’ll assume that this shipment was evenly divided between the 30mg dose and the 15 mg dose.  According to the National Prescription Drug Threat Assessment 2009 conducted by the U.S. Department of Justice National Drug Intelligence Center, the average street value per milligram of Oxycodone in 2008 in the U.S. was $1.15.  With this data we can calculate that the estimated 2008 street value of just the Oxycodone in this cargo theft is

( ( (15mg + 30mg)/2 )*$1.15  * 100tabs per bottle ) * 70,000 bottles = $181,125,000.

$181,125,000 !

If this were the market value of a typical drug cargo theft where the drugs only have value if they are sold back into the legitimate supply chain the thieves would probably expect to receive much less than this when they sell the drugs.  But in this case, because the drugs have a higher street value than legitimate supply chain value, they can probably expect to sell this Oxycodone for even more than this value because it is now 2011 and I assume prices on the street only go up.

The estimated street value of this stolen drug is only one aspect of this particular cargo theft.  The cost to our communities of 70,000 more doses of Oxycodone being sold to addicts across the country in terms of family breakdown, job loss, and elevated petty and serious crime, makes this particular cargo theft something that we are going to be dealing with for a long time.

Those who introduced the bipartisan bill into Congress last week recognized the critical difference between the criminal counterfeiting of watches, purses and apparel, and of the much more serious crime of counterfeiting drugs because of the widespread harm they can cause.  That is the proper justification for significantly higher criminal penalties for drug counterfeiters.  If this bill is enacted, the penalties for drug counterfeiting will reflect this greater ability to harm.  But the penalty for pharmaceutical cargo theft should likewise reflect the widespread harm it can inflict on our citizens and our communities over and above non-drug theft.  The sponsors should make these newly enhanced penalties apply to these crimes as well while the bill is still in committee.  Counterfeit drugs are a problem, but so are drug cargo theft and the prescription drug abuse that can result.

A QUESTION FOR YOU, DEAR READER

So, dear reader, I have a question for you that has been banging around in my head ever since I read about the Oxycodone cargo theft I analyzed above.  As U.S. taxpayers–as the people who will foot the bill for the devastation to our people and our communities that will come as a direct result of this $181 Million crime–what kind of security practices should we expect the owner of a shipment that has a street value of $181 Million to use on that shipment?  What kind of security practices should we demand?  Please leave your answer in a comment below.

Dirk.

West-African countries have been under attack by drug counterfeiting criminals for decades with little resistance until the last one.  The result, in 2002 Mohammed Yaro Budah, then president of the Pharmaceutical Society of Nigeria, estimated that 70% of the drugs in Nigeria were fake or substandard.  That’s an incredible figure, but starting around that time the Nigerian National Agency for Food and Drug Administration and Control (NAFDAC) under the direction of Professor Dora Akunyili began fighting back.

Initially they focused on inspecting drug imports at the Nigerian ports and airports and they were able to bring the percentage of fake or substandard drugs to come down considerably.  More recently they have begun employing a number of Raman Spectroscopy-based devices called TruScan (recently acquired by Thermo Scientific) to inspect drugs and anti-viral medicines being sold in pharmacies during “unscheduled” visits.

Even more recently, a number of pharma manufacturers have begun to add low cost scratch-off stickers to the drugs sold in Nigeria that cover a random number that can be scratched off and checked for authenticity by patients and healthcare professionals using SMS text message-based technology from Sproxil.  The service was launched in 2010 on a single product but that number is growing quickly as a number of large U.S.-based drug companies add the scratch-off stickers to their products.  The service is sponsored by NAFDAC.

WOULD THESE TECHNOLOGIES WORK IN THE U.S.?

That is, would these technologies help to reduce the number of illegitimate drugs in the U.S. supply chain? I believe that the answer is flatly “NO”.  The reason Raman Spectroscopy and Sproxil’s system work so well in Nigeria and are so appropriate there is because the percentage of illegitimate drugs in that country is so huge.

In comparison, the World Health Organization (WHO) has “estimated” that the percentage of counterfeit drugs in “industrialized countries with effective regulatory systems and market control”—countries like the U.S.—is “less than 1%”.  In reality, this “estimate” is not based on any actual measurement but appears to be just a guess.  We know that tiny quantities of illegitimate drugs are sometimes found in the U.S. supply chain today and we know that, even in the early 2000’s when criminals found a window of opportunity that no longer exists, the percentage has never approached 1% by any measure, so it is technically true that “less than 1%” of our drugs are illegitimate/counterfeit.

And we know, based on seizures in postal facilities alone, that the number of counterfeit drugs arriving on our shores through illegitimate channels is growing fast.  That was the real story seemingly hidden in plain sight in the recent CBS “60 Minutes” video essay “The fight against counterfeit drugs”.  The flood of counterfeit drugs on our shores that was the topic of that segment is coming in through ILLegitimate channels (mainly through unlicensed criminal pharmacies on the internet), not the legitimate supply chain that supplies our pharmacies (including properly licensed and fully legal internet pharmacies).

Despite unfortunate occurrences where illegitimate drugs made it into the legitimate supply chain as I analyzed in “Lessons from “Drug Theft Goes Big”, the actual percentage of illegitimate drugs in the legitimate U.S. supply chain is so small that it is actually immeasurable.  In my opinion, to say that the value is “less than 1%” actually inflates the problem beyond reality by at least five orders of magnitude.

The number of illegitimate drugs in the U.S. legitimate supply chain remains “less than .00001%”, and it is not growing (other than small fluctuations that are due entirely to the tiny numbers involved). That’s my “guesstimate” and it is likely based on more thought and observation of the U.S. supply chain than the WHO put into their guess for “industrialized countries”.  (Notice that my guesstimate of “less than .00001%” fits well within the WHO’s estimate of “less than 1%” so it doesn’t actually counter their estimate!)

If my guesstimate is accurate, that means that Nigeria conservatively has more than 1,000,000 times more counterfeit drugs in their pharmacies than the U.S. has in theirs.  Finding a package of a counterfeit drug is easy in Nigeria, perhaps one out of every 5 to 10 packages.  With a properly configured Raman Spectoscope, or a Sproxil scratch-off authentication code, these illegitimate packages can be found and removed from the market before patients are harmed.  But if applied in the U.S., using my guesstimate and assuming an even distribution, you would have to check well more than 10 million packages before you found one that was illegitimate.

Because the illegitimate drugs that are found in the U.S. supply chain are found in pockets and are not evenly distributed, you could easily check billions of packages and not find a single illegitimate drug if you don’t check in the “right” places (or is it the “wrong” places).  Clearly, checking all those drugs manually by either aiming a Raman Spectrograph at it, or scratching off a patch and texting a code to an authentication service is totally impractical for addressing the problem in the U.S. supply chain.

THE SUCCESSFUL ANTI-COUNTERFEITING TECHNOLOGY IS THE ONE THAT FITS THE PROBLEM

Raman Spectroscopy and Sproxil work well in Nigeria because you counterfeit drugs are so easy to find there.  These technologies fit the problem.  We should all hope that the day arrives soon when Nigeria finds that their counterfeit drug problem has diminished so far as the result of the application of these technologies that they no longer fit the problem.  When that day arrives, even Nigeria will need another technology.

The E.U. is a collection of “industrialized countries” where the counterfeit drug problem is believed by the WHO to be “less than 1%”.  Again, the problem in the E.U. is really too small to accurately measure and the bulk of the problem never enters legitimate channels, but from press reports (one example), it appears that the occurrence of illegitimate drugs in the E.U. supply chain falls somewhere between my guesstimate of “less than .00001%” for the U.S. and the WHO’s estimate of “less than 1%” and is probably closer to whatever the real value is for the U.S. than it is to the 1% value.

The problem is different in the E.U. than it is in the U.S. however because parallel trade in pharmaceuticals, or what I refer to as  “economically motivated diversion”, is somewhat legal in the E.U.  That is, it is apparently legal for a wholesaler to import drugs into a member country that sets the purchase price at a lower value, repackage these drugs for sale in a different member country that sets the sales price at a higher value.

As I understand it, the repackaging step is usually necessary due to language and regulatory differences in the packaging between E.U. member countries.  It’s this frequent legitimate need for repackaging that can provide “cover” for criminals to introduce counterfeit drugs into the legitimate E.U. supply chain.  Repackaged drugs are harder to trace than drugs that remain in the original manufacturer’s package.

(For Dr. Adam Fein’s thoughts on the importance of the differences between the U.S. and ex-U.S. supply chains and how that would impact any legalization of drug importation in the U.S., see his recent excellent essay “Importation is back? Really?!?”.)

Now I’m no expert on the E.U. pharma supply chain so I expect to be challenged by parallel traders in the E.U., if they ever pay attention to statements made by U.S.-based and –focused bloggers.  The reason I bring up this apparent difference (and the reason I keep using the word “apparent”) is that the contribution to the introduction of counterfeit drugs into the legitimate drug supply chain in the E.U. has been a hotly debated topic there for some time with lots of people on both sides of the question.

The point is, the supply chain is significantly different in the E.U. than it is in the U.S. and that causes the problem to be different.  I think that difference leads to the need for a different solution. The solution that works in the E.U. will very likely be different from the solution that works in the U.S., just like the solution that works right now for Nigeria would not be appropriate for either the U.S. or the E.U.

IS “POINT OF DISPENSE” (POD) AUTHENTICATION THE SOLUTION FOR THE E.U.?

The European Federation of Pharmaceutical Industry Association (EFPIA), an industry organization, proposes a model that would only detect illegitimate drugs at the point of dispense (POD) in the pharmacy.  In this model, all drugs must be serialized in some standard way and the pharmacist must execute an internet-based check on the authenticity of that serialized ID at the time the drug is being dispensed to the patient.

I’m not a big fan of POD because it doesn’t really help find and stop counterfeiters, but when drugs can legally pass through a complex supply chain that includes one or more repackaging and movement from country to country, perhaps simple POD makes the most sense.  (I first discussed POD Authentication in my essay “What are Pedigree Laws Trying to Accomplish Anyway?”.)

ILLEGITIMATE DRUGS IN THE U.S. LEGITIMATE SUPPLY CHAIN:  NEEDLE IN A HAYSTACK

The real problem with selecting a technology for securing the U.S. supply chain from the introduction of illegitimate product is that the proportion of illegitimate product is so tiny compared with that of the legitimate product.  Mandating almost any technology to detect “the needle” will undoubtedly introduce inefficiencies that will result in increased costs to everyone for “the hay”.

I discussed this problem in my essay “Do We Even Need To Mandate Drug Pedigrees Anymore?”.  Interestingly, since I published that essay we have learned from Katherine Eban about how some stolen drugs made it back into the supply chain.  It appears that it may have allegedly been a combination of method #2 “Legitimate wholesalers who are unable to make the pledge to only buy directly from the manufacturer”, and method #4 “Criminal wholesalers and/or pharmacists/pharmacies”.  And counter to my point in that essay, electronic drug pedigrees would almost certainly have detected the criminal activity before patients were harmed, as I later pointed out in my more recent essay “Reliance on Trust in the U.S. Pharma Supply Chain”.

(Dr. Fein has published many essays on these topics in his Drug Channels blog.  Here is one from 2006 that has some pertinent thoughts:  “Our Demand Side Counterfeit Drug Problem”.)

The real questions now are, what less costly technology exists (less costly than a full ePedigree system) that would have detected that crime before patients consumed the drugs?  POD Authentication is one.  Is that the solution that best fits the problem here?  Is the extra cost of a full ePedigree system worth it to be able to find and prosecute the criminals?  If so, who should pay for it?

Dirk.

If you are a regular reader of RxTrace but you still haven’t read Fortune Magazine’s recent article, “Drug Theft Goes Big” by Katherine Eban, then I suggest that you stop reading this essay right now and spend the next 15 minutes absorbing her article carefully.  And then return here for my analysis.  It’s that good and that important.

Many of you will remember Katherine Eban as the author of the excellent book “Dangerous Doses, A True Story of Cops, Counterfeiters and the Contamination of America’s Drug Supply”.  See my comments on the book here where I point out that a lot has changed since the events that are documented so well in the book.

The new Fortune article is a great update on what drug supply chain criminals have been up to since “Dangerous Doses” was published back in 2005.  The greatest thing about the article is that it contains one answer to the question that is on the minds of so many people in the industry:

HOW COULD ILLEGITIMATE DRUGS END UP IN THE LEGITIMATE SUPPLY CHAIN?

I wondered about this myself in my recent essay “Do We Even Need To Mandate Drug Pedigrees Anymore?”.  But this new article shines a light on one explanation—based on the work of a seasoned investigative reporter—of how this allegedly happened in the instance of some of the Levemir that was stolen back on February 5, 2009.  We can use this explanation to figure out how a modern pedigree model might have worked to detect the stolen drugs in the supply chain before they could cause harm to patients.

Let’s construct a hypothetical sequence of events that matches the sequence that Eban’s article describes in her section titled “From Heist to Pharmacists”.  That way we can dispense with company names and we won’t have to worry about discussing something that is probably still under investigation and will likely result in future criminal charges.

We know that the drug was manufactured and it was stolen in North Carolina while it was en-route from the manufacturer (M) to some destination.  Eban describes how some smaller quantity of drugs that matched the NDC and lot of the drugs that had been stolen were delivered to a licensed wholesaler (W1) in South Carolina five days later.

(As an interesting aside, here is a Google Map that shows a driving route between the town where the real drugs were stolen and the town where the first wholesaler received drugs of the same description as documented by Eban, only 150 miles away.  It’s very interesting, but it’s not really important to our analysis of the hypothetical sequence of events.)

W1 quickly resold these drugs to another licensed wholesaler (W2).  W2 then sold part of its stock to a third licensed wholesaler (W3) in Maryland.  W2 supplied W3 with a “phony pedigree” that inaccurately indicated the drugs had been supplied by a well known national wholesaler.

I use quotes around the phrase “phony pedigree” because that’s what Eban calls it, but that phrase gives the concept of “pedigree” a bad connotation.  One might ask, “What good are drug pedigrees if they can be faked so easily?”.

WHAT GOOD ARE DRUG PEDIGREES IF THEY CAN BE FAKED SO EASILY?

A quick check of the state pedigree regulation map posted by the Healthcare Distribution Management Association (HDMA) shows that neither North Carolina nor South Carolina have any kind of pedigree regulation.  Coincidence?  Maybe, but because neither W1, W2 nor W3 appear to have been Authorized Distributors of Record (ADR’s) for the drug in question, these drug sales should have fallen under the pedigree requirements of the federal Prescription Drug Marketing Act (PDMA).  Even with the court ordered stay in 2006 of part of those requirements, it seems that some kind of pedigree should have been required in each of these sales transactions.

But as Eban discovered in her investigation, only the W2 to W3 transaction apparently included some kind of pedigree.  That transaction occurred between South Carolina (W2) and Maryland (W3).  According to the HDMA’s map, Maryland has a pedigree regulation.  Hmmm.  Interesting.  But it didn’t help because the pedigree was allegedly forged to look legitimate.

Almost certainly, the pedigree that was supplied by W2 would have been a paper pedigree.  A paper pedigree is about as easy to forge as a note from your mother excusing you from gym class, but it is legal in every state that currently requires a pedigree for drug sales of this kind.  The regulatory acceptability of a paper pedigree is little more than an invitation to criminals to make them up.  Most tragic of all, they lend an undeserved impression of legitimacy to this kind of transaction.  W3 apparently complied with Maryland’s pedigree law.  That is, they apparently received a pedigree along with the drugs.  But even so, patients were harmed later.  The pedigree didn’t do its job of protecting patients.

Continuing with the story, W3 sold part of their stock to a chain drug store (CDS) based in Ohio.  Eban doesn’t mention if a pedigree was provided with the sale, but Ohio is another state that has no pedigree regulation.  CDS apparently distributed these drugs to their pharmacies (Ph) in at least four states where they were later found on pharmacy shelves, but not before at least two of their customers had life-threatening adverse reactions.

WHAT DOES THIS HYPOTHETICAL SEQUENCE OF EVENTS TELL US ABOUT PEDIGREE MODELS?

We have to remember that the drugs in the real story were not serialized.  So unless every unit in the entire lot that the manufacturer produced was stolen, it is not possible to say that the drugs that were allegedly found to have caused adverse events were definitely the units that were stolen.  That’s why unit-level serialization is a given in any future pedigree model.  There’s really no question about it.

I’ve already pointed out that paper pedigrees are worthless for protecting patients.  Because they can be forged so easily and the forgeries are so hard to detect, legitimate buyers of illegitimate drugs may accept them and feel confident that the drugs are real.  At least these forged paper pedigrees can be used later to help discover who the bad guys are.  That’s why investigators would rather have a forged pedigree than none at all.  At least they can use the forgery to prosecute the bad guys.  The forgery becomes obvious only after a time-consuming investigation.

But shouldn’t pedigrees help protect patients?  Shouldn’t they help legitimate supply chain members detect when they are being sold illegitimate products at the time of the sale so they can confidently refuse to buy them and notify the authorities right away?  The paper pedigree in our hypothetical story didn’t do that because it couldn’t.  A pedigree model is only as protective as the buyer’s ability to validate pedigrees quickly, efficiently and reliably.  Paper pedigrees with hand written signatures fail all of those tests.

Now let’s assume that every sale from W1 through CDS included the passing of an electronic pedigree that would be capable of being validated quickly, efficiently and reliably.  But that’s still not enough.  Even electronic pedigrees can be forged.  The difference is that forgeries of electronic pedigrees should be very easy to detect—if the pedigree model includes that feature (not all do).

But that capability alone won’t automatically translate into every legitimate company in the supply chain validating every pedigree.  Electronic pedigree validation will still take some amount of CPU time, even if that process is quick, efficient and reliable.  If companies don’t have to check the validity of pedigrees, many probably won’t bother.  In that case, even with a pedigree model that would be capable of easily detecting a forgery, patients could still be harmed if the pedigrees aren’t checked.

Should companies be required to check every electronic pedigree for validity on receipt?  If every recipient had checked an electronic pedigree in our hypothetical sequence, the sequence would have stopped at W1 because they would have easily found that the pedigree they were given was forged.  The thief could not have constructed a pedigree without forging the necessary record that only M could have produced.  All W1 would have needed to do is check the pedigree and the forgery would failed validation.

Even if W1 had skipped pedigree validation, the next sale to W2 would have provided another opportunity to detect the forged M record.  The sale to W3 provided another opportunity and the sale to CDS another.  With the combination of serialization, an electronic pedigree model with the right features and each recipient validating each pedigree they receive, this hypothetical sequence of sales would have provided at least four opportunities to detect that the product was illegitimate before it was ever given to patients.  The first recipient to actually validate the pedigree would have detected the forgery and the stolen drug would have been stopped right there.

I am fascinated by the results of Eban’s investigation.  Can you see any other lessons from either the real or the hypothetical sequence?

Drawing by Zsuzsanna Kilian

A CHALLENGE TO THE CURRENT CONVENTIONAL WISDOM

Currently well over half of the U.S. states have a drug pedigree law of some kind either on the books, in the process of being enacted or proposed in their legislature.  No two laws are exactly the same.  That fact is quite painful for the national participants in the supply chain and it gets a little worse every time a new law is enacted or a change is made to an existing law.  For this reason, the conventional wisdom among many supply chain participants, industry organizations, solution providers, and even the regulators themselves is that a nationwide pedigree law would be better than 50 different local laws. 

Many of these entities are in favor of replacing those state laws with one administered by the U.S. Food and Drug Administration (FDA).  I don’t challenge that.  In this essay, I’m challenging the very need for any U.S. pedigree requirement at all.  Let me explain.

PEDIGREE LAWS ARE AIMED AT FIGHTING A WAR THAT HAS ALREADY BEEN WON BY OTHER MEANS

That’s right.  State pedigree laws are a response to the shocking crimes against the U.S. supply chain that occurred between the late 1990’s and 2005, primarily, though not entirely, in Florida.  Katherine Eban documented these crimes so well in her excellent 2005 book,  Dangerous Doses:  How Counterfeiters Are Contaminating America’s Drug Supply (also available in paperback as Dangerous Doses: A True Story of Cops, Counterfeiters, and the Contamination of America’s Drug Supply) that I highly recommend it to everyone.

Back during that time, it was common practice for legitimate wholesalers to buy small quantities of drugs on the secondary market—that is, these drugs were bought from someone other than the original manufacturer.  The assumption was that these drugs were for sale because the current owner had bought too much legitimate product and would not be able to sell all of it before the product became too close to the expiration date, so they chose to sell it in on the secondary market at a reduced price.  Buyers normally required some form of documentation to prove that the sellers had originally bought these drugs from a legitimate source to reduce the risk that they were buying counterfeit product.  This practice had been going on successfully and very profitably in the industry for many years.

As Eban documents, in the late 1990’s, criminals discovered that they could easily forge the documentation they needed to “prove” legitimacy and so they began selling more and more illegitimate drugs—that is, stolen, counterfeit, up-labeled, diverted and tampered drugs—to these legitimate wholesalers through this secondary market.  Those wholesalers then often merged those drugs with the stock of drugs that had been bought directly from the manufacturers and then these drugs were sold to unsuspecting legitimate customers.  Viola, a small but critically significant percentage of illegitimate drugs made it into the legitimate supply chain.

But the problems that Eban documents so well won’t happen in the U.S. so easily anymore.  A month before Dangerous Doses was published in May 2005, the Office of the Attorney General of New York State initiated an investigation into the secondary market for pharmaceuticals in the U.S. supply chain and that investigation culminated in a settlement with one of the large U.S. drug wholesalers.  I should point out that I don’t have any first-hand information or knowledge about this case or the settlement other than what I have read from public sources.

The agreement, signed in December 2006, required this particular wholesaler to cease all participation in the secondary market for pharmaceuticals, among other things (see the full text of the agreement at “ASSURANCE OF DISCONTINUANCE PURSUANT TO EXECUTIVE LAW §63(15)”).  While the settlement was only with one U.S. wholesaler it apparently scared the other large wholesalers enough that they also voluntarily stopped trading pharmaceuticals on the secondary market in 2005/2006.

This was a pivotal event because it was the secondary market—the “grey” market—where illegitimate drugs were able to make it into the legitimate supply chain that these wholesalers dominate.  By closing off this huge entryway, criminals were locked out.  With that one settlement, the Office of the Attorney General of New York ended the war with criminals that Dangerous Doses exposed with a decisive victory.  As a result, the criminals moved on.  The vast majority of the U.S. pharmaceutical supply chain is now clean at the wholesale level.

WHERE ARE THE CRIMINALS NOW?

Most of the criminal activity has moved out of the legitimate supply chain, mostly onto the internet.  You know, the internet, where criminals can sell drugs directly to the few consumers who are dumb enough to think that someone will sell them legitimate prescription drugs, but do so illegally by not requiring a prescription.  That is, they think that some faceless company would be willing to knowingly break one law, but could then be trusted to provide real pharmaceuticals at below market prices.  In the age of the internet, how do you protect people who are that gullible?

But there is still one place where criminals have been able to retain a toehold in the legitimate supply chain and this can expose U.S. consumers to illegitimate product even if they only fill their prescriptions at legitimate pharmacies—whether brick-and-mortar or legitimate internet.  That is, these consumers are doing everything right.  Somehow, stolen and counterfeit drugs (part of what I classify as, “illegitimate drugs”) are still being found, however rarely, in the inventories of legitimate pharmacies.  It’s a big mystery that Federal and State investigators are apparently currently pursuing.

And where are all of the stolen drugs going?  Cargo theft is on the rise in the U.S. and around the world.  You wouldn’t think that professional criminals like those would normally steal things unless they have a ready market to sell into.  Who is buying these drugs?  Are they all making it back into the legitimate supply chain?  Some have, but how?  That information isn’t being released yet for some reason.  (See Adam Fein’s excellent essay, “How did stolen GSK product end up in pharmacies?” and my earlier essay “How to Stop Pharmaceutical Cargo Theft”.)

If the wholesale segment of the U.S. supply chain is clean, how can this occur?  I don’t know, but I can’t wait for arrests to be announced because, for this situation to exist, there have to be criminals not too far behind it and their methods should be exposed so we can close whatever hole in the supply chain they are exploiting.  But please allow me to speculate on what could be happening.

HOW COULD ILLEGITIMATE DRUGS END UP IN THE LEGITIMATE SUPPLY CHAIN?

If the big wholesalers are only buying their drug supplies directly from the manufacturers, as they have pledged, it should not be possible for stolen or counterfeit products to just appear in their inventories.  A criminal is in business to get paid, so they wouldn’t just sneak it into the inventory of an unsuspecting wholesaler.  Besides, wholesalers have pretty good security in their facilities, so I don’t think it is likely that these drugs are entering the legitimate supply chain through any wholesaler who has made the pledge.

I also don’t think it’s productive to consider that the manufacturers might somehow accept counterfeit or stolen drugs.  After all, they make the drugs, they don’t buy them.  And even when the drugs are made on their behalf by a contract manufacturer, they have solid sampling and testing regimens in place that would detect anything like this long before it reached consumers.

There are only a few possible ways I can think of for this condition to exist:

1.  Legitimate wholesalers ignoring their pledge to only buy direct from the manufacturer

It is possible that wholesalers who have made the pledge to only buy their supplies directly from the manufacturer are sometimes quietly not following that pledge.  If this is happening, they would be buying some of their stock from someone other than the manufacturer and would therefore open up the possibility that they are moving illegitimate product into the legitimate supply chain.  Technically such a wholesaler would not be committing a crime as long as the “alternate source” they buy from holds a valid wholesaler’s license.

In my experience, it’s not hard to find people who believe this is exactly what is happening.  Indeed, the settlement that the one wholesaler signed with the New York Attorney General’s office expired this past January (see paragraph 33 in the settlement), presumably releasing them to return to their old practices if they so choose.

However, I don’t believe this is what is happening.  From my observation the wholesalers who made this pledge have a genuine interest in a secure supply chain and would not revert to the business practices that led to the problems documented in Eban’s book.  Am I biased?  Perhaps.  Time will tell, but for now I am at least willing to list it as a possibility.

BTW, there are a small number of specialty drugs that even these wholesalers cannot buy directly from the manufacturer due to exclusive distributor arrangements.  I’m not including those drugs in this category and you shouldn’t either.  The “pledge” is that these wholesalers would buy drugs directly from the manufacturer when they can.

2.  Legitimate wholesalers who are unable to make the pledge to only buy directly from the manufacturer

Not all wholesalers have made the pledge to only buy directly from the manufacturer, because they can’t.  Regional wholesalers, or wholesalers who service niche markets often sell volumes of some drugs that are too small to meet the minimum purchase requirements of some pharma manufacturers so they are not able to make a pledge like the high-volume, nationwide, full-line wholesalers can.

If these legitimate companies want to serve their pharmacy customers with a wide selection of pharmaceuticals, they may be forced to buy some of their stock from one or more other wholesalers and thus cannot pledge to only buy direct.  It is possible that some of these wholesalers may buy drugs on the secondary market where there is still a chance they could fall prey to the kind of criminal activity that Eban documented in her book.  If that were to happen, these companies could unwittingly distribute illegitimate drugs to their customers.

3.  Returns through a legitimate wholesaler

For this scheme to work, a criminal needs to buy a significant amount of legitimate product from a legitimate wholesaler, then return those drugs for credit, but instead of physically returning the real product, the criminal ships back the counterfeit or stolen product and the unsuspecting legitimate wholesaler then unknowingly redistributes the illegitimate product to other customers.  The criminal would then sell the good product to someone else.

But there are a number of reasons this is highly unlikely.  First, to make enough money to justify the crime, the criminal would have to be licensed as a wholesaler, otherwise they wouldn’t be able to sell the good drugs to someone else in volume.  If they were a pharmacy, they could dispense those drugs to unsuspecting customers, but the volume would be too low to be very profitable.

Second, if the criminal has a ready buyer for the good drugs they would receive from their original legitimate purchase, why would they bother with the return? Why wouldn’t they just sell the illegitimate drugs directly to that buyer?

4.  Criminal wholesalers and/or pharmacists/pharmacies

In all 50 states it is a crime to purchase regulated pharmaceutical supplies from any company who doesn’t hold a valid license as a drug wholesaler in that state.  Any wholesaler, pharmacy or pharmacist who buys drugs from an unlicensed source is a criminal subject to prosecution, prison time and/or fines.  It is possible that any illegitimate drugs found in the inventory of a given wholesaler or pharmacy could have arrived there because the business owner, or an employee has actually crossed the line and become a criminal themselves.  This is not an unknown occurrence.

Take for example the case of Pamela Arrey of Glenelg, Maryland who pled guilty earlier this year to a number of charges, one of which was that she bought drums of expired medicines from an unlicensed source and dispensed them to patients out of two pharmacies she owned in the Baltimore area.  This sad story shows just how far a licensed pharmacist went into the dark once she made the conscious decision to step across that line and become a criminal.

I’m not the only person who is wondering where all the drugs stolen recently in cargo thefts are going.  In a CBS BNET blog post over the summer (“Stolen Advair Shows How Pharmacies Are the Crime-Infested Ghettos of the Drug Business”, pharma industry blogger Jim Edwards explains his theories about where it is going.  Unfortunately he quotes heavily from a CIO Magazine article from 2007 which contains quotes from people who relate stories from the early 2000’s, right back in the era before the wholesale segment was cleaned up.  It’s no surprise then that the stories are scary and that Edwards’ opinion is so blunt.  Katherine Eban already covered those stories, and did a better job of it.  I’d like to hear about the results of more recent investigations.

WHAT EFFECT WOULD DRUG PEDIGREES HAVE ON THESE POTENTIAL PATHS OF ENTRY?

If drug pedigrees are to put an end to the movement of illegitimate drugs into the legitimate supply chain, they would have to block all four of the potential paths of entry into the legitimate supply chain that I listed above, and maybe others I haven’t thought of.  I listed these four potential paths, not because I believe all of them are currently resulting in that movement, but because these are the only ways I can think of that could possibly result in it.  If only one of these ways turns out to be the actual path that these drugs have taken into the supply chain, then drug pedigrees would have to be able to block that one path.  Because we don’t yet know which path or paths it is, pedigrees would have to be able to block all four.  So would they?

Here is my list again with my thoughts on what effect pedigrees might have on them.

1.  Legitimate wholesalers ignoring their pledge to only buy direct from the manufacturer

I think a truly solid drug pedigree mechanism would prevent legitimate drug wholesalers from unwittingly buying and then redistributing illegitimate drugs because the criminal would not be able to forge pedigrees that appear to be “clean”.  Rather than exposing themselves to possible discovery, criminals would probably stop offering their illegitimate product for sale to a legitimate wholesaler (one who has chosen to ignore their pledge, that is).  However, if the buying wholesaler is known to not routinely bother checking the validity of the pedigrees for the product they buy, then pedigrees might not have any impact on this potential path.

2.  Legitimate wholesalers who are unable to make the pledge to only buy directly from the manufacturer

Just like the first path above, I think a truly solid drug pedigree mechanism would also prevent these legitimate wholesalers from unwittingly introducing illegitimate product into the supply chain, but with the same caveat as above.

3.  Returns through a legitimate wholesaler

Just as the two paths above, as long as the pedigree mechanism is solid and the legitimate wholesaler involved checks the validity of the pedigrees of the returned product, I think this potential path would be blocked.

4.  Criminal wholesalers and/or pharmacists/pharmacies

Here is where it gets interesting.  If a wholesaler, or one of their well-positioned employees, is a criminal, they could theoretically introduce illegitimate product into the wholesaler’s inventory by circumventing the pedigree check.  But that wholesaler would not be able to sell that product to a legitimate pharmacy customer as long as the pedigree mechanism is solid and the pharmacy checks the validity of the pedigrees for the drugs they buy.  So for wholesalers, pedigrees would do their job by blocking or exposing the criminal act.

But what if the criminal is a pharmacist or a well-positioned employee of a pharmacy?  Think of a situation like that of pharmacist Pamela Arrey that I mentioned above.  In that situation the illegitimate drugs would be knowingly bought by the employee and introduced into the “supply chain”.  It’s not much of a supply chain considering that the bad drugs are introduced right at the endpoint.  In fact, I personally don’t consider the pharmacy alone to be “a supply chain” so, to me, illegitimate drugs introduced there should not be considered to be introduced into the supply chain.

How would pedigrees help here?  The single opportunity for a pedigree validity check would be with the pharmacy, but in this instance, that’s where the criminal is.  A criminal is not going to bother checking any pedigrees because they already know they won’t check out.  The consumer who is dispensed the illegitimate drugs will never know because pedigrees are supply chain technologies that are not passed on to them (they wouldn’t know how to interpret them anyway).  Supply chain pedigrees stop at the pharmacy…in this case, at the criminal.

At the very least, in this kind of situation, pedigrees—or the lack of them if mandated—could be used to make it much easier to prosecute the criminal(s).  But if they won’t help detect the crime, easier prosecution might not matter very much.

Without the benefit of a pedigree mandate, when an investigator asks a criminal in a pharmacy where they bought the illegitimate drug that was just found in their inventory, they will certainly say they bought it from a wholesaler, even when they know they actually bought it illegally.  It would be quite easy for the criminal pharmacy worker to tell that lie, because they will certainly have some documentation that shows that they have bought that same kind of drug from one or more legitimate wholesalers in the past.  Since there are currently no serial numbers or even lot numbers indicated on shipping documents or invoices, no one can tell whether those documents refer to the illegitimate drug package being investigated, or some other one that has already been dispensed.

Here a drug pedigree would help to focus the investigation on the actual criminal, but only after the illegitimate drug was detected by some other means.  Without pedigrees in this situation, the criminal would be able to cast doubt into the mind of the investigators and erroneously implicate the innocent wholesaler.

Also, without pedigrees the wholesaler would have no way to definitively prove that they did not supply the illegitimate product, further casting doubt about who is the actual criminal.  Considering the history of criminal wholesalers and the unknowing complicity of legitimate wholesalers who once traded in the secondary “grey” market in the early 2000’s–all of which is so well documented by Katherine Eban–it may not be surprising if an investigator holds some suspicion of that wholesaler today.

I would also like to note to the proponents of Point of Dispense (POD) authentication that a POD approach would not prevent this kind of criminal attack on the supply chain.  Would the criminal bother to authenticate drugs that they know to be illegitimate?  No.

DO WE EVEN NEED TO MANDATE DRUG PEDIGREES ANYMORE?

A full pedigree mandate for all drugs in the U.S. supply chain would carry a heavy price tag throughout the supply chain.  As long as the mandate included the requirement that all buyers validate the entire pedigree, and as long as the technology used enables a rigorous validity check, I think that drug pedigrees would effectively block all of the paths of entry of illegitimate drugs into the U.S. supply chain, except when the criminal is in the pharmacy. 

The question is, which of the four paths of entry I have listed are actually taking place today?  I don’t know, but I hope investigators from the FDA and the California Board of Pharmacy have a better idea and that they use that information to drive decisions about pedigree mandates from here on. 

If it turns out that these drugs are entering “the supply chain” directly at pharmacies, then pedigrees will contribute no value in detection, and only some value in the prosecution of the criminals.  Is that worth the cost?

Four years ago the GS1 EPCglobal Software Action Group (SAG) Drug Pedigree Messaging Work Group was wrapping up the standard specification for the GS1 Drug Pedigree Messaging Standard (DPMS, aka GS1 Pedigree Ratified Standard).  That standard was developed through collaboration between U.S. pharmaceutical supply chain members, industry associations, solution providers and GS1.  DPMS 1.0 was ratified by the EPCglobal Board in early January 2007.

DPMS has many benefits.  It results in a self-contained, self-secure electronic document that clearly shows the chain of ownership and/or custody of a given drug package (or a set of packages if they all have the same history).  It works equally well with serialized and non-serialized products.  The security of DMPS documents comes from within the electronic documents themselves rather than just from a security layer wrapped around a given server.  A self-contained, self-secure document model should work well as evidence in a criminal trial.

But even before DPMS was ratified people were raising questions and concerns about it.  Those concerns were:

1. While it is great for providing a “trace” of a drug through the supply chain–that is, it provides a supply chain history to each buyer of a drug–DPMS does not provide any mechanism for “track”–that is, providing a downstream view of the supply chain history to previous owners including the manufacturer.  This would be important for some non-regulatory applications of track and trace.
2. As DPMS pedigrees move down the supply chain, they get bigger, and thus the storage burden gets bigger as they move.  This is because the chain of ownership/custody is longer and so more data is contained in each pedigree.  Because DPMS electronic documents are complete and self-contained, trading partners near the end of the supply chain, pharmacies in particular, must hold larger documents than trading partners near the beginning.  While this is partly offset by the fact that manufacturers will need to store pedigrees for many many more drug units than pharmacies, wholesalers fall somewhere in the middle.
3. The DPMS pedigree model results in duplication of data across the supply chain.  That is, most of the data contained in a pedigree that a pharmacy holds will also be held by the wholesaler, and some of it will also be held by the manufacturer.  This duplication would help investigators figure out exactly what happened to a given drug as it moved through the supply chain, but it results in greater data storage requirements for all non-manufacturer trading partners than would exist in a distributed pedigree model.  In theory, this duplication lowers the risk that a given trading partner would be falsely accused of criminal activity by allowing them to hold their own copy of the clean pedigree as they received it and as they sent it to their customer.  They would not need to rely on a third-party to keep their pedigrees secure.
4. Because an electronic document must be passed from the buyer to the seller in every distribution of a drug, a data communications channel must be established between each seller and each of their customers.  This represents a huge increase in the number of channels that are in use today.

Faced with these challenges just as DPMS was being ratified I drew up an alternative approach to pedigree and presented it in an EPCglobal Joint Action Group (JAG) meeting in Orlando in January 2007.  I called the idea “A Semi-Centralized, Semi-Distributed Track and Trace Pedigree System”.  My goal was to eliminate or reduce the magnitude of the problems raised over DPMS, but I also wanted to retain its benefits.

The only alternative to DPMS that has been proposed by others is what I call the “distributed pedigree“, where no one would hold the complete pedigree unless a regulatory inspector demands to see it.  In that case, a local system would query all of the prior owners of the drug for their part of the pedigree.  These partial pedigree components would be collected and then pieced together to form the complete pedigree, just for the inspector.  

In my view, this distributed pedigree fails to secure the supply chain because it turns the pedigree validation step into a rare, after-the-fact activity instead of an automatic and routine activity performed every time a drug is acquired from a supplier.  We lose the ability to monitor for the introduction of illegitimate drugs into the legitimate supply chain at every step and it becomes the responsibility of the government to monitor the supply chain.  On the other hand, DPMS keeps the complete pertinent data set in the hands of each member of the supply chain and distributes the responsibility for monitoring supply chain integrity to all trading partners.  In the distributed pedigree concept, the data is distributed and the responsibility for monitoring it is centralized with the government.

My goal was to retain the centralization of the data but keep the ability for validating the pedigree at every step.  I recognized the need for a central repository for pedigree data, but not a single, massive and impractical ”database in the sky”.  Because the central repositories would need to be very high performance, highly available and disaster recoverable, they would be costly.  The pedigree model would need to include a way to pay for these costs.

SEMI-CENTRALIZED, SEMI-DISTRIBUTED

My idea started with the requirement that each drug manufacturer establish a contract with a pedigree service provider that would host all of the supply chain pedigree data for the drugs that the manufacturer introduces into the supply chain.  They would pay for this service and all downstream trading partners would be given controlled access at no additional charge to allow them to deposit their part of the pedigree whenever the drugs of the associated manufacturer are sold.  In this way, the pedigrees are semi-distributed across all manufacturers, but they are also semi-centralized in that all pedigrees of a given manufacturer would be in one place.

Access to the data would be tightly controlled by the pedigree service provider so that no one, including the manufacturer who is paying for the service, could see the data contributed by other parties unless they currently own  the drug, or did so in the past.  And then, they could only see the supply chain history prior to their owning the drug.  Any trading partner could request a full pedigree, rendered in a DPMS document, that would show their ownership of the drug and all prior owners (a “trace”).  A view the other direction, down the supply chain (a “track”), would be allowed only when data sharing agreements are in force between trading partners, thus enabling non-regulatory uses of supply chain history data.

Each time a seller sells a drug to a trading partner the seller and the buyer would provide data about the transaction to the pedigree service provider of that drug.  When the service provider receives the data they would run a validation check to make sure that the pedigree is complete and consistent.  If it is not, all pertinent parties would be notified.  This includes the buyer and seller and could include the manufacturer and/or regulators.

FUNDING

The funding model of any given pedigree model is very important.  A pedigree model might sound great, but if it can’t be funded fairly, it won’t work.  For my proposed model, the cost to the manufacturer for the pedigree service would depend on the volume of drugs that the manufacturer introduces into the supply chain.  That payment would cover pedigree data services for the life of the product so that if the manufacturer goes out of business, the pedigree service for the product made and sold prior to that would already be paid for and would continue.  This cost would be added to the cost of the drugs and governmental drug pricing administrators would need to acknowledge and allow these true costs to be added. 

Each trading partner would need to contract with a single Connectivity and Information Exchange service provider that would provide services to seamlessly connect them to the pedigree service providers of all drug manufacturers.  The trading partner would pay for this service.  These fees should be much smaller than those paid by the manufacturer and so these costs would be absorbed by each trading partner.  It would become an additional cost of doing business in the pharmaceutical supply chain.  This is a fair and equitable way to fund supply chain security.

THE TECHNOLOGY

I envisioned that trading partners would make use of a data repository based on GS1′s Electronic Product Code Information Servicers (EPCIS) standard to hold their part of the pedigree data.  Because they would provide this data to the pedigree service provider, the official copy of the data would be the one held by that third-party and there would be no need for directly querying another trading partner’s EPCIS.  Each trading partner’s pedigree system would need to be able to understand the DPMS document format as well since that would be the format that a complete pedigree would be rendered in by the pedigree service provider whenever it is needed.

(Click on image to enlarge)

The pedigree service provider’s system would likely be partly based on the EPCIS interfaces but this software would be specialized to understand DPMS as well since it would need to construct DPMS pedigrees on demand.  The data would not be stored as DPMS pedigrees to avoid the duplication of data.  The digital signatures of each trading partner contained in a DPMS pedigree could now be replaced with a digital signature applied by the pedigree service provider as a way to stamp it as having been produced by the official service provider for that drug.  The EPCIS events contributed by each trading partner could also be digitally signed to provide DPMS-like non-repudiation, but only the pedigree service provider would need to validate those signatures so they would not appear in the DPMS pedigree report.

I don’t see any need for GS1′s Discovery Services, but others may see a place for it.  Back in 2007 I created a series of drawings that steps through the operation and it made use of GS1′s Object Naming Service (ONS) for each trading partner (via their connection and info exchange service provider) to find the pedigree service provider that is handling the pedigrees for each unit by serial number (EPC, that is).

THE KEY FEATURES

In 2007 I listed these key features of my design:

• Third-party hosts Pedigree Repository Services (Semi-Centralized)
• Pedigree Repositories distributed across multiple Service Providers (Semi-Distributed)
• Enables competition for Pedigree Repository Services and Connection & Info Exchange Service contracts
• Concentrates the need for High Availability and Disaster Recovery in service provider organizations rather than trading partners
• Minimizes the number of “hops” necessary to obtain the pedigree (also, # of hops does not grow)
• Enables optional item authentication at the same time pedigree is updated
• Data Security is maintained by service providers who are under contract
• GS1 ONS prevents counterfeiter from serving bogus pedigree and enables data to be moved from one service provider to another, preventing vendor “lock-in”
• Provides a practical and flexible data visibility control mechanism based on contracts
• Third-party is responsible for deleting pedigree data only after expiration of the longest legal deadline of the last pedigree transaction

WHAT EVER HAPPENED TO THIS IDEA?

What happened?  In short, nothing.  At the meeting where I presented this approach, a number of solution providers had joined forces to pitch the EPICS plus Discovery Services model and the distributed pedigree concept was born.  Since that time GS1 has pursued the development of Discovery Services, which is still far from completion. 

I continue to believe that my Semi-Centralized, Semi-Distributed Pedigree idea is still the most viable alternative to a pure DPMS pedigree model but the idea won’t progress any farther than this unless others in the supply chain recognize its strengths in comparison to either a pure DPMS or a distributed pedigree model based on EPCIS.

Does the supply chain itself make any contribution to patient safety?  The legitimate pharmaceutical supply chain is that complex web of companies that move drugs from the manufacturers to the pharmacies that dispense them to patients.  The supply chain always includes both of those end points (manufacturer and pharmacy) and, in the U.S., normally also includes at least one wholesaler.  The supply chain is typically viewed as “Manufacturer to Wholesaler to Pharmacy”, whether the pharmacy is within a hospital, clinic, retail independent, chain store, grocery store, or mail order.  The great majority of prescription drugs arriving in the hands of U.S. patients have passed through this supply chain.

So what contribution does this chain make toward the safety of those patients?  In my view, it comes in three ways:

1. Supply Chain Integrity
   This includes the responsibility of each supply chain company—and by extension to each of their employees—to be ever vigilant for attempts by criminals to introduce illegitimate drug products into the legitimate supply chain.  Trading partners should know their suppliers very well (to prevent the introduction of counterfeit, tampered or stolen drugs) and they should also know their customers (to detect and stop diversion).  The protection of patients here is fairly obvious.  They can trust that the prescriptions they receive at any legitimate pharmacy in the U.S. will contain exactly the legitimate drug their Doctor or Pharmacist prescribed.  When supply chain integrity breaks down, very sad things happen.
2. Recall Execution
   This includes extremely fast (near instant?) blockage of any shipment of units covered by a recall, communication of the recall notice to supply chain customers who have been shipped the recalled units any time in the past, and a tight quarantine of the recalled units to ensure that they cannot make their way back into regular stock.  Once a recall is issued—especially a safety recall—there should be no way for these units to move forward in the supply chain again.  Patients are protected by the immediate removal of a large pool of the recalled items from their availability, thereby reducing the problem to those remaining units that have already been dispensed to patients by pharmacies (and those drugs are outside the supply chain).  When this breaks down, patients may end up being dispensed prescriptions that contain the recalled medicine even after the recall has been issued.
3. Data Quality
   This includes the use of accurate data about each drug by every company in the supply chain.  The drug manufacturer creates this data and each successive owner in the supply chain must ensure that they are using that exact data as part of their buying, selling and dispensing.  Patients are protected mostly by their pharmacy’s use of accurate data, but because the supply chain arm of a pharmacy company may rely—at least in part—on data received from their supplier, in those instances, the quality of the data supplied will have a direct impact on patient safety.  When this breaks down there is a slight, but unnecessarily elevated risk that a patient somewhere could receive the incorrect dosage, the incorrect drug entirely, or a drug that is covered by a known recall.

Interestingly, all of these contributions to patient safety become much easier to implement and are much more reliable in execution when the drug packages are serialized and all companies in the supply chain make use of those serial numbers to maintain pedigrees.  For downstream trading partners to be able to make use of these serial numbers it is essential that manufacturers also supply two types of data for each product they serialize:  Supply Chain Master Data (SCMD) for each Stock Keeping Unit (SKU), and Instance Data (IData) for each serial number.

SUPPLY CHAIN MASTER DATA SYNCHRONIZATION

SCMD is the data that describes each product that is traded in the supply chain.  The synchronization of that data requires the creator (with a lower case “c”…I’m referring to the drug manufacturer here, not God) to pass it to every potential supply chain owner of their products, and keep it up-to-date, so that they always have the correct information.  The product code is the identifier that is used by supply chain members to link to, and reference, the SCMD.  In the case of drugs in the U.S., that product code is the NDC.

As you might expect, GS1 has a series of standards that can be used to implement SCMD.  They include the Global Trade Item Number (GTIN) and Global Data Synchronization Network (GDSN) standards.  In the pharmaceutical supply chain a GTIN can be composed from the combination of an FDA-issued Labeler Code and FDA-registered Product Code (the two components of the NDC) as a base, although manufacturers are expected to register with GS1 and pay a fee before doing so.

GS1’s GDSN is a standard that can be used by supply chains to communicate SCMD to all of the companies who participate in it.  Generally, its use requires all trading partners in a given supply chain to subscribe to a GDSN-conformant Data Pool service provider.  Unilateral adoption of GDSN by a single company doesn’t make any sense.  It’s a high bar for a large and complex supply chain to achieve through voluntary means.  Right now the pharma supply chain in the U.S. has not achieved it and so the quality of SCMD in the supply chain is currently dependent on ad hoc relationships and data passing.  Some of this includes manual data entry into the local master data systems at many points in the supply chain. 

INSTANCE DATA COMMUNICATION

Instance data is data that describes the unique and specific identity of individual units, or a relatively small collection of units of a given SKU.  For the pharmaceutical supply chain this always includes the lot and expiration date of each unit, but in the future it could also include covert security elements that could vary and therefore could be unique by the individual unit.  Like SCMD, only the creator (again, the manufacturer, but also repackagers) can create the instance data.  The unique identifier—typically composed of the product code plus a serial number—is the identifier that is used by supply chain members to link to, and reference, the instance data.  Some instance data, like information about individualized covert security elements, are not shared with downstream trading partners but are kept by the creator for use in their product or package authentication system, but data like lot and expiration date must be shared with downstream trading partners.

Again, as you might expect, GS1 has a standard to help supply chains exchange instance data.  The Electronic Product Code Information Services (EPCIS) standard can be adopted by supply chains for this purpose.  Unlike GDSN, there may be reasons a company can find value in applying EPCIS unilaterally, but the adoption of EPCIS for communicating instance data with trading partners only makes sense if all of your trading partners agree to adopt it as well.  So far the pharma supply chain in the U.S. has not yet adopted EPCIS widely for the purpose of exchanging instance data, but the standard has caught the attention of a number of the larger corporations within the supply chain.  Some of those companies are working with GS1 U.S. to figure out how this instance data can be exchanged in an interoperable way.  Currently there is no widely adopted alternative approach for communicating instance data because serialization, the enabling prerequisite technology, is only just now starting to be deployed on a handful of products in the supply chain.

MOTIVATION FOR ADOPTION

Deploying applications that serialize units, synchronize SCMD and communicate instance data through the supply chain is expensive.  Generally, companies look for hard financial returns on any investments they consider.  It’s nearly impossible to find a positive ROI from serialization and the associated data synchronization and communication.  That is, depending on how you measure “return”, and that depends on your motivation. 

Richard Feldman, Vice President of Trade and Product Safety at EMD Serono, a manufacturer of biopharmaceuticals, and Ron Bone, Sr. Vice President, Distribution Support at McKesson, a U.S. pharmaceutical wholesaler, both spoke about motivation as it relates to adoption of this type of technology at the Track and Trace Technology Seminar held by the Healthcare Distribution Management Association (HDMA) this past December.  Feldman spoke about his company’s high-level commitment to patient safety and how that commitment motivated the corporation to view funds spent on technologies designed to protect the supply chain as sound investments.  They measured the return on their investments differently than those who looked only for the hard financial returns that are so hard to come by.  Bone spoke of a similar commitment at McKesson.  Both referred to understanding and support from the highest levels of the company leadership. 

These are true supply chain organizations who realize that their very existence as participants in the pharma supply chain comes with a responsibility to contribute to its integrity.  The “return” on those investments may be immeasurable because it is most directly collected by their ultimate customers—the patients.  The result is a more secure supply chain, and a more secure supply chain is a healthier one.  One that will continue to operate well, and that ensures their ongoing participation in it.  Now that’s a “return” that every company should recognize and embrace.

Several people I know from the traceability solution provider community like to tout the similarities between the food supply chain and the pharmaceutical supply chain.  They see similar track and trace regulation in the futures of both chains.  After all, both supply chains are regulated by the same agency (FDA, although food is also regulated by the USDA) and they see them as having similar problems.  But I don’t buy all that.  My friends see the use of common tools (their products, of course) and I might give them that, but these two problems only seem similar on the surface and so, if track and trace regulation is needed for both, the two regulations ought to have only high-level similarities.

THE FOOD SUPPLY CHAIN

The increasing frequency of the scariest problems in the food supply chain are related to accidents—like unintended contact with surfaces or organic matter that contaminate the food with nasty things like E. coli or salmonella—or food that has spoiled as the result of improper storage somewhere in the supply chain—like refrigerators or freezers that aren’t doing their job.  Consumers would benefit from the use of food track and trace in situations like these only when the contamination or spoilage isn’t detected until after the product is split up and distributed down multiple paths.  The track and trace system would improve the speed of the recall and the confidence in its completeness.

Generally, food is distributed to retail outlets inside containers that are packed by the manufacturer or processor.  I’m not an expert here so those of you who are, please correct me, but I don’t think food distributors normally break down cases and ship individual saleable units to retailers.  I think they normally ship full cases, bins and pallets.  For this reason, item-level serialization is not critical to end-to-end track and trace.  However, container-level serialization-based track and trace would be a major benefit to this supply chain.

There is one more thing about the food supply chain that I think is significant for this discussion.  Many of the trading partners at the start of the supply chain are small, independent and technically unsophisticated.  Most of the trading partners at the end of the supply chain are just the opposite:  large corporations with big IT budgets.

THE PHARMACEUTICAL SUPPLY CHAIN

On the other hand, the scariest problems in the pharmaceutical supply chain are more often related to intentional acts by criminals—like counterfeiting, tampering, up-labeling, theft and diversion.  Added to those are the fairly recent and increasingly frequent recalls that result from the allegedly intentional “forgetting” to document the inclusion of a regulated pharmaceutical ingredient inside an over-the-counter (OTC) “supplement”.  I’ve received notices of this last type of recall from the FDA’s recall notice service in just the last few months that included the following undocumented ingredients in OTC products sold on the internet:

• ED drugs in male enhancement supplements
• Steroids in muscle-building supplements

Of course, recalls of drugs that are the triggered by accidents do still occur.

Unlike food wholesalers, drug wholesalers, more often than not, break open the manufacturer’s casepack of product and ship individual units to their customers (pharmacies).  Container-level track and trace won’t get you as far as it would in the food supply chain because most containers only make it one hop in the multi-hop supply chain.  To obtain a benefit as comparably “major” in the drug supply chain as container-level serialization would enable in the food supply chain, you would have to serialize at the unit-level.

Also—just the opposite of the food supply chain—the trading partners at the start of the drug supply chain are often corporations that have significant IT resources, while the independent pharmacies at the end are larger in number and they have little IT sophistication.  Of course, there are many pharmacies that are owned by technically sophisticated large corporations, but I think the differences between the food and drug supply chains are still significant when viewed this way.

DIFFERENT PROBLEMS NEED DIFFERENT SOLUTIONS

In my view, the sum total of these differences are significant enough to warrant different approaches to the solutions.  It seems to me that the problems in the food supply chain could be adequately solved through the combination of container serialization and tracing at that level.  Recalls could be made at the lot or container serial number levels.  Since the lot number of contents of each container would be known, a lot-level recall could be translated into specific container serial numbers.  This type of recall would be much more efficient and instill a lot more confidence that the recall’s progress was known at any given time.  It would also enable much more fine-grained, limited-scope recalls to occur—down to a single container if that fit the given situation.

As I’ve already pointed out above, pharmaceuticals would require unit-level serialization to provide the greatest value.  Because the problems being solved in the drug supply chain are more likely than in the food supply chain to be related to activities that are intentional, and because sometimes great efforts have intentionally been applied to keeping the evidence of criminal activity hidden, traceability of drugs should be approached differently than it is for food.  To understand this, you have to think about how an anomaly would be detected in each supply chain.

In foods, the traceability system itself has no ability to detect the anomaly.  That’s because the triggers would come from chemical/biological tests of the products themselves, or after a group of people become ill after consuming some of the food.  The traceability system would only jump into action after-the-fact to help get the product off the market and out of the hands/stomachs of consumers as quickly as possible.

You could do the same thing with pharmaceuticals because detection can occur through the same two processes I just outlined for food, but the traceability system itself could also be used to actually detect the type of activities that criminals would prefer to remain hidden—and it could trigger suspicion long before anyone is harmed by the illegitimate product.  This is what would result if every drug purchased within the legitimate supply chain included a check of the drug’s full certified chain of ownership up to that point.  This is exactly what is embodied in the Florida and the California Pedigree Laws.

THE DEPUTIZED SUPPLY CHAIN

Do you see the difference?  With food, there really isn’t a need to check the full certified chain of ownership each time the food product changes ownership because the purpose of the track and trace system would be to help expedite a recall should the food ever be found to be contaminated.  But in the drug supply chain, the purpose of the chain of custody would be to help expose, as early as possible, any criminal activity within the supply chain.  To do that, you would want to check the chain of ownership at every transaction point.

But that’s hard.  It takes time, technical sophistication and a lot of data flying around everywhere.  Plus, the introduction of illegitimate drugs into the supply chain is believed to be very small in the U.S.—so small that when compared to the number of legitimate drugs that pass through the supply chain, the number of illegitimate drugs is almost imperceptibly small.  Left up to their own choices, most trading partners in the drug supply chain would probably choose not to bother checking each transaction in this way.  And that’s why the Florida and California Pedigree Laws mandate that it be done.  They effectively “deputize” each legitimate trading partner to help watch for the introduction of illegitimate products.

Deputizing trading partners in the drug supply chain makes sense to regulators who are too understaffed to be able to monitor even a fraction of the supply chain transactions that occur every day.  This model of business regulation is fairly new but could become increasingly common as state and federal budgets come under increased pressure.  It allows a relatively small agency to do the work of a huge one, because all of the regulated companies are deputized to do some of the monitoring.  Perhaps the program most similar to the type of self-monitoring found in the Florida and California Pedigree Laws can be seen in the Suspicious Order Monitoring (SOM) programs that have recently been imposed on drug wholesalers by the U.S. DEA (Drug Enforcement Agency).  This is another way that drug wholesalers have been deputized to assist a regulatory agency.  It also, by the way, is more confirmation that the participants in the pharmaceutical supply chain are responsible for supply chain security.

TARGETED TRACK AND TRACE

I think that supply chain participants would be more open to deputization if the number of products being monitored started out small before growing over time.  The California Pedigree Law attempted to do something like that by requiring item-level serialization of only 50% of each manufacturer’s product line by 2015.  But the problem is, the remaining 50% must be serialized only one year later.  That’s too fast to be meaningfully helpful to most companies.  It may make more sense to target track and trace monitoring on a select number of products initially, taking a risk-based approach when selecting which products to start with.  Then, over time (more than one year) start expanding the number and/or type of products that would be serialized and traced.  This is a very rational approach that would achieve most of the goals of the pedigree laws, but without causing wild transitions in business practices—going from not-serialized to serialized for all products over a very short period of time— in the supply chain.

I only raise this idea now because the FDA has been given the authority to develop a track and trace standard that could be imposed by later regulation (a future adoption of the Buyer-Matheson proposal perhaps).  Could it include another deputization?  Perhaps we’ll find out sometime after the FDA gets the final Serialized Numeric Identifier (SNI) guidance out of the way in the next two months.  Stay tuned for new announcements by the FDA at that time.

There are a number of important misunderstandings out there related to exactly how illegitimate pharmaceuticals get into the hands of unsuspecting consumers and patients. We need to understand all there is to know about the subject, especially those who are responsible for protecting the public against criminal activity and those who are contemplating new laws aimed at elevating the integrity of the supply chain. In this post, I want to define and differentiate the legitimate and the illegitimate pharmaceutical supply chains.

Extracting the meanings we are looking for, Wiktionary defines the adjective “legitimate” as:

1. Accordant with law or with established legal forms and requirements; lawful
2. Conforming to known principles, or accepted rules; valid
3. (obsolete) Authorized; real, genuine

and the adjective “illegitimate” as:

1. Illegal; against the law

I don’t think there is any surprise here since these words are in fairly common use, but let’s apply these adjectives to the pharmaceutical supply chain. We could deduce:

The Legitimate Pharmaceutical Supply Chain: The chain of pharmaceutical supply that conforms to known and established legal forms, principles and requirements; the lawful supply chain; the valid supply chain; the real, the authorized, the genuine supply chain.

The Illegitimate Pharmaceutical Supply Chain: The illegal supply chain

Again, no surprises here.

We need one more definition: supply chain.

Wikipedia defines “Supply Chain” as:

“A supply chain is the system of organizations, people, technology, activities, information and resources involved in moving a product or service from supplier to customer. …”

For pharmaceuticals, the supply chain begins with the manufacturer and ends with the consumer, or patient. (For logistical purposes we often talk of our supply chain beginning with the drug manufacturer and ending with the pharmacy, but in actual fact, it ends when the product is irreversibly consumed by the patient.)

We have a single legitimate pharmaceutical supply chain in the United States–filled with complexity, but singular nonetheless. I’ve heard people make the claim that “their [pharma] supply chain is secure”, as if there were many pharma supply chains and it is no concern of theirs if anyone else’s supply chain might not be secure. For security purposes we should treat the U.S. supply chain as a single entity. Martin Luther King famously once wrote, “Injustice anywhere is a threat to justice everywhere”. Similarly, in the pharma supply chain, it could be said that insecurity anywhere is a threat to security everywhere.

Likewise, I believe we have only one significant illegitimate supply chain: the internet. That’s a topic all on its own.

Both the legitimate and the illegitimate supply chains end with the consumer/patient. Interestingly, illegitimate drugs (counterfeit, stolen, diverted, up-labeled, adulterated) can reach the consumer/patient from both the legitimate and the illegitimate supply chains.

Here is perhaps the first surprise in this essay. If we have already separated the legitimate and the illegitimate pharma supply chains, how is it possible for illegitimate drugs to make it into the legitimate supply chain? Wouldn’t they only exist in the illegitimate supply chain?

The answer to the second question is “No”. I selected the adjectives “legitimate” and “illegitimate” for supply chains and for the drugs that pass in them. Just because the adjective is the same doesn’t mean that the subjects are bound to each other.

The answer to the first question is less intuitive. How do illegitimate drugs make it to consumers/patients through the legitimate supply chain? The answer is well documented in Katherine Eban’s book, “Dangerous Doses” already discussed in an earlier post. Look at the case of Timothy Fagan. His parents did not order his Epogen from a website. They bought it (in New York in 2002, prior to the crackdown on criminals in Florida…don’t miss my comments on how much has changed since then) from their favorite national chain pharmacy, a very solid participant in the legitimate pharma supply chain. But the Epogen was “counterfeit” (actually up-labeled and spoiled due to storage at improper temperatures) and Timothy nearly lost his life as the result.

In her book, Eban follows the path of the Epogen from manufacturer to Fagan. It’s a very interesting case. A legitimate drug started out in the legitimate supply chain and it was transformed into an illegitimate drug on its way to the consumer/patient. Did it exit the legitimate supply chain, get transformed by criminals and then get reintroduced, or was the transformation executed by criminals who had infiltrated the legitimate supply chain? The answer depends on whether all of the owners were properly licensed to buy and sell that type of pharmaceutical. If they were, then the drug did not exit the legitimate supply chain. Yes, one or more of the supply chain participants were criminal enterprises, but because they were licensed, they were a legitimate part of the legitimate pharma supply chain at the time.

The point is, individual or groups of criminals can infiltrate the legitimate supply chain at any point (even in big-name companies…read the book!). Once they do, illegitimate drugs can be introduced into the supply chain…easily.