I’ve been involved in a number of conversations lately that included differing opinions about what will be necessary to “certify” a drug pedigree in California after their pedigree law goes into effect (2015-2017, depending on your role in the supply chain). It’s a contentious issue, especially for those who wish that a distributed pedigree model would comply.
The California Law is fairly clear that the pedigree must contain, “A certification under penalty of perjury from a responsible party of the source of the dangerous drug that the information contained in the pedigree is true and accurate.” And that, among a list of other things, it must include “…the name and address of each person certifying delivery or receipt of the dangerous drug.”
In the California language, a “dangerous drug” is any drug that a patient can only obtain from a licensed pharmacist by presenting a valid prescription, also known as “prescription drugs”.
SO WHAT IS A “CERTIFICATION” AND HOW CAN I COMPLY WITH THE REQUIREMENT?
In January 2008, the California Board of Pharmacy published a draft document they called, “QUESTIONS AND ANSWERS RELATING TO THE CALIFORNIA ELECTRONIC PRESCRIPTION DRUG PEDIGREE LAW(S)”. This document contains some “frequently asked” questions and their answers about the Board’s interpretation of the pedigree law. It’s an important document for anyone wanting to get some insight into the thinking of the California Board of Pharmacy and how they might enforce the law. In the document, they touch on issues surrounding this certification language in eleven of the seventy-eight answers (Q10, Q21, Q22, Q23, Q25, Q58, Q64, Q67, Q68, Q72 and Q73), providing a glimpse into their thinking.
In the response to Q21, “What sort of certification of the contents of the pedigree does the law require?”, the board answered, in part, “The board anticipates that the required certifications, of delivery or receipt, and of the truth and accuracy of the pedigree, will be achieved by use of or in combination with digital signatures.” (See the document for the full answers.)
In the response to Q68, “Does the pedigree law mandate the type(s) of technology that must be employed?”, the board answered, in part, “The board has not yet provided specific directions or technological requirements regarding how to ensure interoperability, authenticity, integrity and non-repudiation of electronic pedigrees. It is the responsibility of the involved parties to meet these requirements.”
And, “The board expects that the trading partners will be sufficiently motivated by their shared interest with the board in security of the drug supply and protection of the public, as well as by their own responsibilities under the law to certify accurate delivery or receipt of drug products and the truth and accuracy of the pedigree data exchanged, that mandates on technology to ensure drug or data security, accuracy, integrity, interoperability and non-repudiation may not prove necessary. The board expects that industry best practices will develop optimal technology (or other) standards to control collection, transmission, and sharing of data independent of legal mandates. If this is not the case, the board reserves to itself the authority to step in as necessary to secure cooperation.”
The law itself does not specify any pedigree implementation technology. As I understand it, the Board did not intend for the Q&A document to mandate the use of any specific pedigree implementation technology either, although one could argue that they may have crossed that line with the statement: “The board anticipates that the required certifications, of delivery or receipt, and of the truth and accuracy of the pedigree, will be achieved by use of or in combination with digital signatures.” But I’m also told that’s why they will always keep the document in “draft” form. In draft form, they can’t be held to it and they can readily acknowledge that there may be “errors” in the document. (Hey, it’s just a draft!)
Only a court of law can really interpret the meaning of the language found in the law itself. That’s why companies facing the law should rely on their legal counsel to help them identify their options in responding to the law at a level of risk that is acceptable to their business. My perception is that, so far, few companies have involved their legal departments in helping them assess the risks.
No one I know disagrees that digital signatures can be used to comply with the pedigree certification requirement in California, but some people feel that they are too complex and their use for that purpose is too “heavy”, requiring too much data storage for each signature. Perhaps the biggest complaint against digital signatures for pedigree certifications in general is that they must be generated with digital certificates that are assigned to, or “owned” by, an individual rather than the corporation.
The California law says that the certification must be made by a “…responsible party…”—presumably someone who has the authority to bind the corporation to an oath “…that the information contained in the pedigree is true and accurate”. Depending on your interpretation of that language, that might eliminate all but the topmost individual in a modern pharmaceutical wholesaler distribution center in the U.S., and that person isn’t routinely present in the warehouse to observe these operations and then make those certifications. In some organizations, few people below a certain rank have that kind of authority, “…under penalty of perjury…”.
The California Q&A document seems to say that the Board of Pharmacy expects digital signatures to be used—at least in part—for the certifications (“…by use of or in combination with…”), but I’ve heard recently that they, perhaps, didn’t mean to go that far, and that they currently may be open to reasonable proposals for alternate approaches that are more light-weight, but which retain an acceptable level of information security and non-repudiation. (Remember, it’s just a draft!) Let’s just call it an unsubstantiated rumor right now. I’ve asked for confirmation or clarification but have not yet received a response. This rumor apparently came through Virginia Herold’s (Executive Officer of the California Board of Pharmacy) presentation at GS1 US’s recent 2015 Readiness Program Workshop in San Francisco. I was not present but I spoke with a number of people who were there.
But “non-repudiation” and “light-weight” seem to be two contradictory terms. Digital signature technology was specifically designed to have the property of non-repudiation, but I have to assume that the designers were not intentionally trying to create something that was “heavy”. (For more on the history of digital signatures and the law, see these excellent resources.) Can someone tell us about some method to secure pedigree information using a “light-weight” approach without losing the property of non-repudiation? That’s what would be needed if the Board and supply chain companies are to be mutually satisfied.
WHY IS ‘NON-REPUDIATION’ SO IMPORTANT?
Why is “non-repudiation” so important to the Board? My assumption is that they believe that an oath…I mean a “certification”…would be meaningless unless they could make it “stick” to a given individual, and, because that person would be a “…responsible party…”, therefore to the corporation. That is, make it stick in court. Let me demonstrate.
Here is a certification that does not have the property of “non-repudiation”:
“I, President Barack Obama, certify that I will pay Dirk Rodgers of RxTrace.com $1,000,000 on January 1, 2011”.
Do you think I will collect? Do you think it would stand up in court? No and No. Why? Because, no matter how much I claim that President Obama typed that “certification”, there is no way I could possibly prove that he did. No one would believe me because President Obama could simply deny that he typed it and it would be his word against mine. You can tell just by looking at it. He could easily “repudiate” that he ever made the “certification”, so no court would even bother trying it.
Even if President Obama actually had typed the “certified” statement just like it appears above, it would still be worthless for the same reason.
Even if I wrapped the statement with a forged digital signature (one that used a private key that I made up), it still wouldn’t stick because I could not demonstrate that President Obama generated the digital signature. My forgery would be just as obvious—or even more so—than if there were no digital signature at all.
But if President Obama had wrapped the certification above with a digital signature generated using his private key, he would not be able to repudiate it (it would be “non-repudiable”) and I should be able to use it as evidence against him in court if he failed to pay me the $1,000,000 by the deadline.
“Certification” of a drug pedigree using any technique that doesn’t include the property of non-repudiation will be just as worthless as the fake “certification” above. It might look good, but it would have no value. And why should the industry be forced to deploy a costly pedigree system that results in worthless documentation–documentation that is no better than my…ahem, I mean, President Obama’s… worthless fake “certification” above? How would the public be protected by something so worthless?
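The distinction drawn above, as an added example that is not part of the original post: a textbook RSA signature stands in for a real digital signature, and a shared-key HMAC stands in for a "light-weight" alternative. The keys, names and certification text are constructed for illustration, and the toy RSA (fixed Mersenne primes, no padding) only shows the verification logic; it is not a usable signature scheme.

```python
import hashlib
import hmac

E = 65537  # public exponent shared by both constructed key pairs


def make_keypair(p, q):
    """Textbook RSA key from two primes: returns (modulus n, private exponent d)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return n, d


def digest(statement, n):
    """SHA-256 of the statement, reduced into the range of the modulus."""
    return int.from_bytes(hashlib.sha256(statement).digest(), "big") % n


def sign(statement, n, d):
    return pow(digest(statement, n), d, n)


def verify(statement, signature, n):
    """Anyone holding only the public modulus n can run this check."""
    return pow(signature, E, n) == digest(statement, n)


# Constructed keys: the certifier's real key pair, and one "made up" by a forger.
SIGNER_N, SIGNER_D = make_keypair(2**127 - 1, 2**89 - 1)
FORGER_N, FORGER_D = make_keypair(2**107 - 1, 2**61 - 1)

# Constructed certification text, modelled on the statutory wording quoted earlier.
STATEMENT = (b"I certify under penalty of perjury that the information "
             b"contained in the pedigree is true and accurate.")


def demo():
    genuine = sign(STATEMENT, SIGNER_N, SIGNER_D)
    forged = sign(STATEMENT, FORGER_N, FORGER_D)  # signed with the made-up key
    shared = b"constructed shared secret"         # known to sender AND receiver
    tag_sender = hmac.new(shared, STATEMENT, hashlib.sha256).digest()
    tag_receiver = hmac.new(shared, STATEMENT, hashlib.sha256).digest()
    return {
        "genuine_verifies": verify(STATEMENT, genuine, SIGNER_N),
        "forged_verifies": verify(STATEMENT, forged, SIGNER_N),
        "altered_verifies": verify(STATEMENT + b" (amended)", genuine, SIGNER_N),
        # The receiver can produce the identical tag, so the tag proves nothing
        # about which of the two parties wrote the statement.
        "receiver_can_make_same_tag": hmac.compare_digest(tag_sender, tag_receiver),
    }


if __name__ == "__main__":
    print(demo())
```

The last result is why a shared-secret check gives integrity but not non-repudiation: the certifier can plausibly claim the receiver generated the tag.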
WHERE DO WE GO FROM HERE?
So where do we go from here? Well, the GS1 Drug Pedigree Messaging Standard (DPMS) was designed to comply with all existing pedigree laws in the U.S., which means that it uses digital signatures for all necessary certifications. Digital signatures are known to comply, giving DPMS users confidence that they are covered regarding any certification requirements.
And just for the record, compliant “certifications” are just one of the “complex features” that GS1 US (or GS1 Global for that matter) has not yet figured out how to do in a “distributed pedigree” approach, or even in an alternate non-distributed approach. Someone could probably create an alternative, non-distributed, approach to pedigree that is based on the GS1 Electronic Product Code Information Services (EPCIS) standard and that uses digital signatures for certifications, but that would result in something that is even more “heavy-weight” and unwieldy than DPMS, so no one is seriously pitching an approach like that.
So if you have any ideas for producing an electronic certification that has the property of non-repudiation, but requires less overhead than digital signatures, let me know. I know a group of folks who are looking for exactly that. But, while we wait for that, luckily, the industry already has DPMS for certifying pedigrees compliantly.