Certifications In A California-Compliant Drug Pedigree

Important Notice To Readers of This Essay

On November 27, 2013, President Barack Obama signed the Drug Quality and Security Act of 2013 into law. That act has many provisions, but one is to pre-empt all existing and future state serialization and pedigree laws like those that previously existed in California and Florida. Some or all of the information contained in this essay is about some aspect of one or more of those state laws and so that information is now obsolete. It is left here only for historical purposes for those wishing to understand those old laws and the industry’s response to them.

I’ve been involved in a number of conversations lately that included differing opinions about what will be necessary to “certify” a drug pedigree in California after their pedigree law goes into effect (2015-2017, depending on your role in the supply chain). It’s a contentious issue, especially for those who wish that a distributed pedigree model would comply.

The California Law is fairly clear that the pedigree must contain, “A certification under penalty of perjury from a responsible party of the source of the dangerous drug that the information contained in the pedigree is true and accurate.”  And that, among a list of other things, it must include “…the name and address of each person certifying delivery or receipt of the dangerous drug.”

In the California language, a “dangerous drug” is any drug that a patient can only obtain from a licensed pharmacist by presenting a valid prescription, also known as “prescription drugs”.

SO WHAT IS A “CERTIFICATION” AND HOW CAN I COMPLY WITH THE REQUIREMENT?

In January 2008, the California Board of Pharmacy published a draft document they called, “QUESTIONS AND ANSWERS RELATING TO THE CALIFORNIA ELECTRONIC PRESCRIPTION DRUG PEDIGREE LAW(S)”.  This document contains some “frequently asked” questions and their answers about the Board’s interpretation of the pedigree law.  It’s an important document for anyone wanting to get some insight into the thinking of the California Board of Pharmacy and how they might enforce the law.  In the document, they touch on issues surrounding this certification language in eleven of the seventy-eight answers (Q10, Q21, Q22, Q23, Q25, Q58, Q64, Q67, Q68, Q72 and Q73), providing a glimpse into their thinking.

In the response to Q21, What sort of certification of the contents of the pedigree does the law require?, the board answered, in part, “The board anticipates that the required certifications, of delivery or receipt, and of the truth and accuracy of the pedigree, will be achieved by use of or in combination with digital signatures.”  (See the document for the full answers.) 

In the response to Q68, Does the pedigree law mandate the type(s) of technology that must be employed?, the board answered, in part, “The board has not yet provided specific directions or technological requirements regarding how to ensure interoperability, authenticity, integrity and non-repudiation of electronic pedigrees. It is the responsibility of the involved parties to meet these requirements.”

And, “The board expects that the trading partners will be sufficiently motivated by their shared interest with the board in security of the drug supply and protection of the public, as well as by their own responsibilities under the law to certify accurate delivery or receipt of drug products and the truth and accuracy of the pedigree data exchanged, that mandates on technology to ensure drug or data security, accuracy, integrity, interoperability and non-repudiation may not prove necessary. The board expects that industry best practices will develop optimal technology (or other) standards to control collection, transmission, and sharing of data independent of legal mandates. If this is not the case, the board reserves to itself the authority to step in as necessary to secure cooperation.”

The law itself does not specify any pedigree implementation technology.  As I understand it, the Board did not intend for the Q&A document to mandate the use of any specific pedigree implementation technology either, although one could argue that they may have crossed that line with the statement:  “The board anticipates that the required certifications, of delivery or receipt, and of the truth and accuracy of the pedigree, will be achieved by use of or in combination with digital signatures.”  But I’m also told that’s why they will always keep the document in “draft” form.  In draft form, they can’t be held to it and they can readily acknowledge that there may be “errors” in the document.  (Hey, it’s just a draft!)

Only a court of law can really interpret the meaning of the language found in the law itself.  That’s why companies facing the law should rely on their legal counsel to help them identify their options in responding to the law at a level of risk that is acceptable to their business.  My perception is that, so far, few companies have involved their legal departments in helping them assess the risks.

No one I know disagrees that digital signatures can be used to comply with the pedigree certification requirement in California, but some people feel that they are too complex and their use for that purpose is too “heavy”, requiring too much data storage for each signature.  Perhaps the biggest complaint against digital signatures for pedigree certifications in general is that they must be generated with digital certificates that are assigned to, or “owned” by, an individual rather than the corporation.

The California law says that the certification must be made by a “…responsible party…”—presumably someone who has the authority to bind the corporation to an oath “…that the information contained in the pedigree is true and accurate”.  Depending on your interpretation of that language, that might eliminate all but the topmost individual in a modern pharmaceutical wholesaler distribution center in the U.S., and that person isn’t routinely present in the warehouse to observe these operations and then make those certifications.  In some organizations, few people below a certain rank have that kind of authority, “…under penalty of perjury…”.

The California Q&A document seems to say that the Board of Pharmacy expects digital signatures to be used—at least in part—for the certifications (“…by use of or in combination with…”), but I’ve heard recently that they, perhaps, didn’t mean to go that far, and that they currently may be open to reasonable proposals for alternate approaches that are more light-weight, but which retain an acceptable level of information security and non-repudiation. (Remember, it’s just a draft!) Let’s just call it an unsubstantiated rumor right now. I’ve asked for confirmation or clarification but have not yet received a response. This rumor apparently came through Virginia Herold’s (Executive Officer of the California Board of Pharmacy) presentation at GS1 US’s recent 2015 Readiness Program Workshop in San Francisco. I was not present but I spoke with a number of people who were there.

But “non-repudiation” and “light-weight” seem to be two contradictory terms.  Digital signature technology was specifically designed to have the property of non-repudiation, but I have to assume that the designers were not intentionally trying to create something that was “heavy”.  (For more on the history of digital signatures and the law, see these excellent resources.)  Can someone tell us about some method to secure pedigree information using a “light-weight” approach without losing the property of non-repudiation?  That’s what would be needed if the Board and supply chain companies are to be mutually satisfied.

WHY IS ‘NON-REPUDIATION’ SO IMPORTANT?

Why is “non-repudiation” so important to the Board?  My assumption is that they believe that an oath…I mean a “certification”…would be meaningless unless they could make it “stick” to a given individual, and, because that person would be a “…responsible party…”, therefore to the corporation.  That is, make it stick in court.  Let me demonstrate.

Here is a certification that does not have the property of “non-repudiation”:

“I, President Barack Obama, certify that I will pay Dirk Rodgers of RxTrace.com $1,000,000 on January 1, 2011”.

Do you think I will collect? Do you think it would stand up in court? No and No. Why? Because, no matter how much I claim that President Obama typed that “certification”, there is no way I could possibly prove that he did. No one would believe me because President Obama could simply deny that he typed it and it would be his word against mine. You can tell just by looking at it. He could easily “repudiate” that he ever made the “certification”, so no court would even bother trying it.

Even if President Obama actually had typed the “certified” statement just like it appears above, it would still be worthless for the same reason.

Even if I wrapped the statement with a forged digital signature (one that used a private key that I made up), it still wouldn’t stick because I could not demonstrate that President Obama generated the digital signature. My forgery would be just as obvious as if there were no digital signature at all, or even more so.

But if President Obama had wrapped the certification above with a digital signature generated using his private key, he would not be able to repudiate it (it would be “non-repudiable”) and I should be able to use it as evidence against him in court if he failed to pay me the $1,000,000 by the deadline.

“Certification” of a drug pedigree using any technique that doesn’t include the property of non-repudiation will be just as worthless as the fake “certification” above.  It might look good, but it would have no value.  And why should the industry be forced to deploy a costly pedigree system that results in worthless documentation–documentation that is no better than my…ahem, I mean, President Obama’s… worthless fake “certification” above?  How would the public be protected by something so worthless?
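The cases walked through above (a bare typed statement, a signature made with a made-up key, and a signature made with the signer's own private key), plus a statement edited after signing, as an added Go example that is not from the original essay or from DPMS. It uses Ed25519 from the Go standard library as a stand-in for certificate-based signatures; the `Registry` type, the signer name and the statement text are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Certification is a statement, the name of the claimed signer, and a signature.
type Certification struct {
	Signer    string
	Statement []byte
	Signature []byte
}

// Registry (hypothetical) maps a person to the public key bound to them,
// the job a certificate authority performs in a real PKI.
type Registry map[string]ed25519.PublicKey

func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Certify signs the statement with the given private key.
func Certify(signer string, priv ed25519.PrivateKey, text string) Certification {
	msg := []byte(text)
	return Certification{Signer: signer, Statement: msg, Signature: ed25519.Sign(priv, msg)}
}

// Verify accepts only a signature over exactly this statement made with the
// private key matching the public key registered to the claimed signer.
func (r Registry) Verify(c Certification) bool {
	pub, known := r[c.Signer]
	return known && ed25519.Verify(pub, c.Statement, c.Signature)
}

// Demo checks four constructed cases: genuine, forged, altered, unsigned.
func Demo() (genuine, forged, altered, unsigned bool) {
	const who = "Responsible Party" // constructed sample signer
	const text = "I certify under penalty of perjury that this pedigree is true and accurate."
	pub, priv := newKey() // the signer's real key pair
	_, madeUp := newKey() // a private key the forger made up
	reg := Registry{who: pub}

	good := Certify(who, priv, text)
	fake := Certify(who, madeUp, text) // names the signer, wrong key
	changed := good
	changed.Statement = []byte(text + " Quantity: 500") // edited after signing
	bare := Certification{Signer: who, Statement: []byte(text)} // typed text only
	return reg.Verify(good), reg.Verify(fake), reg.Verify(changed), reg.Verify(bare)
}

func main() {
	fmt.Println(Demo())
}
```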

WHERE DO WE GO FROM HERE?

So where do we go from here?  Well, the GS1 Drug Pedigree Messaging Standard (DPMS) was designed to comply with all existing pedigree laws in the U.S., which means that it uses digital signatures for all necessary certifications.  Digital signatures are known to comply, giving DPMS users confidence that they are covered regarding any certification requirements.

And just for the record, compliant “certifications” is just one of the “complex features” that GS1 US (or GS1 Global for that matter) has not yet figured out how to do in a “distributed pedigree” approach, or even in an alternate non-distributed approach.  Someone could probably create an alternative, non-distributed, approach to pedigree that is based on the GS1 Electronic Product Code Information Services (EPCIS) standard which used digital signatures for certifications, but that would result in something that is even more “heavy-weight” and unwieldy than DPMS, so no one is seriously pitching an approach like that.

So if you have any ideas for producing an electronic certification that has the property of non-repudiation, but requires less overhead than digital signatures, let me know.  I know a group of folks who are looking for exactly that.  But, while we wait for that, luckily, the industry already has DPMS for certifying pedigrees compliantly.

7 thoughts on “Certifications In A California-Compliant Drug Pedigree”

  1. The pedigree law is 20+ years old and the technologies have advanced well beyond the paper based model. Why do we need digitally signed pedigrees? All we need is for each supply chain member to be able to deliver to authorities standard electronic documentation for receipt and shipment of each serialized product. The combination of serialized product and standard electronic documentation (that the company will attest to its accuracy) will greatly improve safety.

    The law should change in order to keep up with the times.

    1. Anonymous,
      Thanks for your comment. The purpose of my essay is to explain what would be necessary to comply with an existing law (California) using some of that modern electronic technology (digital signatures) that you refer to. One of my points is that you can’t “attest to its accuracy” without the property of non-repudiation regardless of which electronic pedigree technology you use. And, by the way, the California pedigree law is only about 6 years old. You may be thinking of the Federal Prescription Drug Marketing Act (PDMA) which was enacted in 1988 and is pretty archaic in comparison to the current incarnation of the California law.

      Dirk.

  2. Dirk – If you break the California law into three pieces:

    1. Unit-level serialization
    2. Electronic Pedigree
    3. Certification

    Obviously serialization is the most expensive. But certification could offer the biggest challenge to processes.

    In your opinion, does certification by an individual “pierce the corporate veil” and carry personal liability for that individual?

    I did not read it like that – thinking any liability is with the company, but am interested in your opinion. If that is the direction, I suspect line inspection salaries might climb…

    1. Brian,
      Thanks for your comment. I agree with your thought that certification could offer the biggest challenge, even greater than those posed by serialization itself. I also agree with your thought that the need for digital signatures to be assigned to an individual will make them personally liable for any illegitimate product that could possibly slip into a shipment or receipt.

      It will be interesting to see where this goes. Will this cause digital signature technology to be totally rejected for pedigree certifications? (Remember, it is the law that requires a certification under penalty of perjury by a responsible PERSON, and not the technology.) Will the regulators be willing to release the individual from liability in favor of elevating it to the corporation (this is the least likely of all these questions)? Will a company officer be needed on the shipping and receiving docks of supply chain companies just so they can certify each shipment and receipt? These are all very pertinent questions that someone needs to answer. I don’t think enough people who will be impacted by this situation are currently aware of these issues.

      Dirk.

  3. In an EPCIS model, the query would require a company to company authentication via digital certificates. Certainly a company could not repudiate that they provided the information for a serialized item whose information was queried. In the same way you can’t repudiate that you sent an invoice to your partner over an AS2 connection.

    We shouldn’t constrain ourselves to the document based model established by PDMA.

    1. Anonymous,
      Thanks for your comment. The digital certificate used in AS2 is used purely to encrypt the message to prevent unauthorized viewing of the content. This may be technically very similar to the use of digital certificates for digitally signing a message for the purpose of certifying it, but it is a totally different application and would clearly not fulfill the California law. California requires a certification under penalty of perjury by a responsible individual, not a corporate-level message encryption certificate. Like I pointed out to Brian in my previous comment, this requirement comes from the law, not the technology. Fortunately, digital signatures can be used to accomplish exactly what the law requires, but you have to follow a much more rigorous key management and security in that application than you do for use in encryption. DigSigs are proposed as the technical solution only because they fit the legal requirement perfectly. A few people have an argument with requirements in the law, but prefer to attack the technology instead. That’s not going to be a productive approach.

      Check out the links I placed in the essay that cover the use of digital signatures for legal certifications. You will find that the American Bar Association has an extensive set of information on how digital signatures can be used to turn electronic documents into legal documents…exactly what California is expecting in an electronic pedigree.

      One more thing. Most people know DPMS as a “document model pedigree”, but EPCIS events and DPMS pedigrees are both composed of XML documents. The only difference is that a DPMS pedigree is always represented in a single XML document, where EPCIS events are typically spread across many separate XML documents that would need to be strung together to represent the equivalent information. I contend that this single document approach makes for a better legal document. A few people also mis-interpret this as meaning that the data is “locked” inside of the document and therefore is not accessible for use in other applications. But DPMS pedigrees, just like EPCIS events, are only intended to be used as the way of encasing the pedigree data when it is exchanged between companies, or when it is outside the four-walls of the owner. A normal database should always be used to hold the data of both EPCIS events and DPMS pedigrees while they are held in storage.

      Dirk.

  4. There are EPCIS based pedigree management systems available now that offer digital signature support. What approach have these systems used?
