pedigree certification, security

Electronic Message Security and More on Certifications

Important Notice To Readers of This Essay On November 27, 2013, President Barack Obama signed the Drug Quality and Security Act of 2013 into law. That act has many provisions, but one is to pre-empt all existing and future state serialization and pedigree laws like those that previously existed in California and Florida. Some or all of the information contained in this essay is about some aspect of one or more of those state laws and so that information is now obsolete. It is left here only for historical purposes for those wishing to understand those old laws and the industry’s response to them.

Digital electronic messages can be transmitted from one party to another using a wide range of communications technologies.  Today, businesses that make use of the internet to transmit their business messages to and from their trading partners make use of standards-based Electronic Data Interchange (EDI) message formatting.

EDI messages are typically transmitted point-to-point, from one business to one other business.  There are a large number of EDI message types defined but in the pharmaceutical supply chain the most common messages are purchase orders, purchase order acknowledgments, invoices and advance shipment notices (ASN’s).  (While I have the chance, I’d like to point out that ASN’s are not pedigrees for multiple reasons that I will not cover in this essay.)

In the U.S. pharma supply chain AS2 is the most common communications protocol in use for EDI message exchange.  AS2 provides generalized message security to ensure that the messages cannot be understood or tampered with by unauthorized parties during movement from sender to recipient.  According to Wikipedia, these are achieved through the use of digital certificates and encryption.  Messages can optionally be digitally signed by the sender to provide non-repudiation within the AS2 payload context.

Electronic pedigrees as defined by the states of Florida and California are messages that contain fairly complex legal documentation which describe the chain of custody or ownership of a given package of drugs, but they also contain several types of legally required certifications.  I’ve written about these certifications in the past (see “Certifications In A California-Compliant Drug Pedigree” and “Digital Signatures”) and I have more to say about them below.

Electronic pedigree messages need to be transmitted from point-to-point over the internet just like traditional EDI documents and so they have the same need for secure transmission.  In fact, AS2 is one of the protocols that has been used for transmission of pedigrees that take the form of GS1 Drug Pedigree Messaging Standard (DPMS) documents.  AS2 is also one of the protocols specified for business to business exchange of GS1 Electronic Product Code Information Services (EPCIS) events which may someday be used as components of electronic pedigrees.

In RxTrace I usually discuss the kind of digital electronic messages that contain drug pedigree information, but in reality, almost any digital electronic business-to-business messages could have needs that are similar to pedigrees.  In this essay I want to take a closer look at the certification requirements and discuss some of the technical implications that result.

WHAT IS A “CERTIFICATION”?

The Merriam-Webster dictionary defines the word “certification” this way:

cer·ti·fi·ca·tion  noun \ˌsər-tə-fə-ˈkā-shən\

  1. the act of certifying : the state of being certified
  2. a certified statement

It defines the word “certify” this way:

cer·ti·fy  verb \ˈsər-tə-ˌfī\

  1. to attest authoritatively: as
    1. confirm
    2. to present in formal communication
    3. to attest as being true or as represented or as meeting a standard
    4. to attest officially to the insanity of
  2. to inform with certainty : assure
  3. to guarantee (a personal check) as to signature and amount by so indicating on the face
  4. to recognize as having met special qualifications (as of a governmental agency or professional board) within a field <agencies that certify teachers>

If these words are specifically defined in the California statues I haven’t been able to find them, so when those words are used in their pedigree regulations and the Board of Pharmacy’s document, “QUESTIONS AND ANSWERS RELATING TO THE CALIFORNIA ELECTRONIC PRESCRIPTION DRUG PEDIGREE LAW(S)”, I think the first definition of “certification” and definition 1.3 for “certify” are the what they mean.  I’ve bolded those definitions above.  Let me know in a comment if you disagree with my choice.

The dictionary definitions above strongly imply that it is a person or organization that is doing the certifying.  For that reason, for a certification to be performed, it must be bound to the person or organization that is executing it.

The California law says that each owner of a drug must include in the pedigree for that drug “A certification under penalty of perjury…that the information contained in the pedigree is true and accurate.”  Pedigrees must also include “…the name and address of each person certifying delivery or receipt of the…drug.”

These appear to be two different kinds of certifications.  The first is certifying that “the information contained in the pedigree” is “true and accurate”.  The second is certifying the “delivery or receipt of the drug”.  It’s an open question if these two or three certifications per owner can be combined into the execution of a single technical certification.

HOW DOES DPMS IMPLEMENT THESE CERTIFICATIONS?

In DPMS pedigrees, certifications are implemented through the use of digital signatures that use X509 certificates to bind the identity of a person or organization as the “signer” to a given range of data within the pedigree message.  These digital signatures provide non-repudiability of the signer’s identity and they break the signature if someone later modifies the portion of the pedigree that was signed.  X509 also defines a way to revoke the authorization of a certificate holder to sign future pedigrees.

DPMS requires the signer to identify the “signatureMeaning” of the digital signature they are applying.  This “signatureMeaning” is the magical element that converts digital signatures in DPMS pedigrees from a collection of data that simply identifies the signer and associates him/her/it with a range of chain-of-custody/-ownership data, into the true “certification” of the target range of data that is being signed by the signer.  The “signatureMeaning” provides context to the signature by allowing the signer to clearly indicate their intent when they apply their signature.  In DPMS the “signatureMeaning” may be one of the following values (this list is extendible):

  • “Certified”  when certifying the content added to a pedigree
  • “Received” use by recipient after receiving the item against the pedigree
  • “Authenticated” used by recipient after successfully authenticating the pedigree
  • “Received and Authenticated” used by the recipient after successfully authenticating a pedigree and receiving the item against the pedigree

HOW CAN CERTIFICATIONS BE APPLIED TO A COLLECTION OF EPCIS EVENTS?

That’s the million dollar question—one that has stopped efforts to move forward with an EPCIS-only pedigree solution in the past.  The question remains unanswered.  Fortunately there is another group of very bright people who are now working to answer the question.  DPMS can be used as a reference model but the goal of this group is not to simply recreate DPMS using EPCIS events.  The use of digital signatures in DPMS is the thing that is most often cited as the reason people wish to look for an alternate solution to the pedigree regulations.

But to implement an acceptable certification without using digital signatures is a tall order.  You will need to come up with some way to clearly document the identity of the individual or organization (and provide non-repudiation of it) and then bind them to the set of events that describe the part of the pedigree that they need to certify.  Of course, once certified the certifier will demand that the set of events they just certified cannot be modified in any way without breaking their certification.  Otherwise they could be held legally liable for a change to the events that they did not authorize.

So let’s see.  The certification will need to…

  1. Provide a mechanism to clearly document the certifier’s identity (with non-repudiation…and also with a way to revoke their authorization to certify),
  2. Tightly bind the certifier to a specific set of EPCIS events, and
  3. Prevent unauthorized modification of the same set of events.

Hmmm.  So far it sounds just like a digital signature to me.  Oh, but I need to add …

4.  Require less space overhead and less complexity than a digital signature.

I’m not saying it can’t be done.  Chances are you can do any two or three, but to do all four will be really hard.  In fact, if the group is successful it would mark a huge leap forward in digital technology and it would open doors to its use in many other types of legal documents and business transactions.

For EPCIS-only to work as a pedigree system this problem will have to be solved.  Watch for the results of this effort in the next few years.