Reliance on Trust in the U.S. Pharma Supply Chain

Trust plays a big role in today’s U.S. pharmaceutical supply chain.  Patients trust that their doctors know what they are doing when they prescribe a medicine and they trust their pharmacist to fill their prescriptions with real medicines that were:

  • manufactured to tight quality specifications,
  • are well within the expiration date,
  • have not been tampered with,
  • have always been kept within recommended environmental tolerances,
  • and have been in the control of companies who have a strong interest in supply chain integrity and in the safety of the drugs within the supply chain.

When we receive our little amber bottles of repackaged drugs from our pharmacist, we aren’t given any way to check on any of those things ourselves.  We trust that the pharmacy has done something to ensure all that.  And fortunately in the U.S., we are almost always justified in that trust.  We enjoy the safest supply chain in the world.


But, now if the pharmacy doesn’t get the drugs directly from the manufacturer, they trust that their wholesaler will supply them with drugs that have those characteristics too.  And if the pharmacy’s wholesaler doesn’t get the drugs directly from the manufacturer, they trust that their wholesaler’s wholesaler provides them with drugs like that too.  And if the pharmacy’s wholesaler’s wholesaler doesn’t get the drugs directly from the manufacturer, they trust that their wholesaler’s wholesaler’s wholesaler provides drugs like that too.  And so on up the supply chain until we reach the manufacturer.

“But wait a minute”, you say, “That’s a lot of trust built on top of trust.  Is that really safe?

I’m not trying to alarm you.  Please keep in mind that the vast majority of all drugs sold in the U.S. pass through only one wholesaler on its way from the manufacturer to your pharmacy.  Only a very tiny fraction of the drugs pass through more than one wholesaler.  But, for example, in the case that I dissected last week in “Lessons from “Drug Theft Goes Big”, based on the Fortune Magazine article “Drug Theft Goes Big” by investigative reporter Katherine Eban, there are—very rarely—occasions when drugs that are sold by reputable pharmacies allegedly may have passed through criminal hands on their way through the supply chain.  In these very rare cases, the whole trust-thing collapses and bad things can result.


Here is how the “chain of trust” worked in Eban’s story.  First, the pharmacy, Ph, had no means to see who had owned the drugs prior to their wholesaler, W1, so they trusted that the drugs were legitimate.

According to Eban’s story, W1 was allegedly given a pedigree by their wholesaler, W2, so rather than blindly trusting that the drugs were legitimate, they instead trusted that the pedigree they were given was legitimate.  But, unfortunately, it was allegedly forged, and because W1 had no efficient way to verify the authenticity of the pedigree they were allegedly given, all the pedigree did in reality was to remove suspicion and doubt from W2.  So in effect, W1 blindly trusted W2 because they blindly trusted the pedigree they were allegedly given.

I think the alleged forged pedigree that W2 allegedly passed to W1 will turn out to be the “smoking gun” that implicates W2, but we’ll have to see how it turns out in court.  So for now, I’ll ignore it and just say that W2 had no accurate means to see who had owned the drugs prior to their wholesaler, W3, so they trusted that the drugs were legitimate.  But, AH HA!, now we see that W3 allegedly acquired the drugs from someone who was either a thief, or who themselves acquired them from a thief.  The drugs allegedly matched those that had been stolen a few weeks before and only 150 miles away…allegedly.

This appears to be a case where the “chain of trust” collapsed because criminals exploited it.


The supply chain visibility model that is in use here, and throughout the supply chain today, is what is known as the “one up, one down” model.  Each trading partner can tell you where they acquired the drugs (one up) and where they sold them (one down).  For example, W1 can report that they bought the drugs from W2 (one up), and they sold the drugs to Ph (one down).  That’s it.  That’s all they can tell you.

Now someday, once all drugs are serialized at the unit level, this “one up, one down” visibility model may appear to be safer than in today’s non-serialized supply chain, but in reality it will just be easier to keep track of “one up, one down” accurately.  It wouldn’t have allowed W1 to know anything more about the legitimacy of the drugs in their possession.  They would still need to trust that they are legitimate.

The “one up, one down” visibility model relies totally on the “chain of trust” because it doesn’t provide any way for buyers to check the full supply chain history of the drugs they buy.  They are forced to trust their supplier.  But in reality, it isn’t a “chain of trust”, rather, it is a “chain of blind trust”!

No!  In fact, it is a “chain of blindness”.  Each trading partner is blind to where the drugs came from prior to their immediate supplier.  The “one up, one down” visibility model is not a “visibility” model at all.  It simply describes everything that today’s supply chain participants know about their drug supply and nothing more.  Not much is really visible, and in these rare cases, what is visible is insufficient to tell if the drugs are legitimate or not.


One way to build a true chain of trust and significantly decrease the ability for criminals to hide within the supply chain is to eliminate the blindness in the trust relationships.  This can be done by providing full upstream visibility of supply chain history to each participant (or to their contractual agent).  That way each buyer of drugs can see everyone who has owned the drugs they are about to buy.  In short, trust, but verify.

With unit-level serialization this could happen automatically before the drugs arrive at each stop.  Any discrepancy or unexpected aberration in the supply chain history would be exposed and that would inform the buyer who could then refuse to accept the shipment.  Of course, the concept that would enable this is electronic pedigree, whether implemented with something like the GS1 Drug Pedigree Messaging Standard (DPMS) or with a Network Centric ePedigree (NCeP) architecture like the one that GS1 is currently working on.


As you all know, I’m a big fan of the electronic pedigree concept because of its ability to remove the blindness that exists in today’s supply chain.  But I’ve recently become convinced that neither DPMS nor an NCeP can be deployed throughout the entire supply chain in a “big-bang” approach within the timetable of the California Pedigree law.  They are too complicated.

Fully automated supply chain upstream visibility must be the ultimate goal, to be sure, but the job is just too big and complex to be achievable by every company in the supply chain, big and small, by 2015-2017.  I now think what we need is a phased approach that has a series of security “plateaus”, but which eventually gets us to the ultimate goal.  Others have been saying mostly the same thing for some time now.  I finally get it…and, I think I can explain it.

I’ll have more to say about this over the next few months, including my idea of a realistic roadmap and timeline.  Please stay tuned.


7 thoughts on “Reliance on Trust in the U.S. Pharma Supply Chain”

  1. Dirk,
    3 points to ponder as you prepare for your next essay:
    A. Criminal penalties
    B. Enforcement
    C. Plug demand (internet&pharmacies)
    Bonus question: Why do grocery stores verify $20 bills during check out?
    Thank you for well thought out and informative blog.

  2. Steve,
    Thanks for your comment. I will ponder your suggestions but here is my immediate response to each one.
    A. Criminal penalties. Could be a good topic for a future essay,
    B. Enforcement. Another good potential future topic,
    C. Plug demand (internet&pharmacies). Not so good for RxTrace.

    Regarding C, my interest is primarily the security of the traditional supply chain because people who buy their drugs at a traditional pharmacy (physical, mail-order or legitimate internet) should be able to trust the drugs they are given every time.

    On the other hand, people who buy their drugs at a clearly illegitimate internet pharmacy should not expect the drugs that they receive to be legitimate. In fact, they should know that they will be either counterfeit, stolen, expired, tampered, adultered or otherwise illegitimate.

    My desire is to help ensure that the normal, legitimate U.S. supply chain can always be trusted by patients. For now, the illegitimate supply chain on the internet will remain mostly outside of the focus of RxTrace.

    Thanks for reading.


  3. Dirk,

    Good essay. Glad to see RxTrace is still going!

    I find it interesting that the major pharmacy trade associations (NACDS and NCPA) remain firmly opposed to unit serialization and track-and-trace.

    Until the Ph box in your flowchart gets involved, visibility will remain a fantasy. Katherine Eban missed this point in her article, as I note in Drug Theft + Diversion Gets Bigger.


  4. Dirk,

    I enjoy and follow closely your posts, they are very useful.

    My interests, apart from building software, lie in security, such as in “Cyber War” by Richard Clark and “Fatal System Crash” by Joseph Menn. Is that in any way applicable to Track and Trace?

    Thank you,

    1. Mark,
      Thanks for following RxTrace and for your comment. I haven’t read those books but I suspect that there are two different aspects to Cyber War that would intersect with pharmaceutical track & trace. First, a system where drugs cannot be bought and sold in the supply chain unless data stored outside each company’s four walls can be written and read could certainly be susceptible to Distributed Denial of Service attacks and other kinds of cyber attacks. If an enemy wanted to reek havoc in the US pharma supply chain they could somehow block access to these critical servers and thus drugs could not move through the supply chain. This assumes that regulators impose rules that don’t allow movement of drugs without receiving, passing and/or checking a pedigree or some kind of supply chain security information for each drug or each shipment, like the California pedigree law.

      The other aspect is the potential for servers holding supply chain track and trace data becoming the target of a cyber break-in where data is deleted or changed so that illegitimate drugs look like they are now legitimate, and/or legitimate drugs look illegitimate. This would require a highly targeted attack by very knowledgeable people. Our job is to produce a track and trace system design that doesn’t leave an opening to this kind of attack.

      We should include the analysis of the susceptibility to these kinds of attacks of each Network Centric ePedigree model that is now under consideration.


  5. Dirk,

    I can’t wait to hear more about these “plateaus” that you refer to. Where do you start? Is it authentication at point of dispense and work backwards or do you start at the beginning of the supply chain?

Comments are closed.