Last week I published an overly long essay about how the supply chain provisions of the new U.S. Federal DQSA will and won’t protect the pharma supply chain. Believe it or not, I had more to say on the subject, but because that essay was already too long, I withheld my additional thoughts until now. Part 1 took another look at a number of supply chain crimes that have occurred over the last 5 to 6 years and attempted to determine how the new Drug Supply Chain Security Act (DSCSA) that is contained within the DQSA will add new protections that will or won’t help prevent crimes like them in the future.
In this Part 2 essay I want to look at the issue in a different way. I’d like to compare the approach that the California pedigree law was going to take with that of the new DSCSA, and also compare them with the authentication at the point of dispense (PoD) approach that has taken hold in Europe and perhaps elsewhere. From this comparison we can learn something important that is not immediately obvious. First, California.
HOW THE FORMER CALIFORNIA PEDIGREE LAW WOULD HAVE PROTECTED THE SUPPLY CHAIN
The California law was to require unique serial numbers on every drug package that was distributed into the State by 2015 and 2016. Just to be clear, it has now been preempted by the Federal DQSA/DSCSA and so it no longer exists. I am only looking at it in retrospect to explain the way it was designed to protect the supply chain. That protection did not come so much from the unique serial number—that was only needed as a database lookup key to assist with finding and updating the epedigree associated with each package—it came from the fact that each company that bought drugs was expected to check the validity of the pedigrees it received. The protection came from that check. California pedigrees protected the supply chain by securing the transaction history documented within the pedigrees. The transaction histories were to be secured through digital signatures (the same technology that makes Bitcoins impossible to counterfeit by the way).
Criminals could easily copy the serial numbers from legitimate drug packages and apply them to their counterfeit packages, but they couldn’t copy the epedigrees without easy detection by the buying company when they performed their check. You can’t counterfeit a digital signature unless you have the owner’s private key, which they are obligated to keep secret (see the Wikipedia article, “Public-key Infrastructure”).
But companies didn’t like the idea of having to check every digital signature on every epedigree, which could have been one for every drug package in the supply chain. That’s a lot of checking and a lot more CPU cycles. So when the DSCSA language was being debated by Congressional staff and the industry, through the Pharmaceutical Distribution Security Alliance (PDSA), a different way of protecting the supply chain was sought.
HOW THE DSCSA WILL PROTECT THE SUPPLY CHAIN
The DSCSA will begin requiring unique serial numbers on every drug package throughout the U.S. supply chain in late 2017. The law does not require the use of digital signatures or the protection of the contents of the transaction histories that must be passed from the seller to the buyer. Instead, the seller must provide a transaction statement which asserts that the history is accurate and has not been knowingly modified. There is no such thing as a check of the transaction history.
But there is the concept of product identifier authentication (PIA), called “verification” in the DSCSA. Anytime someone in the supply chain becomes suspicious that a drug might not be what it seems, a supply chain member or regulator can exercise the manufacturer’s verification system to check the validity of the NDC, lot number or serial number. The DSCSA mandates the deployment of the manufacturer’s verification system by late 2017, although it does not place any technology requirements on that service, so it could be based on a manual/visual lookup/response, or an internet-based automated lookup/response. The drug manufacturer will have 24 hours to respond to any request for verification, so there is no real-time response requirement for at least the first 10 years. The main reason a manufacturer will want to automate this service is the potential volume of requests.
In my opinion, the protection of the supply chain by the DSCSA comes from the ability to prosecute those who are found to have violated their assertion that they did not knowingly modify the transaction history they provided the buyer. Criminals probably won’t fear that very much because there is no way for the buyer to check its truthfulness, so that alone probably won’t have much of an effect on their willingness to forge transaction histories. If a criminal can copy the serial numbers on legitimate drug packages and forge the transaction histories, it might take a while before anyone becomes suspicious of the counterfeits and that might provide the criminal enough time to get paid and get away.
One way to thwart these criminals is to make it difficult to figure out which serial numbers are legitimate. Under the California law it was not really beneficial for companies to randomize their serial numbers because the protection came from securing the transaction histories within the pedigrees. But without a way to secure the transaction histories, the only thing left is to randomize the serial numbers. As long as the counterfeiter does not have access to a large number of valid serial numbers, they would only be left to guess which numbers are real and which are not. Randomizing in a way that ensures that you can’t figure out which serial numbers are valid, even if you know one or even a handful of valid serial numbers, would enable the manufacturer’s PIA service to detect any serial numbers that were just guessed at. This relies on the fact that there are many times more possible invalid serial numbers than there are valid serial numbers. Of course, this still requires someone to get suspicious of something before they are required to request the PIA check (the “verification” check, to use the language of the DSCSA).
So why does the DSCSA not require randomization of serial numbers? I don’t know, so it is up to each manufacturer to recognize that it is to their own advantage as a brand protection mechanism to randomize their serial numbers. Companies who were not planning to randomize for California should change their direction and add randomization capabilities to their serialization solutions before the 2017 date.
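The randomization argument above can be checked with a short simulation. This is an added example, not part of the original essay: it commissions one lot with sequential serials and one with serials drawn from a cryptographic random source, then counts how many serials extrapolated from a few known-valid ones would pass a PIA lookup. The 18-digit serial space, the lot size and all function names are assumptions made for the illustration.

```python
import secrets

SERIAL_SPACE = 10**18   # assumed: 18-digit numeric serials
LOT_SIZE = 10_000       # assumed: packages commissioned for one lot

def commission_sequential(start, count):
    """Serials issued as a simple counter."""
    return set(range(start, start + count))

def commission_random(count, space=SERIAL_SPACE):
    """Serials drawn from a CSPRNG, so known ones reveal nothing about the rest."""
    issued = set()
    while len(issued) < count:          # the set drops the rare duplicate draw
        issued.add(secrets.randbelow(space))
    return issued

def pia_verify(issued, serial):
    """Stand-in for the manufacturer's verification lookup."""
    return serial in issued

def guessed_serials_accepted(issued, known_serials, guesses_per_known=100):
    """Count serials extrapolated from known-valid ones that pass verification."""
    accepted = 0
    for known in known_serials:
        for offset in range(1, guesses_per_known + 1):
            candidate = (known + offset) % SERIAL_SPACE
            if pia_verify(issued, candidate):
                accepted += 1
    return accepted

def blind_guess_probability(issued_count, space=SERIAL_SPACE):
    """Chance that one uniformly guessed serial is valid: valid / possible."""
    return issued_count / space

def compare():
    """Return (sequential_hits, randomized_hits) for five known serials each."""
    seq = commission_sequential(start=500_000, count=LOT_SIZE)
    rnd = commission_random(LOT_SIZE)
    known_seq = [500_000 + 1_000 * i for i in range(5)]  # read off real packages
    known_rnd = list(rnd)[:5]
    return (guessed_serials_accepted(seq, known_seq),
            guessed_serials_accepted(rnd, known_rnd))

if __name__ == "__main__":
    seq_hits, rnd_hits = compare()
    print("sequential: guessed serials accepted =", seq_hits)
    print("randomized: guessed serials accepted =", rnd_hits)
    print("blind guess probability =", blind_guess_probability(LOT_SIZE))
```

With sequential numbering every extrapolated serial verifies as valid, so the PIA lookup cannot tell a copied package from a real one; with randomized numbering the same guesses are rejected, which is what gives the verification check its detection value.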
WHAT ABOUT THE E.U.?
This is exactly the mechanism the E.U. Falsified Medicines Directive (FMD) will use to protect the drug supply chain when it becomes effective in the next few years as well (see Mark Davison’s recent essay, “Transatlantic Alignment”). The FMD and the associated Delegated Act (to be enacted in 2014) will require randomization of serial numbers because the authors recognized that serial number non-determinism is critical to the success of their approach. Both China and Brazil also require serial number randomization for the same reason. Anywhere authentication of the drug identifier and serial number at the point of dispense is employed, serial number randomization will be essential to blocking and detecting criminal activity.
SERIAL NUMBER RANDOMIZATION
California did not need randomization because the primary protection mechanism was going to be the immutability of the epedigrees themselves. Regulatory approaches that do not require immutable pedigrees will then need to use randomized serial numbers as their primary protection mechanism.
So what exactly is a random serial number and how do you create them? Those are topics for future essays. Stay tuned as we take a closer look at serial number randomization including a special interview with GS1 standards expert Ken Traub.