DSCSA: Congress Should Have Mandated Randomization

Congress should have mandated randomization of drug serial numbers, but they did not, so it is up to each manufacturer to recognize the importance it would bring to the protection of their brands and of the supply chain.  Let me explain.

The text of the Drug Supply Chain Security Act (DSCSA) was developed last year by Congressional staff in consultation/negotiation with various lobbying organizations—primarily the Prescription Drug Security Alliance (PDSA).  The effect of the legislation is to create a way of protecting the U.S. pharmaceutical supply chain that relies primarily on product identifier authentication (PIA) (see “Product Identifier Authentication” and “The Aggregation Hoax and PIA”) for at least the first 10 years and possibly beyond.

Manufacturers must be capable of responding to “requests for verification” using the lot number and expiration date or the Standardized Numerical Identifier (SNI) by November 27, 2017, but because wholesale distributors are not required to perform verification of saleable returns and “suspect product” using the SNI until November 27, 2019, the verification service offered by manufacturers may not be heavily loaded until about that time.  Dispensers must begin making use of that service using the SNI to verify at least 10% of the homogeneous cases or individual packages of suspect product, beginning in November of 2020.

Because wholesale distributors and dispensers must eventually make use of PIA to verify the small subset of products that are in situations believed to have the greatest risk of illegitimacy, PIA is the mechanism being relied upon most to protect the supply chain under the DSCSA.


The problem is, criminals can easily “game” a PIA system if they are able to accurately guess which serial numbers are valid.  If a counterfeiter knows which SNIs are valid, they can simply apply those serial numbers to their illegitimate packages and homogeneous cases.  Whenever a wholesale distributor or dispenser verifies one or more of the serial numbers on the counterfeit products, the PIA service would confirm that the SNI matches one that the manufacturer or repackager originally applied to a real package or case.  This would defeat the protective nature of the PIA mechanism because supply chain members would no longer be able to count on the PIA service to differentiate between good and bad packages and cases of that product.


How would a counterfeiter be able to figure out which serial numbers are valid?  If a drug manufacturer assigns the serial numbers of their drug packages that are aimed at the U.S. market sequentially, it is pretty easy.  All a criminal would need to do is get ahold of one or more real drug packages and make note of their serial numbers.  Getting access to more than one would give them a pretty good clue, if the serial numbers are within a few dozen of each other, that the numbers are likely being assigned sequentially.  If the criminal had access to a large amount of product—say, as an undercover criminal posing as a legitimate employee of a manufacturer’s, wholesaler’s or chain pharmacy’s warehouse; or even getting a real job there for a few days, just to collect valid serial numbers—they could be very confident that the numbers are, or are not, being assigned sequentially.

Once the criminal determines that a given drug’s serial numbers are assigned sequentially they can assign their serial numbers within the range observed.  Now whenever someone uses the manufacturer’s simple PIA service to verify the product identifier, the response for the counterfeiter’s product will be “valid”.


How do you eliminate this problem?  One way to strengthen the PIA approach to supply chain protection is to randomize the serial numbers.  That makes the criminal’s job a lot harder because, to reproduce valid serial numbers, they would need to literally read the serial numbers on as many valid drug packages as they intend to produce, and then reuse only those specific serial numbers.  The access to valid packages that a criminal would now need would have to be pretty long and private, so that they would not be observed scanning a large number of drug packages.

And full randomization is not necessary to thwart this kind of criminal.  Any approach that results in sparseness and some amount of pseudo-randomness will be sufficient.


The European Federation of Pharmaceutical Industries and Associations (EFPIA) understood this problem when they threw their support behind Point of Dispense (PoD) Authentication, and they understood this solution when they recommended the use of randomization techniques to result in 1:10,000 odds of guessing a valid serial number.  But Congress didn’t understand this subtlety and only mandated PIA through the verification services requirement.  So it is up to drug manufacturers to recognize the deficiency and voluntarily randomize the serial numbers applied to their drug packages, and perhaps to their cases as well.  Not doing so would elevate your risk of becoming a target of this kind of crime in the future.

And now is the time to begin randomizing your serial numbers, not in 2019.  That’s because you will have the full range within a given serial number length to generate random numbers, without the need to skip over the range that contains your initial sequential numbers.  Of course, there are ways to deal with that issue as well.
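To make the sparseness argument concrete, here is an added example (not code from this article or from any serial number management product) that sizes a numeric serial space for the 1:10,000 odds cited above, draws serials from a cryptographic random source while skipping an already-used sequential block, and compares how often values adjacent to one observed serial would verify as valid. The function names, the 1,000-unit volume and the legacy range are assumptions constructed for illustration.

```python
import secrets

TARGET_ODDS = 10_000  # the article's EFPIA figure: 1:10,000 odds of guessing a valid serial

def min_digits(total_units, reserved=0, odds=TARGET_ODDS):
    """Shortest numeric serial length that keeps valid serials at <= 1 in `odds`.
    total_units: every serial that will ever be issued for the product.
    reserved: count of values that must be skipped (e.g. an old sequential block)."""
    digits = 1
    while 10 ** digits - reserved < total_units * odds:
        digits += 1
    return digits

def generate_serials(total_units, digits, reserved=range(0), odds=TARGET_ODDS):
    """Draw unique serials from a CSPRNG, skipping the `reserved` range."""
    space = 10 ** digits
    if space - len(reserved) < total_units * odds:
        raise ValueError("serial space too small for the target odds")
    issued = set()
    while len(issued) < total_units:
        n = secrets.randbelow(space)
        if n not in reserved:
            issued.add(n)
    return {f"{n:0{digits}d}" for n in issued}

def neighbour_hit_rate(issued, observed, digits, spread=100):
    """Fraction of the values within +/- spread of one observed serial that a
    verification service holding `issued` would report as valid."""
    base = int(observed)
    guesses = [base + d for d in range(-spread, spread + 1) if d != 0]
    hits = sum(f"{g:0{digits}d}" in issued for g in guesses)
    return hits / len(guesses)

def demo():
    # Constructed data: 1,000 units; legacy sequential block 5000000-5000999.
    legacy = range(5_000_000, 5_001_000)
    sequential = {f"{n:08d}" for n in legacy}
    digits = min_digits(1_000, reserved=len(legacy))
    randomized = generate_serials(1_000, digits, reserved=legacy)
    seq_rate = neighbour_hit_rate(sequential, "05000500", 8)
    rnd_rate = neighbour_hit_rate(randomized, next(iter(randomized)), digits)
    return digits, seq_rate, rnd_rate

if __name__ == "__main__":
    print(demo())
```

Size `total_units` for the whole life of the product rather than a single lot, since density is what sets the guessing odds. Neither scheme stops a valid serial from being copied, so a verification service still has to notice the same serial being presented more than once.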

Randomization seems to add another level of complexity, and it does, but most, if not all, of the companies who sell serial number management solutions include some way to meet the EFPIA randomization requirements without much difficulty.  I highly recommend that you apply that capability on your U.S. products as well.


2 thoughts on “DSCSA: Congress Should Have Mandated Randomization”

  1. I do not want to rattle any cages but I do not think Randomization helps in any way. I have a patent pending great way to randomize alpha numeric strings but I do not believe in Randomization helping much because of its inherent requirement of having a server ready to authenticate the product 24/7, and the flaw of not defining who pays when counterfeit is identified. I am already working on a system being available 24/7 but I know how impractical it is to have a system owned by Government to be running 24/7. I am not a great fan of UniqueID system where details which are already printed on the package are stored in a 2D barcode.
    To create a counterfeit in a Randomized system what all the counterfeiter needs is one correct number and they can create and send in Counterfeits before the original is dispensed. After the original is dispensed who will pay for the cost of the counterfeit held up at the dispensing points? Yes you guessed it right.
    I support what FDA is doing because they got it partially right. FDA’s system will track the item from Manufacture to dispense and easily identify where the counterfeit got into the supply chain. It’s right for the party where the counterfeit got included into the supply chain to pay for the inclusion.
    I am sure this reply of mine will not be posted after review like the previous ones of mine but I will keep my voice being heard until someone gets it right.

  2. Just wanted to post the demo URL of generating 99.99% Random strings here so as to show that Alpha numeric Randomization is possible and not as complicated as many think.
    FDA’s recent guidelines mention use of numeric or alpha numbers and do not specify if they have to be serial or random. Manufacturers can choose between Random and sequential numbers as per their convenience.
    Here is a URL where you can generate limited Random numbers to your liking. I do not know if URL posting is allowed. Please feel free to delete if it is not allowed.
