Congress should have mandated randomization of drug serial numbers, but it did not, so it is up to each manufacturer to recognize how important randomization is to the protection of their brands and of the supply chain. Let me explain.
The text of the Drug Supply Chain Security Act (DSCSA) was developed last year by Congressional staff in consultation/negotiation with various lobbying organizations—primarily the Prescription Drug Security Alliance (PDSA). The effect of the legislation is to create a way of protecting the U.S. pharmaceutical supply chain that relies primarily on product identifier authentication (PIA) (see “Product Identifier Authentication” and “The Aggregation Hoax and PIA”) for at least the first 10 years and possibly beyond.
Manufacturers must be capable of responding to “requests for verification” using the lot number and expiration date or the Standardized Numerical Identifier (SNI) by November 27, 2017, but because wholesale distributors are not required to perform verification of saleable returns and “suspect product” using the SNI until November 27, 2019, the verification service offered by manufacturers may not be heavily loaded until about that time. Dispensers must begin making use of that service using the SNI to verify at least 10% of the homogeneous cases or individual packages of suspect product, beginning in November of 2020.
Because wholesale distributors and dispensers must eventually make use of PIA to verify the small subset of products that are in situations believed to have the greatest risk of illegitimacy, PIA is the mechanism being relied upon most to protect the supply chain under the DSCSA.
PIA CAN BE “GAMED”
The problem is, criminals can easily “game” a PIA system if they are able to accurately guess which serial numbers are valid. If a counterfeiter knows which SNIs are valid, they can simply apply those serial numbers to their illegitimate packages and homogeneous cases. Whenever a wholesale distributor or dispenser verifies one or more of the serial numbers on the counterfeit products, the PIA service would confirm that the SNI matches one that the manufacturer or repackager originally applied to a real package or case. This would defeat the protective nature of the PIA mechanism because supply chain members would no longer be able to count on the PIA service to differentiate between good and bad packages and cases of that product.
How would a counterfeiter be able to figure out which serial numbers are valid? If a drug manufacturer sequentially assigns the serial numbers of its drug packages aimed at the U.S. market, it is pretty easy. All a criminal would need to do is get ahold of one or more real drug packages and make note of their serial numbers. Getting access to more than one would give them a pretty good clue, if the serial numbers are within a few dozen of each other, that the numbers are likely being assigned sequentially. If the criminal had access to a large amount of product (say, as an undercover criminal posing as a legitimate employee of a manufacturer’s, wholesaler’s or chain pharmacy’s warehouse, or even getting a real job there for a few days just to collect valid serial numbers), they could be very confident that the numbers are, or are not, being assigned sequentially.
Once the criminal determines that a given drug’s serial numbers are assigned sequentially, they can assign their own serial numbers within the range observed. Now whenever someone uses the manufacturer’s simple PIA service to verify the product identifier, the response for the counterfeiter’s product will be “valid”.
PSEUDO-RANDOMIZATION STRENGTHENS PIA
How do you eliminate this problem? One way to strengthen the PIA approach to supply chain protection is to randomize the serial numbers. That makes the criminal’s job a lot harder because, to reproduce valid serial numbers, they would need to literally read the serial numbers on as many valid drug packages as they intend to produce, and then reuse only those specific serial numbers. The criminal would now need long, private access to valid packages so that they would not be observed scanning a large number of them.
For more on randomization, see:
- Randomization—An Interview with Ken Traub—Part 1: GS1 Serial Number Considerations
- Randomization—An Interview with Ken Traub—Part 2: Properties of Randomization
- Randomization—An Interview with Ken Traub—Part 3: Threat Analysis
- Randomization—An Interview with Ken Traub—Part 4: The Algorithmic Approach
- Randomization—An Interview with Ken Traub—Part 5: Other Approaches
The European Federation of Pharmaceutical Industries and Associations (EFPIA) understood this problem when they threw their support behind Point of Dispense (PoD) Authentication, and they understood this solution when they recommended the use of randomization techniques to result in 1:10,000 odds of guessing a valid serial number. But Congress didn’t understand this subtlety and only mandated PIA through the verification services requirement. So it is up to drug manufacturers to recognize the deficiency and voluntarily randomize the serial numbers applied to their drug packages, and perhaps to their cases as well. Not doing so would elevate your risk of becoming a target of this kind of crime in the future.
And now is the time to begin randomizing your serial numbers, not in 2019. That’s because you will have the full range within a given serial number length to generate random numbers, without the need to skip over the range that contains your initial sequential numbers. Of course, there are ways to deal with that issue as well.
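The following sketch is an added example, not code from the original article or from any serialization vendor. It shows one way to allocate randomized serials so that valid numbers stay at or below the 1:10,000 density EFPIA recommends while skipping a block of earlier sequential numbers. It assumes all-numeric serials and an in-memory `issued` set standing in for the serial number database; the function names are hypothetical.

```python
import secrets

ODDS = 10_000  # EFPIA target cited above: at most 1 valid serial per 10,000 values

def min_digits(total_serials, reserved=0, odds=ODDS):
    """Shortest all-numeric serial length that keeps guess odds at 1:odds or better."""
    digits = 1
    while 10 ** digits - reserved < total_serials * odds:
        digits += 1
    return digits

def allocate(count, digits, issued, legacy=None, odds=ODDS):
    """Draw `count` unique serials from the OS CSPRNG and record them in `issued`.

    issued: set of randomized serials already commissioned for this product.
    legacy: optional (low, high) inclusive block of earlier sequential numbers to skip.
    """
    space = 10 ** digits
    reserved = legacy[1] - legacy[0] + 1 if legacy else 0
    # Refuse to issue once valid serials would be denser than 1 in `odds`.
    if (len(issued) + count) * odds > space - reserved:
        raise ValueError("serial space too small for the target guess odds")
    batch = []
    while len(batch) < count:
        n = secrets.randbelow(space)
        serial = f"{n:0{digits}d}"
        if (legacy and legacy[0] <= n <= legacy[1]) or serial in issued:
            continue  # inside the old sequential block, or a collision: redraw
        issued.add(serial)
        batch.append(serial)
    return batch

def neighbour_hit_rate(observed, issued, window=50):
    """Self-audit: fraction of values within +/-window of a real serial that verify."""
    digits, centre = len(observed), int(observed)
    nearby = [n for n in range(centre - window, centre + window + 1)
              if n != centre and 0 <= n < 10 ** digits]
    return sum(f"{n:0{digits}d}" in issued for n in nearby) / len(nearby)

if __name__ == "__main__":
    # Constructed sample: a 1,000-pack lot; serials 1-500 were already used sequentially.
    legacy = (1, 500)
    digits = min_digits(1_000, reserved=500)
    randomized = set()
    allocate(1_000, digits, randomized, legacy)
    sequential = {f"{n:0{digits}d}" for n in range(1, 501)}
    print(digits, neighbour_hit_rate("250".zfill(digits), sequential),
          neighbour_hit_rate(next(iter(randomized)), randomized))
```

The neighbour hit rate is the number a manufacturer can monitor: close to 1.0 for a sequential range, and close to the chosen density for a randomized one.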
Randomization seems to add another level of complexity, and it does, but most, if not all, of the companies who sell serial number management solutions include some way to meet the EFPIA randomization requirements without much difficulty. I highly recommend that you apply that capability on your U.S. products as well.