When serialization of drugs was first being considered for pharmaceuticals back in the mid-2000s, I recall that it seemed to rattle the traditional brand protection vendors who offered package-level authentication technologies.  They were more than a little worried that drug companies would end up using serial numbers in place of their more traditional offerings, like holograms, specialty inks, micro-printing and other technologies.  Back then, some drug companies were looking at using Radio Frequency IDentification (RFID) tags to carry the serial numbers on their drug packaging, and perhaps these vendors feared that they would be left out.

I never understood what all the angst was about.  The purpose of government mandated drug serialization, then and now, is completely different than the purpose of package-level authentication technologies.  Drug serialization was being considered as a means to meet government mandates for unique identifiers.  Unique identification within an end-to-end supply chain that includes hundreds of thousands of independent companies requires everyone to align behind a single technology to ensure interoperability and efficiency.  So, to meet serialization mandates, every company in a given market would need to follow the same standards and apply the same technology to carry the unique identifier (the serial number).  For that to work, the standards and technologies used would need to be royalty-free, available through many sources, and therefore they needed to be non-proprietary.  I wrote about all this back in 2012, in an RxTrace essay I called “The Different Goals of Anti-Counterfeiting Technologies and Serialization”.

Characteristic	Serialization Mandated by Governments around the world	Package-Level Authentication Technologies
Cost per package	Low	High
Supply	Widely available	Single source
Usage	Non-proprietary	Proprietary
Payment	Royalty-free	Royalty built into the cost
Technologies	Single	Many available
Additive?	Yes	Yes
Answers:	How did this product get here?Where did this product come from?	Is this product genuine or fake?

All of those characteristics are counter to the traditional brand protection offerings, which are proprietary, very expensive, are available from limited sources, and use widely varying technologies.  In fact, the wide variety actually contributes to the success of brand protection because it raises the bar significantly against counterfeiters.  For example, if a counterfeiter wanted to copy a product that contains a traditional brand protection mechanism, let’s say color shifting ink, they would need to spend a lot of money to purchase the same ink that the brand owner uses, and from the same source because it is proprietary, and apply it properly so it produces the identical effect as the original product.  That takes time for trial and error and leaves an incriminating paper trail so a counterfeiter will likely move on to some other product that is not protected by such technology.  Even so, counterfeiters have successfully copied products that contain traditional brand protection technologies.

Brand protection companies had little to worry about back then because RFID was quickly found to be too expensive and unreliable for use in meeting the new serialization mandates.  It turned out that lowly barcodes were the technology used for all mandates around the world.  How boring when compared with holograms and color shifting ink.  The traditional brand protection vendors could relax.  They realized that barcodes could be easily copied and so they were a poor way of protecting against a determined counterfeiter.  They knew that, and so did their customers, who continued to invest in their proprietary technologies.

In the ensuing years drug serialization has been mandated in many of the top pharmaceutical markets in the world, including the United States, the European Union, China, Brazil, South Korea, Turkey and elsewhere, without changing the need for traditional anti-counterfeiting technologies on the most profitable medical products.  In those cases, companies need to apply the mandated serial number carrier technology to each package to meet the government mandates, and their chosen brand protection technology to block criminals.  That is, both needs result in something being added to the product packages, making them both “additive”, and therefore both adding to the cost of packaging.

The definitive source for knowledge about pharmaceutical anti-counterfeiting using brand protection technologies for physical authentication and serialization for digital tracking through the supply chain is the book “Pharmaceutical Anti-Counterfeiting:  Combating the Real Danger from Fake Drugs” by Mark Davison (see “Pharmaceutical Anti-Counterfeiting, A First-Rate New Resource“).  Davison points out that traceability, like the kind mandated by governments around the word lately, is useful for answering the question “Where did this product come from?”, while package-level authentication technologies are useful for answering the question, “Is this product genuine or fake?”.  Again, these are distinctly different questions.  Both are valuable for protecting patients, but you need both technologies to answer both questions.

In his book, Davison introduced the equation:

Physical Authentication + Digital Tracking = Enhanced Security

This is his way of explaining that the combination of both technologies will result in more protection than either technology used individually.  But, of course, to do both, requires more expense per package, which adds up pretty quickly for high volume products.  That’s because both types of technologies are additive on the product packages.

FINGERPRINTING

But there is an interesting technology presented by Davison which seems to combine anti-counterfeiting physical authentication with the simple serialization barcode mandated by governments around the world.  He calls the technology “Fingerprinting”, which,

“…use[s] innate physical characteristics of the product, or random features applied or printed onto the product, to derive a unique data set that can be converted to a numerical code and stored in a database.”  “…These data can be further associated (either directly by coding, or by association in a database) with another product identifier, such as a 2D code…”  “…The validation tools are also relatively low cost and portable.  Since there is no known processes that would allow the fabrication of copies of the fingerprint, these approaches have the potential to be very secure.”  “…The relatively low implementation costs and low marginal cost per item make fingerprint technologies attractive for some brand owners who wish to supplement compliance-driven serialization with proprietary tracking information.”

This attracted my attention because it breaks the traditional separation of serialization technologies from package-level authentication technologies as documented in my table above.  The key is that the fingerprint adds nothing to the product package itself, thus making the per package cost nearly zero.  The only reason it isn’t zero is because there is a infinitesimal cost per package to store the fingerprint data in a database for the life of the product.  Nothing beyond the mandated serial number needs to go on each package.  No special inks, no holograms, and no custom-spliced DNA—no nothing.  Yes, there are still system-level costs, but many of those are for the same equipment as those necessary to meet the various pharma serialization mandates around the world.

HERE’S HOW IT WORKS

After the government mandated 2D barcode is printed or applied to a package on a packaging line, a camera is used to verify that the proper label stock was applied to the package and that the barcode and the human readable text are properly printed and readable.  That is a standard cGMP quality check for pharmaceutical packages.  But in this fingerprinting system, that camera would also transmit the image to a system that would find the unique characteristics about the squares and bars that comprise the barcode, like a snowflake or a fingerprint, and convert those distinguishing characteristics to a number.

As Davison explains, this technique is based on “chaos”, the fact that even things that look uniform are actually composed of an infinite number of random deviations from uniformity which can be detected, measured and recognized later.  Of course, these deviations are all much smaller than those that are measured by a standard barcode reader, so even when two codes appear to that barcode reader to be identical, the fingerprint detector would find the unique pattern of deviations to differentiate the original from the copy…any copy.

What kind of sophisticated fingerprint detector do you need in the field to make this usable for anti-counterfeiting?  It turns out, a standard smartphone camera is sufficient.  That’s right, the technology we all have at our fingertips—the one that is connected to the internet via a high-speed wireless connection—is all you need to determine genuine from fake.  Any user can use a standard smartphone to take a picture of the barcode on a drug package, transmit it to a service that knows how to detect the unique pattern of deviations in the image, calculate the numeric fingerprint and look it up in the database to determine whether or not that particular package is present or not.  If it is present in the database, the package is the original one packaged by/for the brand-owner.  If it is not there, the package is an unauthorized copy—a fake—and the smartphone user can be notified what to do next.

Let’s add up the extra costs over and above those of meeting the government serialization mandates for a high-volume drug product.  Since nothing is added to each package to enable fingerprint detection, it doesn’t really matter what the volume is.  High volume or low volume—what’s the difference?  The camera used to collect the images on the packaging line is already built into the cost of meeting the government serialization mandates.  It is a necessary cost.  You are going to have one of those anyway.  The cost of the field detectors is nothing because smartphones are ubiquitous throughout at least the developed world.  The only remaining cost is that of the hardware and software to calculate and store the fingerprints, and present user interfaces.  This cost structure, which is minus per-package and per-reader components, leads to the realization that all drugs that are serialized under a government mandate really should also include this fingerprint brand-protection service.

This is a huge cost breakthrough that allows a tiny additional investment on top of the big investments necessary to meet the global serialization mandates and results in a fully operational anti-counterfeiting, brand protection technology.

This kind of service can be used for package authentication throughout the supply chain, on a routine basis, or just when there is a suspicion of illegitimacy.  But for drugs that are dispensed in the manufacturer’s pack, it can also be used by the physician and the patient to authenticate the drug package.  This ability to authenticate the package can be incorporated into voluntary patient loyalty and direct-marketing programs where the patient “scans” the barcode using a smartphone app supplied by the product manufacturer in exchange for discounts or other incentives, thus helping to detect counterfeit, diverted, stolen and other illegitimate products on a wide scale.  With this capability, pharma brands can become more important to patients than they have in recent years.  The value of these capabilities to drug manufacturers and to patients is bounded only by your imagination.

For all of these reasons, I think we are going to start seeing this kind of service made available to brand-owners.  For example, Systech has just begun to offer such a service they call UniSecure.  In my view, this technology will revolutionize the anti-counterfeiting technology landscape for pharmaceuticals and other products.

BUT WAIT, IT DOESN’T EVEN REQUIRE SERIALIZATION!

Now let me blow your mind.  According to Systech, their service doesn’t even require serialization to be successful.  Their solution can detect enough “chaos”—enough unique pattern deviations—from any static UPC barcode on any product to be sufficient for determining genuine from a unauthorized copy.

This really makes sense if you think about it.  The fingerprint of a specific 2D barcode that contains a unique serial number is simply providing the fingerprint calculator with a certain number of distinct points that define its unique fingerprint.  That’s independent of the contents of the 2D barcode.  What Systech has found is that there are plenty of deviations in any set of UPC barcodes on a non-serialized product.  In effect, the UPC barcode just becomes a standardized place to collect the “chaos” that is just below the level of the recognizable barcode.  It is an easily recognizable target on each package to tell the user to aim their smartphone camera.  Whether that place on the package is a serialized barcode or a non-serialized static barcode doesn’t make any difference.  There are always distinguishable characteristics that a counterfeiter cannot reproduce.

Calculating and storing a unique number from the UPC barcode area for every package of a non-serialized product effectively results in the “serialization” of that product, without actually adding all of the printing technology necessary to put the serial number into a barcode.  The unique fingerprint value becomes the “serial number”.  Now, you can’t use that “serial number” to meet a serialization mandate, but for your own purposes, you have a unique identifier for every package.

This costs so little that you can easily image that even products like your toothpaste might be “serialized” in this way in the near future.  Why not “serialize” everything in this way?  Can’t you figure out some creative way of using the data provided by the consumer when they voluntarily scan the barcode with their smartphone to get points toward a discount, all while you monitor for illegitimate products in the supply chain at the same time?

I think you will agree, this is revolutionary.

Dirk.

Full Disclosure:  I am currently working under a consulting contract with Systech, but this essay is not part of that work and these are my own thoughts.