How to Stop Pharmaceutical Cargo Theft

Most of us who work on developing and deploying technologies designed to protect the supply chain usually focus on anti-counterfeiting. But that’s only one of the elements in the list of illegitimate activities that can cause damage to the health of patients and the profitability of legitimate businesses who participate in the U.S. pharma supply chain. I include the following activities in that list:

  • Counterfeiting
  • Diversion
  • Theft
  • Tampering
  • Up-labeling

These activities have all been detected from time to time in the U.S. supply chain for quite a few years, but the frequency of some of them has been on the increase over that same period of time. The question is, how much of each activity should we, as a society, tolerate before we step up counter-measures that are targeted directly on one or more of them?

THE RISE OF PHARMACEUTICAL CARGO THEFT

Over the last 18 months the U.S. has experienced an unprecedented rise in the value of drugs stolen in thefts of entire truckloads as they are being transported from point to point (also see this). I’ve heard lots of theories about who is behind it (organized criminals/gangs, of course) and where the product ends up (outside the U.S., most people think). Continue reading How to Stop Pharmaceutical Cargo Theft

Use of GLN and GTIN for Pedigree Regulatory Compliance

I am fortunate to have so many friends and colleagues who work in end-user and solution provider companies and who are impacted by the issues I cover in my blog. After each post I often exchange emails and phone calls with some of them and we discuss/debate what I’ve written about. These are great conversations because they sometimes confirm my opinions and sometimes challenge them, but I almost always come away with a more refined understanding of the technology or regulation we discussed. That is, I learn something.

This is exactly what has been happening with my recent series on Supply Chain Master Data (SCMD). As I’ve defined it, SCMD is just like regular old Master Data (MD) except that the identifier and the full data set behind each instance of SCMD has a single owner, and all parties in the supply chain who may encounter the identifier must have a way of obtaining the full set of data from the owner so they know what the identifier means. But this assumes that only the identifier will be used in supply chain data communications in place of the full data set that the ID refers to.

GLN’s On Electronic Invoices

Let’s take GS1’s GLN (Global Location Number), for example. You can use GLN’s in two ways: as true SCMD, or in a non-SCMD way.

An example of using GLN’s as SCMD in an invoice application would result in an electronic invoice that did not have any explicit addresses in it–no customer billing address, no customer shipping address and no “remit payment to” address. Instead, it would simply include the customer’s billing GLN, the customer’s shipping GLN and the “remit payment to” GLN. Each party in this example would have already obtained the full addresses from their respective owners in some way, either through a registry (like GS1 U.S.’s GLN Registry for Healthcare), or directly from the owner, so there is no need to include that data on each invoice between these parties.

The non-SCMD use of GLN’s occurs when a company uses a GLN identifier as a way of obtaining their trading partner’s full address, and then they would put the full address on each of their invoices for that partner. This approach makes use of GLN’s to “synchronize” the address master data that each trading partner keeps locally. Continue reading Use of GLN and GTIN for Pedigree Regulatory Compliance

PDMA Lawsuit Resolved?

I recently read in Pharmaceutical Commerce online magazine about the apparent resolution of the RxUSA lawsuit that had delayed implementaton of a couple of the pedigree provisions of the Federal PDMA (Prescription Drug Marketing Act).  While Pharmaceutical Commerce did its usual great job of providing historical context, I thought it might be an appropriate topic for the RxTrace blog.  But before I had time to document the history of the PDMA in my own words, Brian Daleiden beat me to it in the Supply Network Blog.  So rather than writing my own version, I gladly refer you to his post.  Between the Pharmaceutical Commerce article and Brian’s post, I have nothing more to say right now.

The Supply Network Blog is a fairly new publication of TraceLink, the successor to SupplyScape, my former employer.  I look forward to hearing more from their blog in the future so I recently subscribed.  Check it out and see what you think.

What are Pedigree Laws Trying to Accomplish Anyway?

Important Notice To Readers of This Essay On November 27, 2013, President Barack Obama signed the Drug Quality and Security Act of 2013 into law. That act has many provisions, but one is to pre-empt all existing and future state serialization and pedigree laws like those that previously existed in California and Florida. Some or all of the information contained in this essay is about some aspect of one or more of those state laws and so that information is now obsolete. It is left here only for historical purposes for those wishing to understand those old laws and the industry’s response to them.Conversations about the merits of various pedigree and authentication models usually start from dissatisfaction with some characteristic of the current GS1 DPMS pedigree model. I maintain that the design of DPMS—including its perceived flaws—is merely a reflection of the current state and federal pedigree laws and regulations. Characteristics that people don’t like—like digital signatures, a growing document as drugs move down the supply chain, and the fact that Supply Chain Master Data is not used by DPMS—are actually all characteristics of the laws and/or regulations, so any alternate pedigree model that would truly be usable for compliance would need those characteristics too.

But that’s not exactly what I want to discuss in this essay. Instead, I wanted to explain my theory of what U.S. pedigree laws are trying to accomplish in the first place. Forget about how they do it for now. What were the goals of those who wrote these laws and regulations? I’ll agree that this is impossible to know for sure but I think I can construct a pretty convincing theory. I don’t know any of the legislators or congresspeople who wrote these laws, but I have studied their work for over four years now. I have made the following observations.

  1. The highest priority goal of the Florida and California laws appears to be to detect the introduction of illegitimate drugs (counterfeit, stolen, up-labeled, diverted, etc.) into the legitimate supply chain as early as possible, preferably at the very first transaction. These laws accomplish this by requiring companies buying drugs within the supply chain to receive the full supply chain history of those drugs at the time of the purchase (contained in a “pedigree”), and, most importantly, by requiring them to verify the legitimacy of those prior transactions. In Florida that verification can be performed by direct contact, such as a phone call, email, fax, etc., or, optionally, through the use if digital signatures. In California, this verification can only be performed through the use of digital signatures. The federal PDMA, on the other hand, does not appear to obligate the buyer to do any verification of the information provided on pedigrees they receive.Finally, Florida and California both require the recipient of the shipment to confirm that the physical drugs they received match those described by the pedigrees they received. That seems obvious, doesn’t it? Why would any legislative body require all or some supply chain participants to go through all the expense to generate and pass pedigree information but stop short of requiring anyone to actually look at it? Well, oddly, the federal PDMA appears to do just that.
  2. There is a clear attempt in the laws to help identify who participated in the introduction of the illegitimate product. This is important if your goal is to efficiently and quickly investigate the suspected crime. This would aid in shutting down the criminals as quickly as possible before they are able to spread bad medical products very deeply into the supply chain. Continue reading What are Pedigree Laws Trying to Accomplish Anyway?

Pedigree Models and Supply Chain Master Data

Important Notice To Readers of This Essay On November 27, 2013, President Barack Obama signed the Drug Quality and Security Act of 2013 into law. That act has many provisions, but one is to pre-empt all existing and future state serialization and pedigree laws like those that previously existed in California and Florida. Some or all of the information contained in this essay is about some aspect of one or more of those state laws and so that information is now obsolete. It is left here only for historical purposes for those wishing to understand those old laws and the industry’s response to them.Right now there is only one industry standard that can be used to comply with the various drug pedigree laws in the United States. That’s the GS1 Drug Pedigree Messaging Standard (DPMS), which was created in 2006 by a group of technology experts and participants from nearly all segments of the U.S. supply chain culminating in GS1 ratification in January 2007. Many of those companies began using DPMS even before it was ratified because the Florida Pedigree Law went into effect in July 2006. Since then, companies are using it to comply with other state pedigree laws as well as for the pedigree provisions of the federal government’s Prescription Drug Marketing Act (PDMA) of 1988 (stayed until December 2006). Interestingly, a few companies have chosen to require DPMS pedigrees today for trading partner risk mitigation even where there is no existing regulatory requirement to do so.

A few months after GS1 ratified the DPMS standard, they ratified the Electronic Product Code Information Services (EPCIS) standard. This is a more general purpose standard intended for use in all supply chains that have a need to track and trace serialized products. Everyone acknowledges that it doesn’t make sense to try to use it for compliance with PDMA, Florida or other state pedigree laws because they do not require serialization, but in 2015 the California Pedigree Law will go into effect and one of its unique provisions requires item-level serialization.  Some see this as an ideal place to apply EPCIS.

There are lots of ways to contrast these two standards and their use for pedigree law compliance, but probably the most striking difference is how they each treat Supply Chain Master Data (SCMD). I defined SCMD in a previous post as “…that persistent, non-transactional data that defines a business entity for which there is, or should be, an agreed upon view across the supply chain.

GLN as SCMD

Addresses are an example of a “business entity” that can be treated as SCMD. GS1 defines a location identifier they call a Global Location Number (GLN) that can be used to refer to an address. A GLN is a structured series of digits that can be assigned to refer to a single address (among other things). Refer to the GS1 General Specification for the details. Continue reading Pedigree Models and Supply Chain Master Data

“The State of Healthcare Logistics”

Earlier this year The Association for Healthcare Resource & Materials Management (AHRMM) and the Center for Innovation in Healthcare Logistics (CIHL) at the University of Arkansas published the results of a survey they conducted in 2008 titled “The State of Healthcare Logistics”. The survey polled 1381 healthcare supply chain professionals regarding their “perceptions of cost and quality efficiencies and improvement opportunities within their organization”. I’m always a little skeptical (alright, I’m a lot skeptical) of “perception surveys”, but since this one was focused on the specific supply chain that I’m a member of, I took some interest. This survey included a series of questions about the respondent’s perception of Data Standards, which really caught my eye.

In fact, I’ve been doing a little investigating myself into the competing standards that are related to supply chain master data. My career experience in this area has almost solely dealt with GS1 standards, but that may be because the healthcare part of my career has centered on the pharmaceutical distribution corner of the full healthcare supply chain. If it had been centered on the distribution of medical devices, I would have been much more familiar with HIBCC (Healthcare Industry Business Communications Council) supply chain data standards. I’ve been trying to figure out if the industry needs multiple competing data standards and, if not, which one is a better set: GS1 or HIBCC? And should I consider some other set of standards that I just don’t know about? Are there good reasons to continue the use of either or both sets of standards in our supply chain?

In this light, I turned my attention to the AHRMM/CIHL survey results, hoping to gain some valuable insight. I quickly got stuck on their very first survey question in the Data Standards section (on page 15 of their report):

A. Is your organization moving towards the adoption of a data standards system (such as GS1) in the next five years?

Now this is an amazingly bad survey question that wouldn’t even pass a “survey questions 101” class. It is a classic example of a leading question. One where the desired answer is provided directly in the question itself. But look at the choice of answers!

  1. Yes – GS1
  2. Yes – Other
  3. No
  4. Don’t Know

Continue reading “The State of Healthcare Logistics”

Master Data, Supply Chain Master Data and Instance Data

We need to make a clear distinction between traditional Master Data (MD), Supply Chain Master Data (SCMD), and Instance Data (IData). This will help us understand some important differences in various supply chain track and trace technologies.

Master Data

Wikipedia defines “Master Data” like this today:

“…Master Data is that persistent, non-transactional data that defines a business entity for which there is, or should be, an agreed upon view across the organization.”

This isn’t detailed enough for me. MD must include a data element that serves as an identifier. An identifier that refers to a given MD record must be unique within the organization.

Good candidates for MD are customer information, location information, product information and employee information. The characteristic these all have in common is that the data behind them rarely change. For example, I have been issued an employee number by my company. My employee number is the unique identifier for the MD that describes me to the company. My mailing address, phone number, marital status, social security number rarely change.

Most organizations make use of MD so that they can maintain the definition of these entities in a single place, and they can simply refer to these definitions through the corresponding unique identifier. The identifier provides a quick way to get to the full set of information. In many cases, the identifier can serve as a stand-in for the full set of information.

Supply Chain Master Data

Wikipedia doesn’t yet have a definition for Supply Chain Master Data. I’ve coined the term to describe something that is similar, but distinctly different than Master Data as described above. I’ll define it like this:

“Supply Chain Master Data is that persistent, non-transactional data that defines a business entity for which there is, or should be, an agreed upon view across the supply chain.” Continue reading Master Data, Supply Chain Master Data and Instance Data

Who’s Responsible for Global Supply Chain Security?

My favorite pharmaceutical supply chain blog is DrugChannels by Dr. Adam J. Fein (PhD). Dr. Fein started his blog in May 2006. I became a subscriber and regular reader sometime later that year. The focus of DrugChannels is “Pharmacy economics and the pharmaceutical supply chain”, which has often included very rational opinions on the economic viability of various pedigree laws.

My RxTrace blog has only been around for a short time and its focus is “the intersection between the pharmaceutical supply chain, track and trace technology, standards and regulatory compliance”. This is almost the inverse of DrugChannels. I’d like to think they are complementary but I suppose we can’t judge that until I generate quite a few more posts. Either way, I owe quite a lot to Dr. Fein and DrugChannels because they provided me the inspiration for starting this blog.

In a recent email exchange, Dr. Fein drew my attention to the FDA document, “Safer Medical Products: Investments for Supply Chain Safety and Security”, a 22-page apparent explanation for an increase of $166,433,000 and 346 FTE’s in the FDA’s FY 2010 budget proposal. Part of the increase “…includes investments that will allow FDA to implement new approaches to effectively regulate the safety and security of the supply chain of medical products …”. “Medical products” include human drugs, vaccines, blood and other biological products, medical devices, animal drugs and medicated feed.

New Approaches

The biggest driver of the need for the increase is the rapid globalization of the supply chain for medical products that end up in the medicine cabinets of Americans.

“The priorities proposed in this initiative will assure the safety and security of foreign and domestic sources of ingredients, components, and finished products at all points in the supply chain…”.

“Supply Chain Safety and Security relies on risk-based prevention with a verification-focused approach to hold all segments of industry accountable for ensuring that their products meet U.S. safety standards, with FDA verifying compliance with standards.”

“FDA will increase medical product safety and security by enhancing oversight of entities in the supply chain.”

The proposal promises to hire more experts and modernize FDA information technology. But it also includes funds to fight internet drug fraud, and to allow FDA to develop policy options related to drug importation.

“FDA will develop policies to implement the Administration’s policy of allowing Americans to buy safe and effective drugs from other countries.”

So is the FDA Responsible for Global Supply Chain Security?

Lots of interesting content for everyone to mull over. Daniel R. Matlis, president of Axendia, has done just that in a post on the PharmTechTalk blog. In his post he uses the FDA document to question whether securing the global medical products supply chain should be the FDA’s responsibility or the industry’s. It’s an interesting question and Matlis juxtaposes the FDA paper against comments reportedly made by Gerald Migliaccio, Vice President of Quality, EHS and Agility at Pfizer Global Manufacturing at a recent joint session of the PharmTech Conference and the Manufacturing Execution System in Life-Sciences Congress. Migliaccio believes that, “Supply chain security is the responsibility of all parties involved in procurement/ sourcing, manufacturing, packaging and distribution of raw materials, intermediates and final product.”

Matlis concludes that industry and regulators have different roles in securing the supply chain and that we all benefit by their efforts. After raising such a provocative question, I felt let down by such a milquetoast conclusion. Like Gerald Migliaccio, I believe the responsibility for supply chain security falls squarely on every participant in that chain, global or domestic. FDA is an arm of our government—that which is of, by and for…us, the consumers, the patients. To me, it seems backwards to make the consumer/patient responsible for the safety and security of the supply of products that are advertised as being safe and beneficial to our health and wellbeing.

I’m not arguing against the existence of the FDA, only the argument that it is up to the FDA to ensure the safety and security of the supply chain. What we need from the FDA are standards that ensure that illegitimate supply chain activity can be detected automatically by the supply chain participants themselves. Arming each buyer in every purchase transaction in the supply chain with the means to reliably, quickly and independently verify each prior transaction back to the original manufacturer would accomplish exactly that. I’ll explain how that can be done in future posts.

DISCLAIMER: RxTrace contains some of the personal thoughts, ideas and opinions of Dirk Rodgers. The material contained in RxTrace is not legal advice. Dirk Rodgers is not a lawyer.
The reader must make their own decisions about the accuracy of the opinions expressed in RxTrace. Readers are encouraged to consult their own legal counsel
and trading partners before taking any actions based on information found in RxTrace. RxTrace is not a vehicle for communicating
the positions of any company, organization or individual other than Dirk Rodgers.

RxTrace, a comprehensive exploration of the intersection between healthcare supply chains, track and trace technology, standards and global regulatory compliance.
Contact Us | Privacy Statement
Copyright © 2009-2017 Dirk Rodgers Consulting, LLC. All Rights Reserved.
RxTrace is a registered trademark of Dirk Rodgers Consulting, LLC
L, A, S, C
SiteLock