The text of the Drug Supply Chain Security Act (DSCSA) was developed last year by Congressional staff in consultation/negotiation with various lobbying organizations—primarily the Prescription Drug Security Alliance (PDSA). The effect of the legislation is to create a way of protecting the U.S. pharmaceutical supply chain that relies primarily on product identifier authentication (PIA) for at least the first 10 years and possibly beyond.
Manufacturers must be capable of responding to “requests for verification” using the lot number and expiration date or the Standard Numerical Identifier (SNI) by Nov. 27, 2017, but because wholesale distributors are not required to perform verification of saleable returns and “suspect product” using the SNI until Nov. 27, 2019, the verification service offered by manufacturers may not be heavily loaded until about that time. Dispensers must begin making use of that service using the SNI to verify at least 10% of the homogeneous cases or individual packages of suspect product, beginning in Nov. 2020.
Because wholesale distributors and dispensers must eventually make use of PIA to verify the small subset of products that are in situations believed to have the greatest risk of illegitimacy, PIA is the mechanism being relied upon most to protect the supply chain under the DSCSA.
PIA can be “gamed”
The problem is, criminals can easily “game” a PIA system if they are able to accurately guess which serial numbers are valid. If a counterfeiter knows which SNIs are valid, they can simply apply those serial numbers to their illegitimate packages and homogeneous cases. Whenever a wholesale distributor or dispenser verifies one or more of the serial numbers on the counterfeit products, the PIA service would confirm that the SNI matches one that the manufacturer or repackager originally applied to a real package or case. This would defeat the protective nature of the PIA mechanism because supply chain members would no longer be able to count on the PIA service to differentiate between good and bad packages and cases of that product.
How would a counterfeiter be able to figure out which serial numbers are valid? If a drug manufacturer assigns the serial numbers of its drug packages that are aimed at the U.S. market sequentially, it is pretty easy. All a criminal would need to do is get ahold of one or more real drug packages and make note of their serial numbers. Getting access to more than one would give them a pretty good clue, if the serial numbers are within a few dozen of each other, that the numbers are likely being assigned sequentially. If the criminal had access to a large amount of product—say, as an undercover criminal posing as a legitimate employee of a manufacturer’s, wholesaler’s or chain pharmacy’s warehouse; or even getting a real job there for a few days, just to collect valid serial numbers—they could be very confident that the numbers are, or are not being assigned sequentially.
Once the criminal determines that a given drug’s serial numbers are assigned sequentially they can assign their serial numbers within the range observed. Now whenever someone uses the manufacturer’s simple PIA service to verify the product identifier, the response for the counterfeiter’s product will be “valid.”
Pseudo-randomization strengthens PIA
How do you eliminate this problem? One way to strengthen the PIA approach to supply chain protection is to randomize the serial numbers.That makes the criminal’s job a lot harder because, to reproduce valid serial numbers they would need to literally read the serial numbers on as many valid drug packages as it intends to produce, and then reuse only those specific serial numbers. Now the kind of access to valid packages a criminal would need would be pretty long and private, so they would not be observed scanning a large number of drug packages.
And full randomization is not necessary to thwart this kind of criminal. Any approach that results in sparseness and some amount of pseudo-randomness will be sufficient.
The European Federation of Pharmaceutical Industries and Associations (EFPIA) understood this problem when they threw their support behind Point of Dispense (PoD) Authentication and they understood this solution when they recommended the use of randomization techniques to result in 1:10,000 odds of guessing a valid serial number. But Congress didn’t understand this subtlety and only mandated PIA through the verification services requirement. So it is up to drug manufacturers to recognize the deficiency and voluntarily randomize the serial numbers applied to their drug packages, and perhaps to their cases as well. Not doing so would elevate your risk of becoming a target of this kind of crime in the future.
And now is the time to begin randomizing your serial numbers, not in 2019. That’s because you will have the full range within a given serial number length to generate random numbers, without the need to skip over the range that contains your initial sequential numbers. Of course, there are ways to deal with that issue as well.
Randomization seems to add another level of complexity, and it does, but most, if not all, of the companies who sell serial number management solutions include some way to meet the EFPIA randomization requirements without much difficulty. I highly recommend that you apply that capability on your U.S. products as well.