There have been some good discussions occurring as of late on LinkedIn, Twitter and other discussion groups on the relative strengths and weaknesses of product Serialization for pharmaceuticals. The debate sometimes centers on real value of serialization. Does it or does it not improve patient safety? Let’s assume for a moment it does, or will once the systems are in place and the markets are flush with serialized products. We need to look closer at where strength is derived from serialization and harden respective areas against attack.
We know counterfeiters need only two things to be successful – a Market and a Means. The Market is of course made for them whether legitimate or illegitimate. The legitimate global pharmaceutical market is hundreds of billions annually. The illegitimate is in the tens of billions annually, so far as we can tell. The Means, in a serialized world, is only one step beyond what is the norm for pharmaceutical production and distribution today – the exchange and verification of data at the individual unit level. It’s not a particularly huge step or hurdle for a counterfeiter who already has the means with non-serialized product. It is essentially eCommerce at a more granular level with a few extra handshakes for verifications. That’s it!
The sophisticated counterfeiter already has the means of duplicating product, packaging, coding, overt security measures and pedigree. We can harden the coding by inserting randomization and a number of proprietary security measures. However, aside from randomization, the other means of hardening are not public or shared amongst trading partners. Thus they aren’t directly capable of preventing fake or stolen products from reaching patients. At best they simply serve to authenticate after the fact – after a suspect product has been identified. I’ve seen some really impressive counterfeits of pharmaceutical products throughout my career. It is really quite remarkable. I was both angered and impressed when one of the bad guys got the upper hand on my technology set. The technology we insert into coding to harden and deter and prevent the counterfeiter will be overcome.
As we move into a serialized world the secure databases of product and event information that trading partners will use to comply with regulations will be the target for the counterfeiters.
The database will be the “Holy Grail” quest for the sophisticated counterfeiters. By sophisticated I mean those interested in injecting large quantities of falsified medicines into a legitimate supply chain. We refer to this in the industry as a “systemic” problem. The converse is an “instance” problem. Even in a post-serialized world most agree that counterfeits will still enter the legitimate supply chain in specialty and niche areas. If history tells us anything it’s that there will always be a human being, or several, willing to game the system for personal advantage.These instance events are essentially par for the course for our supply chain. No matter how strong our laws and regulatory enforcement there will always be someone willing to break them and look the other way to make a buck.
To reiterate, the counterfeiters have continually demonstrated they have the means of duplicating product, packaging, coding and overt security measures. We have to introduce theft into this equation as well. The growing trend now is theft. More and more counterfeiters simply chose to steal the product and then attempt to sell it back into legitimate channels or divert to gray and black markets. Will serialization help prevent stolen product from re-entering the legitimate supply chain? Perhaps.
The problem with most regulations on serialization is that they derive almost all of their strength from the use of a database of products, events and secure handshakes. Everyone in the supply chain needs to be using the system, it requires mass adoption. With respect to the US DSCSA and the EU FMD, the database(s) don’t impart any significant strength until everyone along the supply chain is using them. And the run up in time to when that is the case will be an opportunistic time for the counterfeiters. With adoption of this technology comes uncertainties and exceptions as products move. We already have a fair amount of uncertainty and exception handling in our supply chains. Stack on top of that a complicated product authentication and tracking system and our problems will compound for many years until we’ve had time to systematically fix them one at a time. The less sophisticated counterfeiters will leverage this complexity to their advantage. The more sophisticated will revel in the complexity that allows them to go undetected.
To be fair the regulators of both the DSCSA and FMD have taken into account the learning curve the industry will traverse. In the case of the DSCSA a fully traceable supply chain isn’t required for many years, i.e., October 2023. A good thing because the system as envisioned is complex. For the EU the time frame is 2017, but the system is initially just an authentication at point of dispense model – less complex than full track and trace.
The only defense left standing in this type of post-serialized world is the database. It will be the grand target for the sophisticated illegal operator or falsifier. And they won’t have to look far for the expertise necessary to break into those databases and inject or modify information so that no one is the wiser. Have a look at Chris Drake’s or Keren Elazari’s TED Talks if you doubt this.
The database is where the strength is derived and the area we need to harden if it truly is to deliver patient safety. If I’ve stolen a truck full of medicines my new major hurdle to that 1st point of sale back into a high paying legitimate market is going to be the database. Once the manufacturer or wholesaler of the stolen product has updated the database with the status of “stolen” for the serialized product, I just need to hack into that database, say a few weeks or months later, and change the record back to “salable”. I’m not sure this type of crime would ever be detected unless someone with knowledge of the specifics of the product and its status checked into the database at a later date.
If I’m a counterfeiter making wholly falsified product, again just hack into the databases, create false records of my serialized products and then offer it up for sale. As the product moves from trading partner to trading partner they simply add legitimacy to my original falsified database record. Could we detect it?Perhaps. If we suspected there was an issue the regulator could inquire directly with the manufacturer. But if their records are also hacked?
In closing there’s something very healthy about the debate on improved patient safety with the implementation of serialization. But let’s focus that debate on understanding the weaknesses and areas of risk that will be exploited by the counterfeiters. Plug the leaks and mitigate or prevent the risks – that is what will ensure we improve patient safety.