2015 Product Security Report

Meeting the compliance deadlines of the Drug Supply Chain Security Act has the attention of many in biopharma product and brand security


serialization barcodes
Fig. 1. Even with a global push for unit serialization via barcodes, there are national variations.

The land rush is on. After years of wrangling over compliance requirements for serialization and traceability in the US pharma supply chain, manufacturers and their trading partners now have definite deadlines to meet (including a May 1 deadline hitting just as this report goes to press). The first movers and pioneers are already gaining experience on meeting the current compliance deadline, and are moving forward with a next milestone, in 2017, for unit-of-use serialization.


Traceability is a key component of product security and brand integrity for the US pharma industry going forward; but already the US is playing catch up with the rest of the world, which moved forward even while US legislators and lobbyists wrangled over the details of the Drug Supply Chain and Security Act (DSCSA), which was passed, in a rare instance of Congressional bipartisanship, in late 2013.

The investment that manufacturers are making is substantial: estimates range from $150,000 to $500,000 to install the serialization machinery (bar-code printers, machine vision systems and the like) on a single packaging line; and additional sizable costs are incurred for the site- or enterprise-level IT systems necessary to collect, store and deliver the traceability data. The number of pharma packaging lines, worldwide, is somewhere between 5,000 and 10,000 (although no one is expecting all lines to be fully DSCSA-compliant any time soon).

DSCSA is the centerpiece of a national effort to secure the pharma supply chain from the entry of counterfeit products, diversion from one distribution channel to another (which can affect the integrity of the products, as well as revenues for trading partners), and, through tighter licensure and FDA inspections, the ability of companies to handle life-saving medical products with appropriate safeguards. It parallels, to a degree, FDA’s own emphasis on better product quality, as evidenced by the opening of the Office of Pharmaceutical Quality at the beginning of this year.

But supply chain integrity is only one aspect of the overall effort. Manufacturers and their service providers are clamping down on cargo theft, which, besides the obvious loss of the product itself, can impact the safety of all of the inventory of a branded product in distribution. And while manufacturers have long employed a variety of authentication or anti-counterfeiting measures in their packaging, there is a noticeable uptick in use of these countermeasures, especially for products in global circulation.

Videojet 8610
Fig. 2. DSCSA compliance begins at the packaging line, with barcoding equipment like this Model 8610 from Videojet.

Mention of globalization brings attention to e-commerce, and the ease with which products can be marketed in one country and sold in another. The biggest gap in total product security remains the Internet, which, in the US, remains partially open for consumers to purchase products (whether FDA-approved or not, and whether authentic or counterfeit) relatively easily. There are significant efforts in this regard as well, notably the capability that the National Assn. of Boards of Pharmacy (NABP), under the aegis of the Internet Corporation for Assigned Names and Numbers (ICANN), to regulate the use of “.pharmacy” as a domain-name extension, which began late last year. In theory, going forward, all legitimate online pharmacies will have a “dot-pharmacy” name, and consumers will only use those for online purchasing.


Brand security begins with the physical products themselves, and the anti-counterfeiting measures manufacturers employ. For years, technology developers, and contract packaging organizations that partner with them, have been offering such techniques as microprinting, holograms, invisible inks and other printing and mechanical methods to add anti-counterfeiting measures to paperboard cartons, syringes or vials. At best, these techniques (which add some cost to the packaging) have been used in perhaps 10% of pharma packages (although in some categories it reportedly goes as high as 40%). Industry experts harp on the theme of “multilayer” security—by which logic, more than one technique should be used. The other guideline is to identify anti-counterfeiting methods by application: overt (visible to the end user); covert (locatable only with specialized knowledge); or forensic (for validation in the field or laboratory).

The rap against these security measures is that they can be defeated by the sophisticated counterfeiter, or that the verification methods simply get ignored by careless purchasers of the products. But technology developers continue to roll out additional methods, with the current focus on optical or Internet-based methods.

Advances in near-infrared spectroscopy are one of the drivers for InfraTrac, whose president, Dr. Sharon Flank, presented at the Healthcare Compliance Packaging Council’s RxAdherence meeting this spring (see p. 22). InfraTrac uses a combination of conventional wet chemistry and spectroscopy to create unique fingerprints of products and materials; the fingerprint can be made from excipients or additives already in a pharmaceutical formulation, and the spectrograph of the resulting scan, stored in a digital library, provides the in-field authentication. Whereas conventional spectroscopy requires laboratory equipment and considerable testing time, Flank says that the spectrograph can be performed in the field with a hand-held device.

Optics are also the foundation of Alpvision, which encodes a microdot pattern, called Cryptoglyph, on packaging that can be read with cameras and even smartphones. This authentication step is backed up with an online platform, Krypsos, to streamline in-field authentication.

In the Internet arena, Sproxil has won considerable attention with its method of providing a product code, on a scratch-off panel, that can be checked with a simple text message. The company’s technology is in use in several African countries; the company claims that 15 billion consumer packages (pharmaceuticals as well as other products) have been authenticated through early 2015.

Incorporating lot-level serial data into a packaging line is not especially challenging from a technology perspective—manufacturers have been doing this for a long time (although the reporting requirements of that are now changing), notes Rich Nemesi, global vertical marketing manager, life sciences, at Videojet, a major supplier of barcoding and serialization equipment. But the right perspective is to look ahead, to coding requirements globally (which have a variety of requirements) and make capital investments with the future in mind. To that end, Videojet offers a variety of coding technologies (continuous ink-jet; thermal transfer, thermal ink-jet and laser methods) which, in turn, can handle most types of substrates. Most recently, the company introduced the 7810 ultraviolet-laser marketing system, which avoids the need for a “knockout window” on the substrate that has a coating to react to the laser light. Additionally, the company is introducing an online service to enable customers to have printers serviced remotely, from a central Videojet engineering facility. “Few packagers have marking-equipment engineers on hand, so when there’s a problem, we often need to send a service engineer out on a call,” says Nemesi. The remote service could save money, at least on routine servicing, for both Videojet and the client.

SICPA Securink Corp. is a major player in global banknote and security-document authentication, offering both online code-verification schemes as well as on-product inks and taggants for product authentication. In October, the company joined in with a World Bank-organized pilot project involving several international nongovernmental organizations to fight counterfeit medicines in the developing world. “There is interest from pharmaceutical brand owners to protect their products and consumers from counterfeiting and diversion but that this is taking a back-seat currently as stakeholders work towards serialization compliance,” the company tells Pharmaceutical Commerce. “While the US pharma supply chain is perceived as relatively safe compared to others globally, there have been incidents of counterfeited and diverted product over the last several years and we feel this will continue until the pharma industry adopts multi-layered security solutions.”

Currently, the main activity of pharma manufacturers has been to upgrade their packaging lines’ coding capabilities, both to improve lot-level data generation (to meet current DSCSA requirements) and to prepare for the eventual unit-level serialization, due to take effect in 2017 in the US, and already a factor in Turkey, China, Brazil and elsewhere. Under the Falsified Medicines directive in the European Union, a similar requirement—and deadline—is looming, with packagers based in Germany already installing the unit-level machinery.

This has made substantial business for such companies as Optel Vision, which opened a new operations center in the Netherlands, Systech International, Seidenader (part of Korber Group), Mettler Toledo PCE, Antares-Xyntek and others. Coding technology itself comes from Videojet, Domino, Epson America, and Zebra Technologies, among others.

At last month’s Interphex exhibition (New York, April 21-23), a trio of companies demonstrated how all this is coming together for manufacturers and contract packagers. The iTech15 laser barcode printer, from Domino Amjet, is paired with packaging machinery from Omega Design, and assembled for use by 3C! Packaging, a contract packager. This grouping calls to mind the collaborations and partnerships that were in the winds during the 2005-2008 period, when the possibility of using RFID technology (instead of, or in addition to, barcode technology) was being touted; although that technology failed to get broad acceptance so far in pharma, it emphasized the need to have a unified, interoperable system among packaging technology providers.

“Impending regulations such as DQSA and UDI are driving a flurry of compliance activity in both Pharma and Medical Devices,” said Mark Shaffer, Domino business development manager, in a statement released before the show (DQSA refers to the Drug Quality and Security Act, of which DSCSA is a part; UDI refers to “unique device identification,” a parallel serialization effort in the medical device community). “These are fixed timelines that aren’t changing. Couple that with similar global regulations in Europe and other parts of the world, and you’ll see it’s more important than ever to work with partners that are well-versed in the regulations, global in scope to scale solutions across the world, and are well-respected by both end users and the OEM partners.”

Lonart
Fig. 4. Sproxil’s scratch-off code is used, with SMS texting, by consumers to authenticate products. Credit: Sproxil

At the enterprise level
Successfully encoding packages, at the lot or unit level, is the first step to meeting the compliance requirements of DSCSA, but the next step—communicating that information to trading partners, simultaneously with delivering actual product—is a next and bigger challenge. As of May 1, all products being sold in the US are supposed to go from a manufacturer (or its agent) to an authorized distributor, and be accompanied by documentation (in most but not all cases) detailing the Transaction Information, Transaction History and Transaction Statement (aka TI/TH/TS, also as 3T). DSCSA allows for these to be delivered in paper form, but wholesalers, balking at the mountains of paperwork that would be involved, are insisting on electronic delivery. Without 3T information, a shipment cannot go into commercial distribution and would be quarantined at the wholesaler until the documentation shows up.


All this is supposed to occur in a likewise manner with dispensers—pharmacies and hospitals—by July 1. While some dispensers, particularly the chain drug stores, are ready for this, many in the supply chain are not. The likelihood is that the major wholesalers will be offering to record and store the data, especially on behalf of independent pharmacies to whom they are suppliers; there’s also a better-than-even chance that FDA will delay implementation, as it did for five months at the end of 2014 for manufacturers.  

A survey conducted at the beginning of this year by Frequentz, one of the companies developing software in this area, indicated that 80% of manufacturers were ready for DSCSA’s May 1 deadline, and that 10% are ready for the 2017 unit-level requirement in 2017; of a small number of retail-pharmacy respondents, however, readiness was doubtful.

To a considerable degree, transmitting the lot-level data to trading partners is a marginal upgrade of what they’ve been doing for years, although the need to have actual product shipment align with documentation precisely is a challenge. Many manufacturers and wholesalers are exchanging data via the fairly standard Advance Shipping Notice component of electronic data interchange (EDI); the Healthcare Distribution Management Assn. was instrumental in developing guidance for aligning ASN with the requirements of DSCSA over the past couple of years. But it’s a big additional step to incorporate 3T data into ASN, and for that reason, most trading partners are looking at the adoption of the EPCIS standard from the GS1 organization. (EPCIS stands for “electronic product code information standard,” and was developed originally for RFID communications, to which it is still applicable).

With EPCIS, protocols are established to record and store events, such as the movement from a packaging line to a warehouse, or a warehouse to a retailer; this information is meant to accompany shipments as part of the 3Ts.

According to Gena Morgan, director of implementation and services at GS1 Healthcare US, EPCIS is ready to go for developers to write software and for clients to put to use; EPCIS has also been identified by FDA as a suitable framework for meeting DSCSA requirements. Even so, there are working groups within GS1 Healthcare US developing protocols for, among other things, handling exceptions to conventional transactions, and GS1 Healthcare US is planning to publish an updated implementation guidance document later this year. A third, ongoing element of GS1’s activities is to set up a certification process for IT vendors who want to claim that their technology is “EPCIS certified.” (Several vendors make this claim already; how relevant it is to the current state of the art in EPCIS and DSCSA requirements is unclear.)

EPCIS
Fig. 5. The basic structure of GS1’s EPCIS standard: matching a product identity with ‘events’ that occur. Credit: GS1

The competitive environment in EPCIS traceability for pharma is hot and getting hotter, with claims and counterclaims flying back and forth among vendors. Arguably, a market leader currently is TraceLink, whose founders have been involved in pharma traceability since the early 2000s (see p. 11). Shabbir Dahod, founder and president, says that more than 100 manufacturers or distributors have implemented TraceLink’s cloud-based technology, and they, in turn, have brought more than 100,000 trading partners (from big wholesalers to the local corner pharmacy) into the TraceLink network. A key capability is that once an entity is logged into the system, that entity becomes available to any other TraceLink client—a network effect that could propel widespread connectivity in traceability (and make a lot of business for TraceLink).


TraceLink has also made a substantial commitment to broad-based cloud computing, and is aligned with the technology and resources of Amazon Web Services. “The scaling issue becomes very important in this context,” he says. A typical mid-tier manufacturer will develop hundreds of millions of records of EPCIS events over the course of a year, and that gets into the billions range when the data is stored over time. Merely to have data-storage capacity, let alone the access to that data, becomes a challenge. “We have a very interesting dialogue with pharma clients when we’re talking about cloud-based computing. They are already committed to cloud-based computing for IT needs; they are looking for business partners who can go with them to where they need to be.”

“By leveraging the thousands of companies already configured on the TraceLink Network, a single link to the Life Sciences Cloud ensures that we can quickly and securely connect to our large and diversified trading network for on-time DSCSA compliance,” said Patrick Schmidt, CEO of FFF Enterprises, a drug distributor that announced its selection of TraceLink this fall. FFF is notable for having its own “guaranteed channel integrity” service in place since the early 2000s to protect against the intrusion of counterfeit or diverted products into its supply chain.

Other traceability IT vendors are critical of the ability of a generalized cloud-computing company like AWS to meet pharma’s specific needs, and of the approach taken by TraceLink, even while they offer variations on the all-in cloud-based service. Axway, for one, puts an emphasis on security in DSCSA transactions, by including an API gateway service that backs up the security of communications between trading partners. rfXcel offers a cloud-based traceability service called rfXchange, a “verified event network” that is said to verify transaction data before it is delivered to a trading partner, to ensure that it is compatible with that partner.

“Pharma companies we’ve talked with are very careful about how vital trading-partner data is exchanged,” notes Atif Chaughtai, director of healthcare solutions at Axway. “They want assurance that their data will not be exposed or their databases hacked by outsiders.”

Frequentz, which arose originally from the InfoSphere Traceability technology acquired from IBM, offers the Information Repository & Intelligence Server (IRIS), which Haris Kamal, VP, Life Sciences says has been updated for DSCSA compliance, and has analytics capabilities layered on top of the communication protocols. He also makes the point that a public cloud-based, multitenant service (TraceLink doesn’t quite characterize itself this way) has all clients updated at the same time whenever the software is updated, “and that could create problems for pharma companies that want to control the scheduling of their updates.” A related problem is how pharma manufacturers would meet the software validation standards of FDA (which normally requires a software user to carry out operational and performance testing before commissioning the software), although it’s far from clear that FDA has itself worked out these steps.

Systech International, which has been developing both packaging-line serialization technology and middleware for communicating transaction information for years, puts an emphasis on setting up an enterprise-level system correctly. “Some vendors want to set up systems where each packaging line communicates with the enterprise-level server, but the more reliable approach is to include a site-level system between the packaging line and the enterprise,” says Dave DeJean, EVP at the company.

All of these vendors claim varying degrees of compatibility with SAP, a popular enterprise-software vendor throughout life sciences. At press time, word was trickling out that the company was about to announce a dedicated pharma traceability solution, based in part on two existing SAP products: Auto-ID Infrastructure (AII) and Object Event Repository (OER), which have been around for years and which are being used in some installations now. Potentially, an SAP traceability solution would streamline connectivity between the serial-date generation and recording process at the packaging line, and the enterprise-level data reporting that resides within SAP systems. But SAP has competition both from other enterprise software vendors, and from solution partners that offer their own plug-in software to SAP. An enterprise-level competitor is QAD, which announced a DSCSA-compliant traceability solution last fall. Oracle, also a widely used enterprise-software provider in life sciences, has a serialization and traceability solution, as does JDA Software.

Drug distributors (as well as manufacturers or logistics providers with large warehouses) have specialized needs when it comes to DSCSA, in that the pick, pack and ship events defined by DSCSA occur there. ROC-IT Solutions is one vendor that has made warehouse operations a focal point. “For a while to come, distributors will have to deal with serialized and non-serialized products, which is a challenge from an IT perspective,” notes Larry Hall, VP, sales and operations. Other companies competing in this space include Acsis, Inc. International Business Systems and a number of warehouse-management software providers.

Bringing the cloud-computing question around again, SAP has its own impetus for cloud-based computing (both to provide its software and to provide data-storage services to clients). Given the rapid pace with which cloud computing is taking over more and more business-software applications, it’s a tough bet to make against where its security, connectivity and upgrading capabilities will be by the time the full DSCSA requirements are in place, which won’t happen in the US until 2023. 

Cargo security stiffens
This year, the book begins to close on the largest pharmaceutical cargo theft in history—and one of the largest thefts of any sort, ever—the Enfield, CT robbery of an Eli Lilly warehouse in 2010. In February, the five gang members all pleaded guilty to the crime, estimated at $80 million, and will receive sentences ranging from one to five years. They weren’t caught until two years after the theft, as they began to try to sell the stolen drugs to undercover law enforcement agents.

The Enfield burglary was a milestone in pharmaceutical cargo theft; but the more mundane robberies of last-mile pharmacy deliveries, and of truckloads in transit from warehouses to distribution centers continues, month by month and around the world. Data from Freightwatch, a subsidiary of Sensitech, finds that pharmaceuticals represented 1% of cargo thefts in the US, by number of incidents, but the value is relatively high: around $200,000 on average. A survey conducted by Freightwatch together with Marvin Shepherd of the University of Texas College of Pharmacy (and president of the Partnership for Safe Medicines) found that indirect costs from a theft (for quarantining product, replacement value and other components) is at least $566,000, and goes well over $1 million if a comprehensive product recall is necessitated by the theft.

According to Chuck Forsaith, head of the Pharmaceutical Cargo Security Coalition (PCSC), cargo thefts have dropped dramatically in the past five years, from 45 in 2010 to 9 in 2014, due in no small part to the coordination PCSC provides with local law enforcement in the US, and its advocacy of using electronic monitoring systems of cargo in transit (a service provided by Freightwatch and others). Average value, however, jumped to an estimated $1 million during the year. The cat-and-mouse game between thieves and carriers continues to evolve: Freightwatch reports that it is becoming more common for thieves to use electronic jamming devices to subvert the tracking systems (one piece of simple advice: don’t put the tracker prominently on the roof of a truck; thieves simply tear it off).

“We, as an industry, have made significant strides in protecting our products in ‘full-trailer’ delivery scenarios—as well as preventing warehousing burglaries like what had occurred to Lilly, GSK and Bayer in the past,” says Forsaith. “I also feel reasonably confident that a similar downward trend, although probably not as dramatic, will eventually be shown in the last mile portion of our industry’s supply chain.” While noting that PCSC has started a sub-group dedicated specifically to last-mile deliveries, and also to product-returns movements.

Another cargo-related development in 2014 was the rescheduling of hydrocodone-containing combination products (such as Vicodin) from Schedule III to Schedule II under the Controlled Substances Act managed by the Drug Enforcement Administration. That, together with the high volumes of controlled substances prescribed in the US (painkillers are the No. 1 most-prescribed drug), has led to a surge in the construction of walled vaults at drug distribution centers (a DEA requirement for Schedule II inventories). Custom Vault, one of the leading vendors in this area, has broadened its product offerings to include HighBay vaults (which can go up several stories), MegaVaults (with modular concrete slabs for the floor, walls and ceiling of the vault) and a Double-Leaf Door that allows for forklift movement into the vault. “There doesn’t seem to be a limit to the volumes that need to be contained,” says Michael Elliot, EVP at the company. “Vaults just keep getting bigger.” 

Online pharmacy regulatory gap
While manufacturers themselves can exert relatively little control on the online pharmacy scene, they, together with pharmacy regulators, law enforcement and public interest groups, are pushing hard to corral this distribution channel. Online pharmacies, like many other types of online businesses, can exist in one country or region while marketing their products globally. (Famously, many of the “Canada” online pharmacies that have special appeal to US consumers actually exist in other countries.) The National Assn. of Boards of Pharmacy (NABP) has taken a key step forward in this area by winning authorization from ICANN to manage the “.pharmacy” top-level domain name, both in the US and in other countries through collaboration with regional bodies. NABP has called attention to the online pharmacy chaos through its regularly updated survey of online pharmacies that meet US drug-dispensing standards; of almost 11,000 sites reviewed as of the end of 2014, 96% were found to be out of compliance, mostly due to selling drugs without an accompanying doctor’s prescription; another common factor was selling foreign or non-FDA-approved drugs (and how many of these are actually counterfeits is anyone’s guess).

For the past several years, NABP has managed a Verified Internet Pharmacy Practice (VIPPS) accreditation for online pharmacies in the US; the number receiving that accreditation is now 62, with others (which handle refills and other pharmacy services) having an “Approved e-Advertiser” accreditation.

The premise of the dot-pharmacy domain is that consumers will learn to trust only those with that identifier—and that could eventually happen. But pharmaceuticals remain a popular item to purchase online, and there are thousands of sites making that offer. Law enforcement agencies across many international jurisdictions have run an annual “Operation Pangea” program to enforce pharmaceutical-dispensing rules; the last one, Operation Pangea VII in 2014, resulted in 237 arrests, the seizure of $36 million worth of potentially dangerous medicines, and shutting down more than 10,600 sites, according to Interpol, the European police agency. But similar numbers were seen in prior Operation Pangeas—indicating the resilience of the rogue pharmacy business.

Operation Pangea VII included the participation of several credit-clearing agencies, including Visa, MasterCard and PayPal, and that’s encouraging development to Libby Baney, founder and executive director of the Alliance for Safe Online Pharmacies (ASOP Global). “Everyone has a role to play,” says Baney, “to help educate consumers and advocate for effective means to safeguard them from the risks posed by illegal drug sellers.” ASOP has just begun a public-education program, “Beware of Illegal Online Drug Sellers,” and sponsors a free continuing education program for pharmacists. ASOP includes about a dozen pharma companies and trade associations among its members. 
 
COMPANIES MENTIONED IN THIS REPORT
 
3C! PACKAGING
Clayton, NC | www.3cpackaging.com
DOMINO NA
Oakville, ON |
www.domino-printing.com
OMEGA DESIGN CORP.
Exton, PA | www.omegadesign.com
SAP
Walldorf, Germany | www.sap.com
ACSIS
Marlton, NJ | www.acsisinc.com
EXCELLIS HEALTH
New Hope, PA | www.excellishealth.com
NATIONAL ASSN. OF BOARDS OF PHARMACY
Mt. Prospect, IL | www.nabp.net
SCHREINER MEDIPHARM
Blauvelt, NY | www.schreiner-group.com
ALLIANCE FOR SAFE ONLINE PHARMACIES
Washington, DC | www.safeonlinerx.com
FREIGHTWATCH INTERNATIONAL
Austin, TX | www.freightwatchintl.com
OPTEL VISION
Quebec City, QC | www.optelvision.com
SEIDENADER (KORBER)
Clearwater, FL | www.seidenader.de
ALPVISION
Vevey, Switzerland | www.alpvision.com
FREQUENTZ
Palo Alto, CA | www.frequentz.com
ORACLE
Redwood Shores, CA | www.oracle.com
SICPA Secureink
Lausanne, Switzerland | www.sicpa.com
ANTARES-XYNTEK
Yardley, PA | www.xyntekinc.com
GS! HEALTHCARE US
Lawrenceville, NJ | www.gs1us.org/healthcare
PHARMACEUTICAL CARGO SECURITY COALITION
www.pcscpharma.com
SPROXIL
Cambridge, MA | www.sproxil.com
AXWAY
Phoenix, AZ | www.axway.com
HEALTHCARE DISTRIBUTION
MANAGEMENT ASSN.
Alexandria, VA | www.hdmanet.org
PHARMA LOGIC SOLUTIONS
Yardley, PA |
www.pharma-logic.com
SYSTECH
Cranbury, NJ |
www.systech-tips.com
CCL LABEL
Hightstown, NJ | www.ccllabel.com
INFRATRAC
Silver Spring, MD | www.infratrac.com
ROC IT SOLUTIONS
Pittsford, NY | www.rocitsolutions.com
TRACELINK
North Reading, MA | www.tracelink.com
COVECTRA
Westborough, MA | www.covectra.com
JDA SOFTWARE
Scottsdale, AZ | www.jda.com
RONDO-PAK
Norristown, PA |
www.rondo-pak.com
VIDEOJET
Wood Dale, IL | www.videojet.com
CUSTOM VAULT
Bethel, CT | www.customvault.com
METTLER-TOLEDO
Columbus, OH | us.mt.com
RFXCEL
San Ramon, CA | www.rfxcel.com