Information Technology
Keeping the Secrets: RFID Vendors Look to Cryptography for Anti-Counterfeiting
By: Nicholas Basta    Date: 2007-05-30

Even as the pharma industry gets its arms around RFID for product security, the next level of secure data—cryptography—is arriving

In many auto-repair shops, the customer will often see a sign posted by the front desk: “Service: Fast, Cheap or Good. Pick any two.” About the current state of the pharma industry and RFID, a similar sign might read: “RFID: anti-counterfeiting, track-and-trace, or supply chain efficiency: Pick any two.”

Ever since FDA’s 2004 Counterfeit Drug Task Force report, the grand vision for securing the pharmaceutical supply chain has been to use RFID in combination with physical packaging techniques such as printing, holography or markers. This “layered approach,” as FDA put it, would minimize if not eliminate counterfeiting; meanwhile, the expense of RFID technology would be laid off, in part, to economic improvements in supply chain operations.

“High tech does not equal high security,” says Robert Johnston, head of the Vulnerability Assessment Team at Los Alamos National Laboratory (NM). Johnston has been making the conference circuit for the past year pointing out that all of the current product security measures—including physical security from printing and markers, as well as RFID—have flaws; the danger is in believing that with the adoption of any security measure, the supply chain will be impregnable.

Along the way, states, impatient with the lack of regulatory action at the federal level, began establishing pedigree programs. (The original pedigree rules go all the way back to the 1988 Prescription Drug Marketing Act—PDMA—parts of which have been, and are now, held up by litigation). Wrapped into the function of generating a pedigree is the concept of “track and trace”—the business and technical processes of either monitoring the forward movement of an article through a supply chain (tracking) or retrieving the records of where it has been (tracing).

Fast forward to 2007. Florida, Nevada, Indiana and other states have established paper-based pedigree programs for their states, or “e-pedigrees” that allow for digitized data records to replace paper. EPCGlobal, the international standards-setting body for RFID-based product-identification systems, has generated standards for tag reading and pedigree generation, among others. A handful of manufacturers (including Purdue Pharma, Pfizer, GSK, Novartis and Wyeth) have started putting RFID tags on products, or announced their intention to do so. Leading wholesalers (including all of the Big Three) are starting up RFID track-and-trace projects, with the intent to get away from the paper pedigrees they are currently generating, and to comply with a January 2009 deadline from the California Board of Pharmacy for full-blown e-pedigree programs.

It sounds like progress, right? Indeed, it is, but lost in the shuffle of developments is one uncomfortable fact: RFID does not prevent counterfeiting and, in fact, is not really an anti-counterfeiting technology at all. RFID tags have been hacked, cracked and violated; in certain hacker communities on the Web, it’s now a sport to tout the fastest or easiest cracking techniques.

“Pharmaceutical executives I talk to understand the need to wrap their products in plastic bottles and wrap the bottle in a carton,” says Louis Parks, president of SecureRF (Westport, CT). “In a like manner, they need to think of ‘wrapping’ their data in a secure way.”

Enter the keepers of the secrets: cryptographers, and the world of public keys, hashing algorithms, and FIPS (Federal Information Processing Standards) codes. Cryptography has been around for decades, mostly in the world of secret military or government communications. The modern era of digital information, automated data-entry and -retrieval systems has caused an explosion in cryptographic technology, and information security vendors have been hard at work in developing systems to prevent counterfeiting or code-breaking in many commercial and communications applications.

Now, RFID and crypto vendors are linking up, offering a higher degree of security to brand owners, including the pharma industry. Use of cryptography also has the potential to protect patient privacy, addressing the fear that unauthorized individuals could read out the content information of a prescription bottle or a pharmaceutical package in transit. Meanwhile, some crypto vendors are saying, in effect, who needs RFID if the crypto provides the anti-counterfeiting?

Security plus identification
At last fall’s HDMA/NACDS RFID Adoption Summit, Texas Instruments (Austin), a leading tag vendor, demonstrated a collaboration with Certicom (Mississauga, ON), a crypto company that provides the security for, among other things, most cellphone communications.

TI’s tags (which are designed to ISO 15693 standards, or high-frequency) have a certain amount of onboard memory. Certicom proposes to use that memory to store an EPC number (EPC being the Electronic Product Code, as defined by EPCGlobal), along with product-specific information, such as National Drug Code (NDC) number. Using Certicom’s “digital signing appliance” (essentially a tag-writing machine that would be positioned on a packaging line), Certicom would both compress and encrypt this information onto the tag.

Any trading partner of the manufacturer would use an “authentication agent,” or decryption system based in software, to authenticate the package. Certicom notes that the authentication step does not require a network call to a central database; the authentication is performed on the spot. The trading partner could choose to decrypt the encoded information or not; by keeping the information coded, the system could provide privacy to pharmacy patients or others who do not want specific product information to be revealed.
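The offline check described above can be sketched as follows. This is an added example, not Certicom's or TI's code: it uses Ed25519 from Go's standard library as a stand-in for whatever algorithm the appliance uses, and the `Tag` layout, the function names, the sample values and the choice to include the chip's factory ID in the signed message are all assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Tag is a hypothetical layout of what the signing appliance writes to tag memory.
type Tag struct {
	EPC, NDC string
	Sig      []byte
}

// message length-prefixes each field so field boundaries cannot be shifted.
func message(uid, epc, ndc string) []byte {
	var b bytes.Buffer
	for _, f := range []string{uid, epc, ndc} {
		fmt.Fprintf(&b, "%d:%s,", len(f), f)
	}
	return b.Bytes()
}

// NewKeyPair creates the manufacturer's keys; only pub is given to trading partners.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignTag plays the packaging-line appliance; uid is the chip's factory ID.
func SignTag(priv ed25519.PrivateKey, uid, epc, ndc string) Tag {
	return Tag{EPC: epc, NDC: ndc, Sig: ed25519.Sign(priv, message(uid, epc, ndc))}
}

// VerifyTag plays the authentication agent: a local check with no database call.
func VerifyTag(pub ed25519.PublicKey, readUID string, t Tag) bool {
	return ed25519.Verify(pub, message(readUID, t.EPC, t.NDC), t.Sig)
}

func main() {
	pub, priv := NewKeyPair()
	tag := SignTag(priv, "UID-A", "EPC-0001", "NDC-0000-0000-00") // constructed values
	fmt.Println(VerifyTag(pub, "UID-A", tag), VerifyTag(pub, "UID-B", tag))
}
```

The check shows who wrote the data and that it has not changed since. Including the chip ID in the signed message rejects a payload copied to another chip only as far as the chip ID itself resists copying.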

“We are finding interest among pharma companies who want to secure a closed-loop supply chain, such as high-value specialty pharmaceuticals going to a clinic or hospital,” says Joseph Pearson, business development manager for the pharma RFID business unit at Texas Instruments. “The value there is both authentication and the chance to collect other data, such as for patient registries.”

This system offers a fairly elegant solution to an ongoing problem of pharmaceutical trading partners: many manufacturers do not want to encode product information like NDC codes on the tags, to ensure privacy and to prevent the interception of, say, controlled substances by thieves. But retailers, such as chain drug stores, by and large want to have NDC information and more encoded in the RFID tag, so that one read-out of the tag provides desired inventory information. (The alternative is to obtain the product’s unique serial code and then do an Internet look-up for the other information.)

Another entry in the encrypted RFID market comes from Atmel (Colorado Springs, CO), which is offering the CryptoRF family of products, which contain up to 64 kbits of nonvolatile memory. Atmel’s products make use of EEPROM (electrically erasable, programmable read-only memory) chip designs. End users would encode the product, using a variety of Atmel “encrypted passwords, mutual authentication, data encryption and encrypted checksums” and then electrically burn out microelectronic “fuses” on the chip to permanently encode and protect the information. The company believes that it could both provide the serial identification of products, and store a significant amount of tracking information, so that the chip itself becomes the pedigree instrument. Atmel is a major international player in RF-based “smart cards,” personal identification devices and related applications.

A third contender is SecureRF, which began marketing its technology for pharma applications last year. The company offers a LIME (LIghtweight, Multistream Encryption) “battery-assisted passive” UHF tag with multiple types of encryption and the capacity for up to 4Mbits of onboard memory. It plans to introduce a passive tag this year.

SecureRF tags employ an encryption technique the company calls the Algebraic Eraser protocol. (The “eraser” part of the name alludes to the protocol’s technique of encrypting and then erasing parts of the process, said to result in a “virtually impregnable” code.) Trading partners would use a public key to decrypt the data.

One outcome of the combination of large memory and battery power is that the tag can act as a data-recording device. SecureRF proposes to use it in combination with a temperature sensor to provide cold chain data-logging. Sensors for humidity, pH and vibration can also be specified. In effect, the SecureRF tag is both an authentication technique and a self-contained pedigree record.

“If the industry wants to use RFID just as a carrier of an ID number, why not just stick with barcode?” says SecureRF’s Parks. “There is computational and memory capacity in RFID tags, why not use it?”

Crypto without RFID
Many tag vendors, whether of active, passive, HF or UHF tags, incorporate a factory-installed ID number for the tag itself. This is a form of authentication (matching the factory ID number with other client data), although critics of RFID say that the ID number can either be copied or “spoofed” (causing a fake tag to seem to possess the desired ID number). Nevertheless, the tag ID represents one more “layer” of anti-counterfeiting security.

The alternative view toward using crypto for product security is to dispense with RFID altogether, or to use it in a routine way as simply the carrier of a number. That’s part of the vision of Kezzler AS (Oslo, Norway), whose CEO, Magnar Loken, says that several major European pharma companies—and one U.S. pharma company with operations in Europe—are planning to use “Kezzlercode” to provide authentication of pharmaceuticals.

Kezzlercode uses a proprietary crypto program to generate up to 60 alphanumeric characters as a unique product identifier. With an Internet connection, the code could be authenticated “in milliseconds” according to Loken. Meanwhile, a database of authentications or other communications with trading partners could provide a track-and-trace system for the manufacturer to monitor drug distribution. From Kezzler’s point of view, trading partners can use RFID if they want non-line-of-sight reads of packages, or use a barcode or simply print the ID on the carton if they do not need it. For a secure supply chain, each trading partner would itself need to be authenticated, for which Kezzler proposes using the digital certificate program of SAFE-Biopharm (others could be used as well—see box).

Kezzler is similar to other encrypted systems that are available to the pharma industry, including Secure Symbology (New York), Verify Brand (Minneapolis), Orbid (San Francisco), and Dintag (Anjalankoski, Finland) in Europe; label converters for the pharma industry such as CCL Label, Nosco and Cortegra, in turn, offer them for package labels and cartons.

Johnston, at Los Alamos, has proposed a simple “call-in numeric token” technique whereby purchasers (including consumers) would call a phone number to verify a code, but the authentication is a statistical probability rather than a mathematical certainty. Meanwhile, the companies that developed e-pedigree systems, such as Supplyscape (Woburn, MA), VeriSign (Dulles, VA) or Axway (Scottsdale, AZ) offer authentication as part of the data-gathering process as packages move through supply chains. Even if the authentication systems do not depend on RFID, most of the companies are designing their systems in compliance with the e-pedigree structure that has been standardized by EPCGlobal.

The major obstacle to these systems—for pedigree purposes, at least—is the readiness with which trading partners will share information about product distribution. The authentication vendors assume that the pharma manufacturer—the originator of the product, and its identity—owns the data and should be able to record all downstream transactions. However, state-level pedigree rules typically do not require manufacturer input (California’s, planned to go into effect in January 2009, is an exception). The wrangle between technologies and business relationships will continue.

SIDEBAR: DIGITAL SIGNATURES AND PHARMACEUTICAL DOCUMENTS

The SAFE-Biopharma Assn. (Fort Lee, NJ) is an industry collaboration set up mostly to provide digital certificates (authentication) for paperwork being submitted to FDA by pharma companies. But the utility of digital certificates has broader applications, ranging from pharma sales reps confirming receipt of samples with physicians, to reimbursement documentation following guidelines from the National Coalition of Prescription Drug Plans (NCPDP). As shown in the graphic below, when individual parties each set up a customized authentication, the number of pathways these authentications must follow expands exponentially. A better way is to have a common, third-party authentication “source” to which all communicating groups refer. The authentication process involves some of the same public-key infrastructure (PKI) techniques that are being used for anti-counterfeiting and other secure data exchanges.

SAFE-Biopharma has a commercially available system whose compatibility with FDA’s Electronic Submissions Gateway has been confirmed; AstraZeneca used it to transmit documentation for its latest drug application in March. In the world of pharmaceutical distribution, the SAFE-Biopharma guideline has been adopted by Supplyscape (see main story) which, in turn, provided the guideline used by Florida for its e-pedigree program. Kezzler also has developed its digital signature with SAFE-Biopharma guidelines in mind. Similar PKI-based cryptography has been used to develop the CSOS (Controlled Substances Ordering System) program of the U.S. Drug Enforcement Agency commercialized by NuBridges (Atlanta), Axway and others.



Pharmaceutical Commerce © 2010