2011 Product Security Report: Back to the Future

Pharmaceutical Commerce - September/October 2011

Industry is gearing up for another go at e-pedigree and anti-counterfeiting safeguards.

There’s a “back-to-the-future” feeling in the current scene in product security and brand integrity: many of the initiatives that were starting up in 2008, when the California e-pedigree program was marching ahead (only to be delayed until 2015), are being dusted off and revived. The California Board of Pharmacy itself has held a meeting on the subject this month (the first in a couple years), and is expecting to crank up industry workshops during the next calendar year. Another pilot project for serialization has been announced in Europe—this time in Germany, and with the specific goal of preparing for the timetable set by the European Parliament’s “Directive on Falsified Medicines,” passed last spring; that EU-wide effort is expected to take hold in 2016 (not accidentally roughly the same timetable set by California).

As in past years, FDA continues to pile up new criminal investigations of counterfeit drug distribution (Fig. 1)—and in keeping with past patterns, is still seeking expanded authority from the US Congress to develop a national pedigree program. (In providing these data, FDA always cautions that they are neither a measure of counterfeiting activity, nor a count of the volume of counterfeits circulating. But their continuing rise does point to a rising level of concern.) A small number of additional states continue to establish their own pedigree and wholesaler-licensing programs, now proposed, legislated or enacted in 32 states.


Another recent bit of FDA activity—which, amazingly, traces all the way back to the 1992 revision of the Prescription Drug Marketing Act—relieves “non-ADR” distributors from providing pedigree documentation sourced all the way back to the manufacturer. Per a July Federal Register announcement (Docket No. FDA-2011-N-0446), distributors who are not authorized by the manufacturer of a product, but who can provide a pedigree that goes back to the last entity that is an ADR, can still trade in that product. This, in fact, enables many so-called secondary distributors to continue to do business, and represents a final victory, after five years of litigation, for one of them, RxUSA, which started litigation when FDA sought to impose the ADR requirement on all distributors.

In effect, pedigree rules are still in force, but with more limited scope, which represents a step back in the overall track-and-trace effort in the US. As FDA noted in the announcement, the rule “has been effective for only a total of 7 days since the finalization of the rule in 1999,” due to review and judicial proceedings. This could have been considered a momentous turnabout in the track-and-trace effort, except that everyone involved is now looking toward Congressional action on the overall topic (see PDUFA story, p. 8). And today, ironically, many of these same secondary wholesalers, collected together as the members of the National Council of Pharmaceutical Distributors (NCPD; www.ncpdusa.org), have pedigree programs in place, and in a technical sense, are more regular filers of these pedigrees than the full-line, ADR wholesalers are.

Meanwhile—always behind the scenes, mostly because pharma companies do not want to alert counterfeiters to their actions—manufacturers continue to apply on-package security measures, available in a bewildering array of types and technologies. Last spring, Bayer Healthcare introduced a new package for its Levitra product, with reportedly 120 security features embedded. Security vendors continue to roll out new types of inks, taggants, optical systems and markers, for both authentication and for tamper evidence.

Finally, GS1, the international standards-setting organization for product identification, continues to refine its set of guidelines for item-level serialization and data exchange. GS1 US Healthcare (Lawrenceville, NJ) is holding workshops in Chicago and at its headquarters in coming weeks to review current guidelines with industry.

At the same time, there are many new dimensions to the brand integrity, supply chain security and product authentication field. Industry, as well as FDA, is moving toward a more encompassing view of overall product security, including both upstream movement of pharmaceutical ingredients as well as downstream finished-product distribution. Supply chain security is now sharply in focus by FDA and the Pharmaceutical Cargo Security Coalition (see p. 7), with both organizations tracking cargo thefts and seeking to prevent stolen goods from re-entering legitimate supply chains. FDA has also established its PREDICT program, an attempt to perform rapid risk assessments of imported food, medicines and other products suspected of being adulterated or counterfeit.

Another new element is the growing focus on illicit Internet pharmacies, which commit a wide range of violations including selling without doctor’s prescriptions; selling controlled substances (a violation of the Ryan Haight Act); selling unapproved or outright counterfeit products; and—worrisomely for the pharma industry—selling bulk APIs that might have the same contamination or adulteration as counterfeits. And that gets the pharma industry right back to worries about the overall security of the supply chain.

Google accepted a $500-million penalty from the US Dept. of Justice in August, the culmination of a running investigation of illicit pharmacy activity over several years. Google, like many other broad-based search engines, now has restrictions in place to limit pharmacy advertising to certified pharmacies (usually operating under the VIPPS program established by the National Assn of Boards of Pharmacy), but a casual search of drug sales online still turns up numerous “Canadian” and other pharmacies that commit the same violations as before (NABP maintains a list of suspect online pharmacies that parallels many of the online pharmacies showing up on searches). Several companies now provide a service to pharma and other brand owners to monitor online marketing activities at these pharmacies, and while federal or international sting operations occasionally interrupt their activity, the marketing goes on apace.

Track and trace

Center stage—at least as far as industry capital budgets are concerned—for product security remains the broad-based effort to establish track-and-trace programs for pharmaceutical distribution or dispensing. In the past year, Turkey has moved ahead with a national program; Brazil, India and several other countries have legislation or industry directives in place, and many more nations are reportedly considering taking action. In many cases, especially outside the US, the programs are a complement to national health-insurance programs, where central governments are trying to streamline the dispensing and reimbursement of drugs. The US remains the primary proponent of full tracking of drug distribution through the value chain, from manufacturer to wholesaler to retail or point of dispensing.

According to data published by the Center for Healthcare Supply Chain Research (sponsored by HDMA), just over half of all manufacturers in the US have some type of serialization activity going on, either full-scale production or a pilot program. In the past year, TEVA Pharmaceuticals, the leading generics manufacturer, announced a serialization effort—a significant breakthrough in that generics manufacturers have customarily been looked on as reluctant participants in serialization. Other generics manufacturers are reported to be following suit.

“Strategic planning is occurring at a growing number of manufacturers,” says Greg Cathcart, president of Excellis Health Solutions, an IT consulting firm in New Hope, PA. “We expect to see 2012 be a real breakout year as companies get ready for 2015.”

Excellis is the lead sponsor of a meeting, the Global Track and Trace.org forum, to be held Oct. 25 in the Philadelphia area, to bring together systems integrators and software vendors focused on track-and-trace. Accenture (Chicago), one of the sponsors, is seeing the same increase in activity. “Our advice is to take the time now to develop the right strategy,” says Eugene Jones, a principal at the firm. “Serialization should be one component of an overall security strategy, and some companies might be jumping on the wrong approach.”

IT developer Axway (Scottsdale, AZ), one of the pioneering firms in track-and-trace technology (and another sponsor of the October meeting) agrees. Ruby Raley, director of healthcare solutions at the firm, notes that European-style “end to end” systems will not be directly transferable to the US pedigree system, where a barcode is generated at the manufacturer or packager, and then authenticated at the point of dispensing, leaving the intermediate steps unchecked. “We were one of the first companies to garner full certification of GS1’s EPCIS standard for pedigree data transfer, and we’ve got one of the largest implementations of this at AstraZeneca, which has a global serialization program underway,” she says. (EPCIS, or EPC Information Service, was developed by GS1 to provide a way to exchange distribution “events” between supply chain partners. An alternative GS1 standard, known as the Drug Pedigree Messaging Standard, is still in effect in some states, and is used to comply with certain drug transfers. GS1 is pushing to have everyone move to the newer EPCIS standard.)

Axway has just announced what it considers a major win: the contract to provide serialization management services to Sanofi on a global basis.

The list of companies providing serialization data services is long and growing. At the production level (where codes would be applied to packages), Systech International is a leading vendor; the company just announced a partnership with Zetes Industries (Brussels, Belgium) to provide systems-integration work in Europe; in Brazil, it is partnered with Videojet Technologies (Wood Dale, IL), a leading provider of barcode printing equipment, as that program moves forward. Werum (Lueneburg, Germany; US HQ in Parsippany, NJ), a developer of manufacturing-execution system (MES) software, announced a partnership this year with Uhlmann Group (US HQ, Towaco, NJ) to deploy a track-and-trace solution with the latter’s packaging equipment (Fig. 3).

At the distribution center level, Acsis Inc. has partnered with Nosco, a label and carton converter, Cognex, a machine vision company, and Omega Design, a packaging machinery vendor, in a consortium called 4 Serialization to expedite development of overall serialization solutions. Acsis brings its serialization IT system, VisiTrak Suite, to the group. Roc-IT Solutions, organized by several veterans of an early track-and-trace developer, Blue Vector Systems, is developing a tracking system based on a technology known as aspect-oriented programming, said to be tailored to the needs of distributed systems.

At the enterprise or cross-facility level, Oracle has been promoting its Track and Trace solution, IBM has its Websphere Information Center, and SAP its Event Repository. Other vendors offering enterprise-level systems include rfXcel, Covectra, and, as part of a comprehensive product security system, SICPA and OpSec.

By most accounts, putting a barcode on a package is not a major hurdle. Aggregating those specific packages into a carton (and recording their presence), or aggregating cartons into a pallet or larger shipment, remains a significant obstacle. According to an FDA consultant who has looked into the matter, it can cost as much to install an accurate aggregating machine at the end of a packaging line as it does to perform the verified barcoding of packages in the first place. Industry experts have settled on the view that “inference”—the allowance to assume that a certain set of serialized products are in a specific carton—will be an essential part of a functioning track-and-trace system.

That’s at the starting point of a track-and-trace system. At intermediate or final points, a long list of “exception cases” needs to be resolved—what to do, for example, when a package comes in to a warehouse with an unreadable barcode (see box below). Addressing this is part of the ongoing workshops and conference calls that GS1 Healthcare US is holding (the next one will be in October, in New Jersey; see www.gs1us.org).

OpSec and SICPA are two of a type of service provider that offers comprehensive security systems for many branded products (including pharmaceuticals), government tax stamps, currencies or identity programs, or other applications where preventing counterfeiting has long been an essential service.

“Our approach is to look at a project like serialization as part of an overall business security and continuity plan,” says Jack Henderson, sales manager at the company. “Where’s the added value for the drug manufacturer, in terms of better supply chain visibility, or protecting its brand in the market? We have comprehensive track-and-trace technologies, as well as a host of on-product authentication techniques, but we tend to look on regulatory compliance as simply the first step in the process.” Henderson says that SICPA, which operates globally, is also looking at how programs developing in different parts of the world will need to be integrated from the perspective of the individual multinational pharma company.


OpSec which, like SICPA, says that it has multiple but unidentified clients in the pharma industry, takes a similar approach, most recently marketing an Internet brand monitoring service for pharma clients. “We’ve been able to analyze the connections between various ‘storefronts’ on the Web that are actually simply fronts for the same drug supplier,” says Alina Halloran, VP global online products protection. “Besides tracking who is selling products in an unauthorized manner, this helps pharma companies track down the sources, so that they can take further legal action if they choose to do so.”

OpSec conducted a survey of online pharmacies late last year, finding, among other things, that the percentage of drugs with discounts of 40% or more increased from 42% of drugs offered in 2007, to 86% in 2010. “This doubling of deeply discounted drugs is a key indicator that an increasing amount of counterfeit drugs are being sold,” they concluded.

Other companies in the online brand-protection business include MarkMonitor and New Momentum. In August, New Momentum announced a partnership with JDSU to incorporate New Momentum’s service into a more comprehensive security offering by JDSU, which manufactures a variety of security products, including SecureShift inks and CHARMS taggants, which have been used by pharma packagers.

On-package authentication

Counterfeiting was a problem before the Internet; before pedigree programs; indeed, going all the way back to the earliest days of the pharma industry—when there were, indeed, “snake oil” salesmen who sold what was claimed to be a curative derived from traditional Native American practices. On-package anti-counterfeiting methods were the norm, and are still in broad use, if only by a fraction of the pharma companies who could deploy them.

Today, the battle chest of tools includes specialized types of printing, proprietary inks, taggants, holograms and other “optically variable” methods, films and coatings and more. Security experts commonly speak of a layered approach to anticounterfeiting, with “overt” techniques that are meant to be observed by the patient (such as a tamper-evident seal that breaks apart irretrievably when opened); covert techniques meant to be kept unknown except by examiners in the field; and forensic techniques, meant to be used as a last, most-secure means of analyzing product quality, often requiring a laboratory analysis of some type.


Security vendors have developed, and continually refine, these and other techniques. The trend most recently appears to be a combination of some type of encrypted code or characters which are next to impossible to reproduce, but which can be read easily either by a dedicated scanner, a high-powered lens, or by taking a photo of the package with a smartphone, and sending it wirelessly to a central data repository where the image is analyzed and verified. These techniques can be used on the pharmaceutical carton, on a bottle or syringe label, or, in some cases, on tablet surfaces themselves:

• Schreiner MediPharm recently introduced its Pharma-Comb Void label, intended to prevent empty vials from being refilled with fake product and resold (Fig. 4). The label has integrated covert inscriptions, combined with a tear strip that is functionally destroyed when the vial is first opened. The company also has a division, ProSecure, that makes holograms and specialized pigments for authentication.

• Bilcare, a manufacturer of packaging materials, is now offering Bilcare Protect, a polymer film for blister cards that has a metalized surface with a hard-to-replicate pattern embossed on it.

• Kodak has been marketing the Traceless system for pharma applications recently, incorporating a microscopic marker that can be read with a proprietary scanner; the product is one of several that Kodak offers for a “multilayered brand protection model.”

• AlpVision is offering Cryptoglyph, a method of encoding microdots in a pattern that can be detected with appropriate software and a scanner, but is otherwise invisible to the eye. Earlier this year, the company announced that three pharma manufacturers, including Debiopharm Group (Lausanne, Switzerland), would be deploying the technology this year.


As something of a combination of on-product authentication and track-and-trace, several organizations have developed simplified communications systems that allow end users to read a scratch-off code (similar to a lottery ticket), call the code into a central number with a cell phone, and get a ‘yes/no’ response that the product appears to be authentic. The technology is being promoted by Sproxil and PharmaSecure in Africa and other developing regions of the world, where cell phone use is common, but counterfeiting is widespread. Accenture has weighed in with its own version of this technology, called the Easy Remote Mobile Authentication Solution, and has developed an “ERMA App” for smartphones. In theory, the system could be integrated into the EPCIS structure of GS1 for a full-blown e-pedigree program, but managing the workflows in industrialized-world warehouses and supply-chain processes would be a challenge.

In-transit security

One of the clear success stories in recent years has been the accomplishments of the Pharmaceutical Cargo Security Coalition (PCSC; www.pcscpharma.com) in tamping down in-transit theft. According to Chuck Forsaith, chairman of the volunteer-run organization, overall thefts of trucks or warehouse burglaries have dropped from 29 in 2009, to 19 in 2011 (through the first nine months of both years), while the value of these thefts has fallen more than tenfold, from $3.5 million to $322,000. The group has accomplished this mostly through bootstrap efforts, sharing information about patterns of thefts, highways at risk, and distribution center practices to prevent break-ins. The entire industry is still feeling the repercussions of the Eli Lilly break-in of March 2010, when $75 million worth of branded products were stolen during a weekend theft, and despite considerable security measures already in place. Cargo thieves are professionals, says Forsaith, and will take the time to research weak points or flaws in a security system. The group is meeting at a Merck facility for one of its annual get-togethers in early November.

Cargo theft, from a governmental perspective, has become part of anti-terrorism defense, and shippers who employ aircraft for drug transportation have had to deal with the “TSA 100% inspection rule” requiring that any package being carried on passenger aircraft be inspected prior to being loaded. TSA, partly at pharma industry behest, began the Certified Cargo Screening Program (CCSP), which allows shippers themselves, or their freight forwarding agents, to pre-screen packages prior to delivery to an airport. According to TSA officials, as of this summer over 100 organizations had the CCSP status. The next step that industry watchers are awaiting is a requirement that all cargo (passenger or cargo aircraft) inbound to the US be screened.

BOX: Track and trace for medication adherence

Many proponents of track-and-trace technology have said that there are identifiable business values to be obtained from having the system in place—it’s not just a matter of regulatory compliance. Indeed, preliminary studies have shown efficiencies in handling product returns, in gaining higher visibility to downstream supply-chain processes, and in better managing inventories. But now, one vendor is looking at track-and-trace as a pathway to better healthcare.

Covectra, an IT vendor that markets the AuthentiTrack system, has adapted that system to an adherence-monitoring service. According to Steve Wood, president, a brand owner could provide an incentive to patients to call in the serial number of the prescription they currently have, and if the serial number is the correct one (as determined by the brand owner’s own policies), receive the incentive along with however much counseling or other support services are called for. The program could then monitor the progression of the patient’s treatment, sending a reminder for refills, checking the serial number of the next refill, or other objectives.

“We’re talking with pharma companies who might have a product nearing the end of its life cycle, and who would want to position themselves favorably with payers by offering a higher level of service and potentially better outcomes for their patients,” he says.
