News feature
Infosecurity Today, September/October 2006
UK to track US on drug traceability
Ian Grant
The British Department of Health is conducting a 'scoping exercise' to determine whether prescription drugs should acquire an electronic identity that guarantees their provenance.
The main aim is to protect consumers against counterfeit or otherwise suspect products.
If it goes ahead, it will require a national, perhaps continental, secure network and database that will allow customs officers, wholesalers, pharmacists and dispensing physicians to authenticate the drugs they sell at the point of sale or issue.
But there are powerful economic forces against it. Health authorities are keen because it would help protect patients against counterfeit or otherwise harmful drugs, but dislike the technology and administration costs. And even though the World Health Organisation says fake drugs cost the industry $42 billion a year in lost profits, drug makers will lose copyright protection for drugs worth double that in the next couple of years. Their money may be better spent lobbying for longer protection or inventing the next blockbuster drug.
However, momentum is growing for a system-wide track and trace system. Such a system is likely to depend on unique identification and serialisation of each pack of drugs, as well as a switch from bulk to 'unit of use' packaging.
Shift to patient-centred approach
This requires a profound change in approach. Suddenly the focus is less on manufacturing and distribution efficiency than on individual patient health. At the very least this is likely to require an upgrade to database capabilities and point of sale scanners to allow them to read, collect and verify product and pack data.
Such a switch will be complex, expensive and affect the entire supply chain. Moreover, a British track and trace system will probably have to exchange data with the National Health Service's controversial £12 billion Connecting for Health system, but without compromising patient identities. Last year the NHS filled almost 800 million prescriptions.
Department of Health officials decline to say more at this stage. However, the department's move follows the US Food & Drug Administration's decision to fulfil a law that requires drugs to have 'pedigree' documentation.
The US FDA and RFID
The FDA held up implementation for five years in the hope that drug makers and the IT industry could produce 'ePedigree' tags that use radio frequency identity (RFID) authentication and verification technologies. In August it emerged that the FDA would miss its self-imposed deadline of December 2007 for an RFID-based ePedigree.
But the legal requirement remains. This could leave drug manufacturers, distributors and retailers to implement a variety of technologies to meet the newly-effective legislation.
Multiple systems could raise costs throughout the distribution chain. It could also introduce transcription errors when data moves from one system to another, and create loopholes for fake or illegal products.
IMPACT of the UN
However, the United Nations is also getting into the act. Under the WHO, it is setting up IMPACT (for International Medicinal Products Anti-Counterfeiting Taskforce). This followed a Rome conference in February 2006 to increase global cooperation in fighting the “growing scourge” of counterfeit medicines. The WHO estimates fake drugs represent 10% of the trade in pharma products.
IMPACT has five working groups that cover technology, legislation, enforcement, regulatory aspects and risk communication. However, its director, Dr Valerio Reggi, admits that it has no direct budget. All its funding comes indirectly from the WHO's member countries, regulatory agencies and other interested parties which are also doing most of the work.
In addition to preparing a document on anti-counterfeiting and tampering technologies, IMPACT will also assess the feasibility of setting up a pilot study for a global drug authentication database and network. Dr Reggi tacitly admits a working system might be a pipedream, if only because of the different levels of capability in the global supply chain.
American problems
Even the US, the most technologically advanced country and, at 48% of the total $553 billion/y global market, the richest in terms of drug sales, is having problems.
“In 2004, we were optimistic that widespread implementation of the ePedigree was feasible by 2007 because we were told by many stakeholders in the drug supply chain that this was a realistic goal. Although significant progress has been made... this goal most likely will not be met,” the FDA's ePedigree project leaders, Randall Lutter and Margaret Glavin, said in an update report on the FDA's Counterfeit Drug Task Force.
The two remain optimistic. “We continue to believe that RFID is the most promising technology for electronic track and trace across the drug supply chain. However, we recognise that the goals can also be achieved by using other technologies, such as 2D-bar codes.
“Based on what we have recently heard, we are optimistic that this hybrid environment of electronic/paper and the use of RFID/bar code are achievable in the very near future. We believe that efforts to ensure that hybrid pedigrees are secure and verifiable should be a priority consideration.”
Ilisa Bernstein, senior science policy advisor at the FDA, adds: “There is no requirement that pedigrees be either paper or electronic, only that a pedigree exists in some format when it is required. There is no plan in the near future to phase out bar codes.
“Our position is that widespread adoption of ePedigree is a useful tool in further securing the nation's drug supply. RFID is a promising technology to achieve an e-pedigree, but other technologies can be used as well.”
No doubt the British Department of Health will note what is happening in the US, but the supply chains in the US and Europe are fundamentally different. In the US there might be up to 10 links between the raw material manufacturer and the consumer, but in Europe, which permits parallel trading, there might be as many as 40.
British Pharma keen on track and trace
A spokesman for the Association of British Pharmaceutical Industries, the drug makers' main trade body, says members are very keen on track and trace technologies because of the anti-counterfeiting advantages they offer. "But we don't want to close off access to new technologies," he adds.
“Our present position is that if track and trace was to be introduced urgently, the industry would prefer to use 2D bar codes with unique serialisation of packs and validation at the point of dispensing.”
Presently bar codes refer to the product type rather than specific contents of a pack. In the ABPI's scenario, validation would require online access to a secure database.
The spokesman adds that the healthcare industry shifted a year ago to individual packet dispensing, so more and more drugs are being packed in units of use. This allows drug makers to add extra features such as holograms and anti-tamper features to packs. “I think we are a little ahead of the US on this.”
The US initiative was driven by the need to protect patient safety. This followed the discovery of counterfeit products in the legitimate supply chain.
Fake drugs global
The problem is global. In Britain investigators for the Medicines and Health Regulatory Agency discovered nearly 2,000 fake packs of Pfizer's best-selling anti-cholesterol drug Lipitor on three separate occasions. They have also discovered fake samples of Viagra and Cialis, the erectile dysfunction drugs, as well as scores of other fake branded drugs.
Industry sources regard the West's drug distribution system as “pretty safe, but there are always some who will be tempted”, as one says.
The main threat is to patients in developing countries. Researchers believe that fake drugs cause the death of over 100,000 a year in China alone. Nigerian sources estimate that 60% of drugs sold there are fake, adulterated or past their use-by dates. Scores of Malaysian malaria sufferers died last year after taking fake anti-malarial drugs with zero active ingredients.
The introduction of a national 'ePedigree' scheme in Britain will tighten a few loopholes. But it may also prevent diversion to developing countries. If it only does that, it may save lives, but at a massive indirect cost.
As for infosecurity professionals, they have a job for life, as well as an expanding market.
EMC buys RSA Security for $2bn. Have they gone mad?
Eric Doyle
Perhaps EMC wants to be the Tesco of the IT market. If so then CA, IBM and HP offer stiff competition. Documentum was an understandable purchase for the storage giant, even though document management is peripheral to its business. And ControlCentre, Invista, Legato, Rainfinity, Smarts, and VMware were all sensible-seeming acquisitions.
RSA is something else. To many people it is the company that produces those handy, little SecurID key fobs. To those who know the company better, it is the doyen of the encryption world and the prime mover in authentication software. None of these areas has much to do with data management except in the loosest sense of access control.
The $2bn will not slip unnoticed from the admittedly swollen coffers in EMC’s Boston basement. Joe Tucci, EMC chairman, president and CEO, admitted that the deal resulted from a secret bidding war. This may have inflated the price and only adds to the suspicion that something is brewing.
EMC sees itself as the custodian of its customers’ data and, given the size of some of its accounts, that probably amounts to over half the digitally stored data in the world. At this year’s EMC World conference in April, the company began to show its hand.
Tucci kicked things off in a press conference by saying that the company had not finished its recent spending spree and would be buying up other companies – but had no plans to purchase hardware manufacturers. Later, the newly-appointed vice president of information security at EMC, Dennis Hoffman, unveiled more of a dream than a plan for the development of a security infrastructure for storage.
With virtualization of storage systems, the lynchpin is software, not hardware. Tucci does not want the company to disappear into the storage closet hidden behind this virtualization portal. He wants to hold the keys to that door – encryption keys.
Complexity of the security scene
Storage of meaningful data was thought to be the domain of the database companies until email rose in importance. Added to this, the issues and legislation stirred up by the Enron scandal have forced companies to look hard at their information systems and to want to clamp down on security. This has meant a windfall for companies defending the borders but the security scene is becoming too complex. Mobile technologies and untrustworthy or non-security-conscious employees have made breaches in the fortifications. As in days of old, the castle needs a keep, a last resort that can be defended more effectively.
Hoffman is in charge of providing this edifice for EMC. His dream, outlined at the conference, was that one day all data would be protected. At the time it sounded like each item of data would be wrapped in a bullet-proof coat of encryption and permissions to ensure that it could only be accessed by sanctioned users and applications. This may still be the endgame to which EMC strives, but first it needs to establish itself as a player in the security field. The purchase of RSA certainly offers these credentials. EMC could have gone for smaller companies in the market but this would not have had the same shock factor.
RSA is self-sufficient and has an established customer base. President and CEO Art Coviello’s stewardship of the company has turned it into a more profitable outfit which could probably survive on its SecurID licensing revenues alone. Hoffman says that EMC does not want to integrate and obliterate the company but to let it be semi-independent, spinning off its future innovations into its traditional market as well as fulfilling EMC’s needs.
Service oriented framework
In a recent interview with Computer Weekly, Hoffman said that one of RSA’s attractions is the work it is doing to produce a service-oriented security framework that other products can plug into to provide a service security system. RSA has been developing this as the Identity Management System (IMS) and Hoffman sees this as relevant to content management, virtualization and network management as part of information lifecycle management (ILM).
IMS offers applications and devices a standardized and managed port of call for authentication, authorization and encryption key management. Hoffman summed this up by saying, “It facilitates our ability to build security into everything we make.”
EMC has to grow and develop as a company and the disk drive market is tightly controlled by price. Margins will similarly reduce in the virtualized storage market as the technology matures and EMC has to find a growth market. The security market has grown rapidly over the last few years but there is still room for growth. Storage is where much of the information that drives the company resides and, if EMC can not only protect this in situ but also develop a way to protect it in transit, the profits would be immense.
Maybe the company is on a quest that will be unfulfilled but RSA will remain as a profitable asset. If EMC is going mad, maybe there are companies out there who wish they were crazy, too.