Headshot of Josh Bolin

As the DSCSA interoperability deadline approaches, we at NABP remain focused on critical Drug Supply Chain Security Act (DSCSA) infrastructure and committed to helping align all sectors of the supply chain that support and provide safe medication to patients in the United States. This is the second blog of a series that explores steps we must take before the November DSCSA deadline. Read the first blog about the 4 biggest hurdles to compliance

Over the past few years, one area that has captured significant attention in industry work groups and conferences is data security. Specifically, there is a debate over whether digital credentials based on aligned security standards are needed, even though such requirements are not mentioned in the DSCSA text. Given the technical and financial barriers to adopting any single credentialing solution and the focus of DSCSA 2023 requirements being heavily related to electronic interoperability, the industry needs an approach that engages as many trading partners as possible while providing a path for incremental adoption. We believe a more flexible and risk-based approach would be better and allow adequate time to form a consensus on the use of a specific technology based on its proven value and capability. This thinking is based on similar input collected from our cross-industry pilot and working sessions and prompted us to design such an approach in the development of the Pulse by NABPTM platform launching this summer. 

To better understand the views of the broader industry, we recently conducted two surveys: one for organizations across the supply chain and another for DSCSA-focused software solution providers. We shared the results of these surveys, in addition to the results of a manufacturer’s survey, with industry DSCSA-engaged stakeholders in 2022. The results highlight several important issues.  

Solution Provider Survey  

Out of 10 software solution providers that responded:  

  • 7 plan to support the use of digital credentials,  
  • 1 plans to require digital credentials, and 
  • 1 has clients who have committed to using digital credentials. 

Trading Partner Survey  

We sent an open survey to DSCSA-informed trading partners across the supply chain, including manufacturers, distributors, dispensers, and third-party logistics providers. Out of the 41 respondents:  

  • 2 plan to require digital credentials for a regulator request, 
  • 3 plan to require digital credentials for a request from another authorized trading partner, 
  • 10 prefer email or another secure electronic channel for receiving verification requests, and 
  • 13 prefer email or another secure channel for trace requests.  

Among dispensers that responded, 86% plan to utilize Pulse, our solution for secure and accessible trace and verification requests.  

Manufacturer’s Survey  

Industry leaders are calling for trading partners to build upon GS1’s Global Location Number (GLN) system to meet DSCSA track-and-trace requirements. In early 2022, Genentech conducted a survey primarily focused on a subset of hospitals and retail pharmacies.  

  • Only 6% of these dispensers reported having a known GLN. This is consistent with our trading partner survey, where 0 small dispensers reported having known GLNs, and only 50% of larger dispensers reported having known GLNs. This further amplifies the risk of adding even more requirements such as digital credentials—and more costs—for dispensers who have been slow to adopt this basic GLN number needed as a predecessor for DSCSA related data exchanges.  

In addition to the survey feedback, DSCSA thought leaders have consistently acknowledged that there will only be partial industry participation in digital credentialing. For example, the recently released GS1 Healthcare US Implementation Guideline highlights that “the industry will operate in a hybrid environment” as it moves from current GLN-only based methods but does not suggest a pathway for this partial adoption. Likewise, the Partnership for DSCSA Governance (PDG) highlights that the credentialing recommendations outlined in its Foundational Blueprint for 2023 Interoperability are the optimal approach—but not the only approach—for DSCSA compliance. PDG acknowledges that its blueprint does not intend to, nor can it, prevent “alternate methods of compliance.” 

Because the industry has not aligned on the need for—or selection of—a specific approach to digital credentials, many will continue relying on emails, portals, and existing Know Your Supplier/Know Your Customer processes. These approaches allow the responder to assess the level of security necessary for a given use case and balance security costs against the needs of the situation. We urge solution providers and standards organizations to treat any specific technological approach to digital credentials as optional while the market determines which solution best supports its needs overall. 

Providing a Versatile Option Needed 

Pulse, our own digital platform, aims to support this transition period by allowing responders and requestors to decide, individually, what level of identity assurance they require while factoring in cost and administrative burdens. Keeping in mind that there are technical gaps in how any identifier (GLN, state license, etc.) is linked to a specific company, user, or request, the Pulse network will utilize a secure sign-up process that facilitates connecting a request to a secured user and related profile (when needed). Our existing infrastructure allows connectivity for state and federal licensure or registration numbers, and Pulse will use this foundation to harmonize state regulator trace requests and disparate governmental and industry data sources. Equally important, this tool is designed to help during the adoption of GLN or other identifiers as the industry works on alignment by also providing a method for user validation.   

Since requiring digital credentials will clearly discourage participation in the DSCSA “system of connected systems,” it will negatively impact patient safety and therefore should be optional. Many dispensers and distributors will not adopt the current specifications and will rely on emails and phone calls to avoid spending time, staff resources, and money on a heightened standard that is not required under the law. 

As business practices become more homogenous, volumes become easier to predict, and other critical DSCSA concerns are resolved, there may be a clearer path to streamline and automate processes. The current primary use case for digital credentials is related to indirect trading partner exchanges, which happen a small percentage of the time when compared to direct trading partner exchanges.  When a specific technology makes sense for the industry, it will gain market adoption naturally. NABP has been and remains open to exploring innovative approaches, but industry should be given appropriate time to develop some, and this should be only a secondary priority to ensuring participation, stability and alignment on data that is actually needed to be securely exchanged. A voluntary trading partner directory, which NABP is including in the first release of Pulse, will serve to provide a secure option for those who require it while leaving room for business to leverage existing or explore new methods of securely connecting to trading partners.   

Check back soon for the third blog in this series where we’ll cover actions industry members can take to encourage adoption of a flexible compliance tracking approach. And in case you missed it, read our first blog from this series about compliance hurdles