An Interoperable Pathway to DSCSA Authentication and Credentialing

As the DSCSA interoperability deadline approaches, NABP remains focused on critical DSCSA infrastructure and committed to helping align all sectors of the supply chain that support and provide safe medication to patients in the United States. Below, NABP outlines important outstanding DSCSA challenges: industry readiness, the need for complete and accurate data, evolving standards, and issues surrounding pre-November 27, 2023, transaction information. These topics directly affect patient safety and resolving them should be top priority. Also addressed is the ongoing debate surrounding digital credentialing. Because of the technical and financial barriers to adopting any single credentialing solution – and because digital credentials are not required by DSCSA – NABP supports a flexible approach and believes that digital credentials should be optional, not required.

Industry Must Remain Focused on DSCSA’s Statutory Requirements and Patient Safety

With fewer than 10 months until the most challenging DSCSA requirements take effect, there are still a significant number of hurdles for the industry to resolve. This is well known. In December 2022, Food and Drug Administration held virtual public meetings and outlined a wide variety of DSCSA compliance challenges facing the industry. If these issues are not addressed, they have the potential to negatively impact the flow of safe medicines to patients. Some of the bigger concerns include:

These larger areas of basic formatting and data flow still need resolution prior to the more advanced issues of full industry alignment on data security measures.

NABP Supports a Flexible Approach to Digital Credentials

One area that has captured significant attention in industry work groups and conferences during the past few years is data security and whether there is a need for digital credentials based on aligned security standards. To be clear, there is no mention of such requirements within the DSCSA text. The Partnership for DSCSA Governance (PDG) has outlined credentialing requirements in its Foundational Blueprint for 2023 Interoperability under Chapter 1 in a subsection called “Requirements and Recommendations to Support Credentialing and Trading Partner Authentication.” The PDG Blueprint reflects the input of trading partners and solution providers who are active participants in PDG’s voluntary alignment efforts. While PDG’s efforts include roughly three dozen trading partners, that number represents only a small percentage of the impacted trading partners. To put this in context, there are over 100,000 US facilities that comprise thousands of trading partners. Given the technical and financial barriers to adopting any single credentialing solution, the industry needs an approach that engages as many trading partners as possible while providing a path for incremental industry adoption. This allows time for the industry to develop a consensus around the use of a specific technology based on demonstrated value and capability.

To better understand the views of the broader industry, NABP recently conducted an open survey that was completed by 41 organizations across the supply chain, including manufacturers, distributors, dispensers, and third-party logistics providers. The Association also conducted a separate survey of software solution providers, which received responses from 10 DSCSA-focused organizations. The detailed results of these surveys, as well as a manufacturer’s survey that was shared with NABP in 2022, highlight several important issues:

NABP encourages all sector trade organizations to continue expanding efforts to educate on these important topics and to conduct further unbiased surveys of wider industry segments.

In addition to the feedback NABP has received via survey, DSCSA thought leaders have consistently acknowledged that there will only be partial industry participation in digital credentialing. For example, the recently released GS1 Healthcare US Implementation Guideline highlights that “the industry will operate in a hybrid environment” as it moves from current GLN-only based methods. Likewise, PDG highlights that its blueprint represents what it believes to be the optimal approach – but not the only approach – for DSCSA compliance. PDG acknowledges that its blueprint does not intend to, nor can it, prevent “alternate methods of compliance.”

Because the industry has not aligned on the need for – or selection of – a specific technical approach to digital credentials, many will continue using emails, portals, and existing Know Your Supplier/Know Your Customer processes as reliable options. These approaches allow the responder to assess the level of security necessary for a given use case. That level of security could be a bulletproof credentialing system but could also be as low-tech as the call center infrastructure that is used today. The important thing is that the security costs are balanced against the needs of the situation. Because there is currently no clear direction on how the industry should operate when multiple authentication methods are utilized, NABP hopes that solution providers and standards organizations can treat any specific technological approach as optional while the market determines which solution best supports its needs.

The NABP DSCSA Interoperable Network solution announced and demonstrated in late 2022 aims to support this period of transition by allowing responders and requestors to decide, individually, what level of identity assurance they require while factoring in cost and administrative burdens. As business practices become more homogenous, volumes become easier to predict, and other critical DSCSA concerns are resolved, it will make sense to revisit how to best streamline and automate the system. If a technology makes sense for the industry, it will gain market adoption naturally. Forcing a solution today, based on the conditions outlined above, will only make November’s monumental task a near impossible one.

NABP understands there are technical gaps in how any identifier (GLN, state license, Drug Enforcement Administration number, Data Universal Numbering System, etc.) is linked to a specific company, user, or request, and the Association intends to utilize a secure sign-up process that facilitates connecting a request to a secured profile (when needed), as demonstrated in NABP’s November 2, 2022 webinar. NABP’s infrastructure allows connectivity for state and federal licensure or registration numbers, and it harmonizes state regulator trace requests and disparate governmental and industry data sources. Equally importantly, it is designed to be a tool that can help in the period of adoption of GLN or other identifiers as the industry works to bring more alignment.

Although NABP does not object to specifications that make digital credentials optional, it would be a mistake and will negatively impact patient safety to require such credentials. Many dispensers and distributors will not adopt the current specifications and will rely on emails and phone calls to avoid spending time, staff resources, and money on a heightened standard that is not required under the law.

NABP Encourages Industry to Make Their Needs Known

Given the larger demands taking center stage in the ramp-up to DSCSA later in 2023, now is the time for the industry to align on the fact that a flexible and optional approach is needed.

Industry stakeholders can take the following four steps to encourage this flexible approach:

NABP remains encouraged by the work of industry leaders, but shares the concerns voiced to us regarding trading partner participation and technological adoption in advance of the fast-approaching November 27, 2023 deadline. The Association remains committed to working with the industry to help align all sectors of the supply chain that support and provide medication to US patients. NABP will continue conducting, attending, and participating in industry work groups to support the state boards of pharmacy and the protection of public health.

For information on how pharmacies, or dispensers, can prepare for the Drug Supply Chain Security Act (DSCSA), see our blog post, How Pharmacies Can Prep Now for the 2023 DSCSA Requirements.