An Interoperable Pathway to DSCSA Authentication and Credentialing
As the DSCSA interoperability deadline approaches, NABP remains focused on critical DSCSA infrastructure and committed to helping align all sectors of the supply chain that support and provide safe medication to patients in the United States. Below, NABP outlines important outstanding DSCSA challenges: industry readiness, the need for complete and accurate data, evolving standards, and issues surrounding pre-November 27, 2023, transaction information. These topics directly affect patient safety and resolving them should be top priority. Also addressed is the ongoing debate surrounding digital credentialing. Because of the technical and financial barriers to adopting any single credentialing solution – and because digital credentials are not required by DSCSA – NABP supports a flexible approach and believes that digital credentials should be optional, not required.
Industry Must Remain Focused on DSCSA’s Statutory Requirements and Patient Safety
With fewer than 10 months until the most challenging DSCSA requirements take effect, there are still a significant number of hurdles for the industry to resolve. This is well known. In December 2022, Food and Drug Administration held virtual public meetings and outlined a wide variety of DSCSA compliance challenges facing the industry. If these issues are not addressed, they have the potential to negatively impact the flow of safe medicines to patients. Some of the bigger concerns include:
- Industry Readiness: While many manufacturers have started making transaction records available to direct customers, most have not. Full Electronic Product Code Information Services (EPCIS) implementation across manufacturer customers is necessary to enable and drive adoption by downstream trading partners. Many distributors report successful data exchanges and the receipt of EPCIS files, but most highlight that more time and work is needed before they can start generating outbound EPCIS transaction records. Because the distributor sector works with both upstream and downstream trading partners, significant challenges remain. Even early adopters are unable to sufficiently test their capabilities due to limited upstream data constraints. Finally, the dispenser sector faces the greatest challenges, because, on the whole, they have the least familiarity with DSCSA. They also have the shortest ramp-up time to implement infrastructure and develop compliance policies.
- Complete and Accurate Data: Organizations that have been steadily working with fully serialized transaction data have noted that significant time is needed to adjust systems and processes. These adjustments include monitoring and standardizing the data to generate accurate transaction data for downstream partners.
- Evolving Standards: The industry has largely aligned on using GS1’s EPCIS standard for sharing transaction data and GS1’s Lightweight Verification Messaging for verification of product identifiers. Both standards have already been updated, and, as they are more widely used, they will likely be revised again. Given the international and domestic scope of these standards, this will be no small feat; it will require consensus-driven adoption of updated standards and their related US implementation guides. Product tracing is anticipated to adhere to similar message standards and implementation guides, but development is ongoing. For the foreseeable future, it is likely many are planning to rely on email or phone calls to conduct tracing.
- Transitory Inventory and Data: A substantial amount, if not a majority of the product in the supply chain on November 26, 2023, which is one day before the effective date of the interoperable deadline of DSCSA, will be missing transaction history for the serialized product. NABP has not seen an interpretation of the law or guidance that requires saleable unit level serialization data to be stored and shared by distributors and dispensers prior to the implementation date. This leads to scenarios where legitimate product will be indistinguishable from potentially suspect product when traced. It will be impossible to compile a full transaction history back to the manufacturer for products without stored transaction information.
These larger areas of basic formatting and data flow still need resolution prior to the more advanced issues of full industry alignment on data security measures.
NABP Supports a Flexible Approach to Digital Credentials
One area that has captured significant attention in industry work groups and conferences during the past few years is data security and whether there is a need for digital credentials based on aligned security standards. To be clear, there is no mention of such requirements within the DSCSA text. The Partnership for DSCSA Governance (PDG) has outlined credentialing requirements in its Foundational Blueprint for 2023 Interoperability under Chapter 1 in a subsection called “Requirements and Recommendations to Support Credentialing and Trading Partner Authentication.” The PDG Blueprint reflects the input of trading partners and solution providers who are active participants in PDG’s voluntary alignment efforts. While PDG’s efforts include roughly three dozen trading partners, that number represents only a small percentage of the impacted trading partners. To put this in context, there are over 100,000 US facilities that comprise thousands of trading partners. Given the technical and financial barriers to adopting any single credentialing solution, the industry needs an approach that engages as many trading partners as possible while providing a path for incremental industry adoption. This allows time for the industry to develop a consensus around the use of a specific technology based on demonstrated value and capability.
To better understand the views of the broader industry, NABP recently conducted an open survey that was completed by 41 organizations across the supply chain, including manufacturers, distributors, dispensers, and third-party logistics providers. The Association also conducted a separate survey of software solution providers, which received responses from 10 DSCSA-focused organizations. The detailed results of these surveys, as well as a manufacturer’s survey that was shared with NABP in 2022, highlight several important issues:
- NABP’s Solution Provider Survey: Based on responses from 10 software solution providers, seven out of 10 solution providers plan to support the use of credentials, but only one out of 10 plans to require credentials. In addition, only one out of 10 solution providers have clients who have committed to using digital credentials.
- NABP’s Trading Partner Survey: Based on responses from 41 trading partners across the supply chain, only two respondents plan to require a digital credential for a regulator request, and only three respondents plan to require a digital credential for a request from another authorized trading partner. In addition, 10 respondents preferred email or another secure electronic channel for verification requests, while 13 respondents preferred email or another secure channel for trace requests. 86% of dispensers responded that they are planning to utilize the NABP-provided network for trace and verification requests. Although this is a limited snapshot of perspectives on the credentialing topic, it is provided by DSCSA-informed participants.
- Genentech Survey: GS1 standard messaging for DSCSA data points toward the use of a location based primary identifier for an organization in requiring the use of an identifier called Global Location Number (GLN). In a survey primarily focused on a subset of the hospital and retail pharmacies conducted by Genentech in early 2022, only 6% of dispensers reported having a known GLN. This is consistent with NABP’s November 2022 trading partner survey, where zero small dispensers reported having known GLNs, and only 50% of larger dispensers reported having known GLNs. This further highlights the risk of adding even more requirements such as digital credentials and more costs for dispensers who have been slow to adopt this basic GLN number needed as a predecessor.
NABP encourages all sector trade organizations to continue expanding efforts to educate on these important topics and to conduct further unbiased surveys of wider industry segments.
In addition to the feedback NABP has received via survey, DSCSA thought leaders have consistently acknowledged that there will only be partial industry participation in digital credentialing. For example, the recently released GS1 Healthcare US Implementation Guideline highlights that “the industry will operate in a hybrid environment” as it moves from current GLN-only based methods. Likewise, PDG highlights that its blueprint represents what it believes to be the optimal approach – but not the only approach – for DSCSA compliance. PDG acknowledges that its blueprint does not intend to, nor can it, prevent “alternate methods of compliance.”
Because the industry has not aligned on the need for – or selection of – a specific technical approach to digital credentials, many will continue using emails, portals, and existing Know Your Supplier/Know Your Customer processes as reliable options. These approaches allow the responder to assess the level of security necessary for a given use case. That level of security could be a bulletproof credentialing system but could also be as low-tech as the call center infrastructure that is used today. The important thing is that the security costs are balanced against the needs of the situation. Because there is currently no clear direction on how the industry should operate when multiple authentication methods are utilized, NABP hopes that solution providers and standards organizations can treat any specific technological approach as optional while the market determines which solution best supports its needs.
The NABP DSCSA Interoperable Network solution announced and demonstrated in late 2022 aims to support this period of transition by allowing responders and requestors to decide, individually, what level of identity assurance they require while factoring in cost and administrative burdens. As business practices become more homogenous, volumes become easier to predict, and other critical DSCSA concerns are resolved, it will make sense to revisit how to best streamline and automate the system. If a technology makes sense for the industry, it will gain market adoption naturally. Forcing a solution today, based on the conditions outlined above, will only make November’s monumental task a near impossible one.
NABP understands there are technical gaps in how any identifier (GLN, state license, Drug Enforcement Administration number, Data Universal Numbering System, etc.) is linked to a specific company, user, or request, and the Association intends to utilize a secure sign-up process that facilitates connecting a request to a secured profile (when needed), as demonstrated in NABP’s November 2, 2022 webinar. NABP’s infrastructure allows connectivity for state and federal licensure or registration numbers, and it harmonizes state regulator trace requests and disparate governmental and industry data sources. Equally importantly, it is designed to be a tool that can help in the period of adoption of GLN or other identifiers as the industry works to bring more alignment.
Although NABP does not object to specifications that make digital credentials optional, it would be a mistake and will negatively impact patient safety to require such credentials. Many dispensers and distributors will not adopt the current specifications and will rely on emails and phone calls to avoid spending time, staff resources, and money on a heightened standard that is not required under the law.
NABP Encourages Industry to Make Their Needs Known
Given the larger demands taking center stage in the ramp-up to DSCSA later in 2023, now is the time for the industry to align on the fact that a flexible and optional approach is needed.
Industry stakeholders can take the following four steps to encourage this flexible approach:
- Request simplicity: Work with PDG and GS1 US to allow all DSCSA messaging, including EPCIS, verification, and product tracing, to continue to flow without unnecessary technical complexity, with or without a digital credential. When in doubt, keep it simple.
- Ask for options: Encourage solution providers to provide options. There are some solution providers that will offer a digital credential as one of several options; however, NABP is concerned that there will be others that force clients to adopt a single approach. Require a flexible infrastructure to avoid a single point of failure.
- Let the market decide: Early adopters should test various technological methods, including digital credentials, and campaign for broader adoption based on a technology’s demonstrated value and merits but avoid rejecting existing infrastructure.
- Work with NABP: Consider working with NABP to allow state regulators and trading partners to leverage a more straightforward and feasible path to interoperability. This will allow the industry to focus on the essential tasks of direct data sharing and better prepare regulators and trading partners for the future of the supply chain.
NABP remains encouraged by the work of industry leaders, but shares the concerns voiced to us regarding trading partner participation and technological adoption in advance of the fast-approaching November 27, 2023 deadline. The Association remains committed to working with the industry to help align all sectors of the supply chain that support and provide medication to US patients. NABP will continue conducting, attending, and participating in industry work groups to support the state boards of pharmacy and the protection of public health.
For information on how pharmacies, or dispensers, can prepare for the Drug Supply Chain Security Act (DSCSA), see our blog post, How Pharmacies Can Prep Now for the 2023 DSCSA Requirements.