FDA, Companies Test RFID Tracking to Prevent Drug Counterfeiting

AIDS Treatment News logo

by John S. James

Summary: The U.S. has an apparently growing problem with fake, counterfeit drugs entering the mainstream drug supply, and being fraudulently sold at full price in regular pharmacies and hospitals; some have no active ingredient, or too little, or substitute a cheap drug for an expensive one. The FDA has asked the manufacturers to develop technology to track all shipments electronically as they move through the distribution chain; currently, RFID (radio frequency identification) is the preferred method for doing so. This article explains what is happening, and why we do not believe that this use of RFID is a privacy threat -- though other privacy issues are among the most important questions we face today.

----------------------------------------

The FDA has asked the pharmaceutical industry for help in testing technology to track drugs electronically through the supply chain to prevent drug counterfeiting -- a huge worldwide problem that mushroomed in the U.S. several years ago, centered especially in Florida at that time. The FDA wants systems in place by 2007, and testing is beginning now. The leading tracking technology at this time is RFID (radio frequency identification). Among the first drugs to try this system are Viagra (Pfizer), Oxycontin (Purdue Pharma), and one HIV drug, Trizivir (Glaxo). For obvious reasons expensive drugs (or those with street value) are most likely to be faked.

Drug Counterfeiting

Several years ago AIDS Treatment News published warnings from the FDA that fraudulent, counterfeit drugs had entered the mainstream U.S. supply. These were sold to patients at full price in standard pharmacies or hospitals (not through unconventional channels like unregulated Web sites). Sometimes the fake drugs had no active ingredient; sometimes a cheap drug in the same class was substituted for an expensive one; sometimes the fake contained the right drug but in a much lower dose; and sometimes the drugs were real, but had been stolen and re-sold. Doctors or patients could be shown how to detect tiny anomalies in the printing on some packages or on the labels of bottles, but other times the fakes were so good that even experts could not identify them without chemical testing. Some of the fake or illegal drugs were not kept at proper temperatures and could have deteriorated chemically -- sometimes baking in trunks of cars in the sun while deals were made in parking lots. No one knows how big the problem is, because many fakes are never detected; if a patient does not respond, that is attributed to the illness or other factors, and no one knows that the patient never received the treatment they thought they were taking.

How could this happen to mainstream medicines that are sold by leading U.S. pharmacies and hospitals? The consensus is that bad drugs enter the supply through the "secondary market" in pharmaceutical distribution -- a system that is mostly legitimate, but has been open to abuse.

U.S. pharmaceutical companies seldom sell their drugs directly to pharmacies or hospitals -- for various reasons, probably mainly because the profit margins for distributors are vastly less than for selling patented medicines. Instead they sell mainly to a few large distributors. In addition there is the secondary market of thousands of small distributors, who make tiny profits by looking for deals where they can buy a batch of drugs and sell it for a little more than they paid for it.

Most of these companies are honest, but temptations occur. For example, somebody struggling to get by on a margin of 2% or less may jump at a chance to buy a drug from another distributor for, say, a third less than the manufacturer ever charges. The low price might possibly be legitimate -- the result of a deal that went bad, leaving someone with stock they needed to unload. But it could also mean that the drug was fake, or stolen. When one deal could solve a business's serious financial problems, there is an incentive not to ask questions.

For more information on drug counterfeiting see the important book Dangerous Doses: How Counterfeiters Are Contaminating America's Drug Supply [1], by Katherine Eban, an investigative reporter who has worked for The New York Times, ABC News, and other major publications; an August 31 Federal indictment and press release featuring some of the same characters [2]; and the FDA's page on the problem [3]. On February 8 and 9, 2006, the FDA will hold an FDA Counterfeit Drug Initiative Public Workshop and Vendor Display near Washington DC, with a major focus on RFID and electronic drug pedigrees [4]; written or electronic comments can be submitted before or after the workshop, through February 24. This workshop is open to the public; online registration is recommended because seating is limited to 400.

Fighting Back

Years ago Congress passed a law requiring that drugs have a "pedigree" -- paperwork that shows the trail of ownership from the manufacturer or from a major distributor, all the way to the pharmacy or hospital that dispenses the medicine. But the law has not been implemented effectively, in large part because distributors have objected. While they raised issues of cost of compliance, the more likely real issue was that the paperwork would reveal business information. If a distributor's customers could find out who its supplier is for each drug, and learn the entire chain back to the manufacturer, they would likely cut out that distributor the next time.

This is not the case with electronic records, where each bottle will have a unique identification number but not the pedigree information itself, which will be kept in databases elsewhere. A pharmacist, hospital, or distributor will not have access to those databases and could not trace the chain back. But the FDA or other law enforcement could trace it -- and talk to everyone who had legitimate custody of that drug, to find where it went from there.

The FDA did not insist on RFID (radio frequency identification -- see explanation below) as the technology for electronic tracing; bar codes could also be used. But RFID has become the leading candidate, for several reasons:

RFID can hold more information. Standard bar codes only identify the manufacturer and the product -- but standard RFID also includes a unique serial number for every bottle or other retail package. If the FDA finds a bad batch, it will know who was responsible for each bottle at every moment since it left the manufacturer -- or who was the last one to receive the drug before the chain was broken.
RFID can quickly read the serial number of every bottle in a case -- instead of requiring someone to unpack the case and scan every bottle's bar code by hand.
RFID will be difficult to counterfeit. Even if criminals forge the tags, they will have no way to add matching records to all the databases in the supply chain. And if they duplicate an existing serial number, or use a non-existent one, law enforcement or the drug manufacturer could easily learn that something is wrong. And there will be plenty of information to investigate where the problem began.

How RFID Works

RFID is the system used in many retail stores to detect store merchandise being carried out without being paid for. It is also becoming very important at this time for managing inventory in retail and other businesses. How does the machine by the exit door tell that store's merchandise from anyone else's? It uses a "tag" added to the merchandise, with a serial number unique to that product (or possibly, unique to that store).

The tag is like a tiny radio broadcasting station. The ones that will be used on pill bottles have no battery or other power source in them, so usually they cannot broadcast anything. But the tag also has a tiny loop of wire that will generate a little electricity when it is in a changing magnetic field. The magnetic field is supplied by the RFID reader, which gives a nearby tag enough power to turn on the transmitter and broadcast its serial number, which the reader then receives.

Magnetic fields do not carry very far, so the tag must be close to the reader for this to work. According to Glaxo, its system will require the pill bottle to be about a foot or less from the RFID reader (or a little more in a specially designed machine that shapes the magnetic field so that it can read all bottles in a case at once as that case moves through a tunnel).

Other kinds of RFID can work at greater distances. One kind uses radio waves instead of a magnetic field to send the power to the tag. Another system has a battery with the tag -- not planned for pill bottles because of the complications and expense of having a tiny battery on every bottle. How far these kinds of RFID can read depends on whose estimate you are looking at, but most of the articles we have read suggest a maximum range of about 100 meters or less, often much less. Close range works best, and for pharmaceuticals at least, this technology is being developed for tracking products at hand, not at a distance.

Comment: Privacy and RFID on Medicines

There are serious privacy issues with RFID (see below). But we have not found problems with its use to track pharmaceuticals, for several reasons:

There is no interest in tracking the drugs after they reach the patient -- only before.
The RFID tag contains no patient information -- only the manufacturer, the product, and the serial number of that bottle or other package. This is written on the tag and applied to the bottle by the manufacturer, who does not know who the patient will be. Then this information can only be read, not altered or added to, by the pharmacy, distributors, or anyone else.
Anyone worried about RFID could ask the pharmacy to put the drugs into a standard pharmacy bottle, which will not have an RFID tag. Or the patient could put the pills into a different bottle and discard the original. Be sure to save any necessary information -- and perhaps remove personal information from the bottle before discarding it.
For drugs that are liquid or otherwise cannot be rebottled, anyone who is worried could block RFID by wrapping the bottle or other package in aluminum foil; this will stop the radio signal from getting out, no matter what kind of RFID is used. We do not think doing so will be necessary, especially if an RFID reader has to be within a foot of the bottle to pick up any information. But people should know that they have this option if they are concerned.

The small privacy risk of RFID on medicine bottles must be balanced against the considerable risk of drug counterfeiting -- which has been substantial for years, and appears to be growing despite new legislation.

Other RFID Issues

While we are not worried about RFID for tracking medicines and preventing counterfeiting, other uses do raise serious issues. We are particularly concerned about tags designed to be injected into humans and remain permanently. This is not science fiction; such a device has already been approved by the FDA and is in use.

The first uses of RFID injected into people are likely to be important and beneficial -- especially preventing medication errors in hospitals (although bar codes worn on the wrist already do this, much less intrusively). But next, RFID in people will be required for entry into certain rooms and buildings, and those who do not accept it will be barred from increasingly large areas of the society. Finally, RFID tags will be in almost everybody, and readers in public areas will keep track of where people are when, and who associates with whom.

And for an overview of security issues with RFID in passports, see http://www.schneier.com/crypto-gram-0511.html#1 Security expert Bruce Schneier noted that an early State Department proposal could have allowed terrorists or kidnappers to identify Americans on the street by electronically reading their passports -- or rig a bomb to explode if four Americans were nearby. Most of those passport problems have been fixed, thanks to the outcry of privacy and security experts -- but there could be additional undiscovered flaws. The new electronic U.S. passports could start being used in late 2006.

Privacy and Fear in a Computerized World

Privacy has been in the news, but badly explained in the press. People think that if they have nothing to hide they have nothing to be concerned about. But the real issue in the U.S. today is not wiretapping. It is how to restrain a government that has already come close to claiming the right to imprison, torture, and kill anyone it chooses, U.S. citizens or otherwise, for any reason or none, with no real oversight or accountability -- in time of war, which now means any time, forever.

Computerization of everything creates new threats and endless possibilities for abuse, including milder punishments. Even Senator Kennedy had considerable trouble getting off a no-fly list, in March 2004 [5]. Of course it was a mistake. But if Kennedy had difficulty, imagine yourself or any non-senator trying to get such an error corrected. There is no due process for fixing a mistake, maybe no process at all. And already it can be a serious crime to tell anybody, even your lawyer, your spouse, or a government official, about a government request to turn over records. So you cannot discuss such problems with anyone, let alone organize or ask for support.

Multiply that many fold and consider the result if every interaction with officialdom turned out badly for you -- planes, trains, taxes, jobs, licenses and permits, schools, buying or renting real estate, financial accounts, credit, Social Security, medical care, insurance, IDs and passes, computers, telephones, voting, dealing with police, correcting errors in records, postal mail, even email that disappears without a trace based on its content or your relationships. Fixing each problem would be difficult or impossible. And anyone who hired you, or spoke out on your behalf, would know it could happen to them, so you would also struggle to keep problems secret. Just maintaining everyday life and staying out of additional trouble could become a full-time job or more.

You would have been targeted not for any particular act, but for the whole complexion of your life, including your associates and their associates. There would be no notification, no appeal -- and no one to appeal to, since no human being anywhere would know why you got thumbs down. The full explanation could involve millions of records and be impossible for anyone to understand -- and officials would not be allowed to reveal what they did know. Law enforcement often works by targeting individuals or groups; as in any field, people often form impressions and then selectively collect supporting information. So far, the harm to the innocent has been limited somewhat because every act requires human effort, and because societies have partly adjusted to the problem by living with it for thousands of years.

Computer targeting and punishment will certainly occur; it already happens routinely in primitive, often accidental ways, and there is no bright line to restrain it. Sometimes all you know is that the clerk or automated voice on the phone could not fix your problem. Computerization could multiply the targeting problem much like junk mail multiplied from paper to spam. There is little community experience with machines that know your official records much better than you ever will, know your associates' records equally well, and spend 24 hours every day exploring connections and looking for bad guys of many sorts -- machines that can and necessarily will act against people without human knowledge or oversight, yet could not possibly operate without political influence.

An unrecognized root of the culture wars is that the increasingly automated global economy no longer needs everybody. Middle-class jobs are going away. So thousands of people are shipped to prison, to the underclass, to war, to psychosis, to depression, to drug abuse, to a permanently failing struggle to get by, or to other kinds of degradation. Many are not going to make it; their failure is increasingly not only unlucky or accidental, but also systemic. The musical chairs competition gets worse as folks compete to escape such fates and leave them to others. Racial, ideological, or cultural tests move the consequences to out-of-power groups, selectively sparing others. Or look at the increasing demands, pressures and intrusions in children's lives, as parents fight to get their children an increasingly scarce toehold on middle-class life.

We are dangerously close to a society of fear, where people must watch every move every time to protect their access to a normal future. Permanent fear is not a way to live, not a legacy to leave to future generations. Privacy gives an oasis, places to rest, where Big Brother does not look and remember everything forever.

More importantly, privacy is becoming a forum for many issues around developing controls against government, corporate, and other abuses, so that we do not live in fear, in a world of revolutionary data technology that people will choose to use.

References

1. Dangerous Doses: How Counterfeiters Are Contaminating America's Drug Supply, by Katherine Eban. A Web site about the book, http://www.dangerousdoses.com/, has additional information, but little of the content or flavor of the book itself. The book shows in detail how drug counterfeiting happens, how the bad drugs get into mainstream distribution channels, and how a few dedicated people brought the problem to wider public attention.

2. Several links, including a press statement and the 52-page indictment itself, are at
http://www.usdoj.gov/usao/mow/news2005/news.html#august2005

3. U.S. FDA, Combating Counterfeit Drugs, http://www.fda.gov/counterfeit/

4. FDA Counterfeit Drug Initiative Public Workshop and Vendor Display, http://www.fda.gov/rfidmeeting.html

5. Sen. Kennedy Flagged by No-Fly List, Washington Post, August 19, 2004, page A1,
http://www.washingtonpost.com/wp-dyn/articles/A17073-2004Aug19.html (registration required).

----------------------------------------

Return to home page: www.aidsnews.org

Free subscription to announcements online: send a blank email to subscribe@aidsnews.org -- and reply to the email request from Yahoo to confirm your subscription. You will receive about five emails or fewer per month and can leave the list at any time. Or just visit www.aidsnews.org to read the articles -- no subscription or registration required.