Using RFID to Effectively Support the Pharmaceutical Supply Chain

To get the most out of RFID, manufacturers must embrace the technology, but understand its limitations. Darren Suprina, chief security architect at Verifichi, offers wisdom and guidance.

By Darren Suprina, chief security architect, Verifichi

1 of 2 < 1 | 2 View on one page
The high value, small product size, and lengthy distribution chains that characterize the pharmaceutical industry present unique security challenges to manufacturers, distributors, and retailers. Radio frequency identification (RFID) technologies represent a rapidly maturing means by which firms can overcome or mitigate several of the challenges inherent in this highly-regulated industry, including concerns regarding transport, information dissemination, and product quality. All parties involved need to be aware of the security benefits — and risks — that RFID tags can provide, so they can make intelligent, effective, and cost-conscious decisions regarding the use of these tags.

The potential

RFID tags may be used to support the pharmaceutical supply chain in a variety of significant ways, including goods transport, information dissemination and quality control. The use of tags to provide positive product identification and counterfeit rejection is well understood, with such validations supporting the automation of inventory management. This is perhaps the most common use of RFID technologies. With a variety of tags of differing capabilities available, coordination between all participants in the distribution chain as to how each product is to be uniquely tagged is critical to avoid confusion.

Electronic tags are like icebergs, with an entire underlying infrastructure hidden behind a few bytes of encoded data. Tags may be used not only to identify a product by type but by serial number as well, and thus support the tracking of individual consignments as they are passed to their ultimate destination. Furthermore, data specific to pharmaceutical shipments (such as compound name, formulation, quantity, potency and use guidance) need not be stored on the tag, but rather referenced by a tag’s unique serial number. The practical upside is a supply chain wherein high-value shipments are not easily identified by transport personnel – the electronic equivalent of a plain, brown wrapper to mask the content from view. The cost of such a system is the additional burden of maintaining and sharing data about product and shipments, which firms responsible for logistics are well adept at handling.

The current generation of RFID tags is used to identify product. This type of tag is, in essence, a statement of identity and placement at the instance in time the tag is read. But these devices are small computing systems, and, looking forward, they may prove to be a useful platform for assuring quality once the product has left the loading dock. Pharmaceuticals, like other ingestibles, generally have limited shelf lives and limitations as to environmental extremes, such as prolonged exposure to elevated temperatures, which must be adhered to. The adoption of RFID tags capable of recording exposure to unacceptable conditions during transport and storage could mitigate the potential impact of transport and storage on product quality, and serve to identify any steps throughout the process that fail to meet the manufacturer’s guidelines.

Securing the product pipeline

It is a certainty that the manufacturer of pharmaceuticals loses a great deal of control over goods once they leave the loading dock. It is also a given that while products are in transit, there exists the potential for challenges to the brands, reputations and bottom lines of these firms. Thievery, counterfeiting, and purposeful alteration represent just some of the negative impacts that RFID may be used to control.

Though not a perfect solution, the current state-of-the-art in radio tag technologies represents the means by which a manufacturer of a product, the resellers of that product, and a public reliant on that same product can be safeguarded. Of course, no RFID tag will prevent a container from being forcibly compromised. But assuming that controls are in place to safeguard goods in transit from such access, or at least to detect such compromise, tags may be applied so as to indisputably identify the product, its source, and possibly the intended recipient as well. Good security is often a combination of physical, electronic, and procedural controls. Understanding RFID’s potential and limitations is key to its successful application.

For example, the information inside RFID tags supporting read-write operations may be vulnerable to alteration, corruption and deletion. The degree to which tags may be tampered with is dependent upon the strength of the system contained within that tag to identify it uniquely and then to enter into a secure conversation (between the tag and the tag reader) without itself compromising tag security. Until a mathematically provable, high-value security can be provided on-tag for such purposes, it is recommended that rollouts of RFID tags be limited to read-only devices.

An important consideration is the impact of “Moore’s Law,” i.e., that the capabilities of computing systems double approximately every 18 months. If this holds true, then the strength of any cryptographic technique used to secure an RFID tag and its data halves at the same rate. The practical downside is the necessity of anticipating that any data security techniques adopted today will be demonstrably less secure next year. Therefore it is important to consider the maximum time a product is likely be in transit and/or spend being warehoused prior to sale. This must be done to ensure that the tag selected does not inadvertently present too great a risk of compromise prior to its replacement by a unit offering support for stronger cryptography.

Tag security can be expressed in terms of the strength of the cryptography employed, the processing speed of the tag and the amount of time it takes to establish a secure channel of communication with that tag. Compromising the security techniques employed in an effort to reduce tag complexity — and cost — yields tags whose mean time to "crack" may be measured in too short a timeframe to be considered secure.

1 of 2 < 1 | 2 View on one page
Show Comments
Hide Comments

Join the discussion

We welcome your thoughtful comments.
All comments will display your user name.

Want to participate in the discussion?

Register for free

Log in for complete access.


No one has commented on this page yet.

RSS feed for comments on this page | RSS feed for all comments