Substance control

DEA uses a PKI system to better better track the flow of certain drugs

Digital certificates

CHALLENGE: Moving the Drug Enforcement Administration's tracking system for Schedule II controlled substances from a paper form (in triplicate with actual carbon paper, if you can believe it) to an electronic format was a project whose time had come. DEA has been using Form 222 successfully since 1970, but sending paper back and forth is expensive and time consuming. Plus, it encourages retailers to keep larger inventories of drugs on hand and undercuts the value of electronic ordering systems that the pharmaceutical industry has been using for Schedule III and IV drugs. Industry wanted to streamline the process, and DEA realized it could benefit from an upgrade as well through improved security and reduced costs.

SOLUTION: DEA chose to enable electronic ordering systems to use digital signatures through a public-key infrastructure. Nortel Government Solutions is now the certificate authority for the Controlled Substance Ordering System, issuing and maintaining certificates for individuals authorized by DEA to order and distribute drugs. CSOS can be integrated into third-party applications to digitally sign order forms, and the signed electronic forms are submitted to DEA in place of paper.

MISSION BENEFIT: Only about 10 percent of the industry has adopted CSOS in its first year of operation, but the savings for those who use it can be great. The cost of a transaction has been reduced from $39 when using a paper form to under $6 when handled electronically. CSOS is faster and more flexible than paper, encouraging retailers to make more small orders, reducing the inventory of controlled drugs that they must secure and account for.

LESSONS LEARNED: DEA found that PKI requires coordinating many moving parts. 'Collaborate with whatever groups are going to be using the system,' said Mike Mapes, e-commerce chief of the DEA Diversion Control Office. 'Without collaboration, it is going to be a difficult process.' The needs of the end users have to be considered when doing the initial requirements analysis, and technology must be found to fill those needs. And as in any project where a manual, paper-based system is moved to an electronic environment, educating the users is important.

The Drug Enforcement Administration is charged with tracking the movement of controlled substances and keeps a particularly sharp eye on so-called Schedule II drugs such as morphine and oxycodone.

'The Schedule II drugs need to have more tracking,' said Mike Mapes, chief of the e-commerce section of the DEA Office of Diversion Control, which sees that prescription drugs do not get diverted into illegal channels.

Tracking of wholesale sales traditionally has been done with DEA Form 222, a paper form in triplicate, imprinted with the buyer's name and DEA registration numbers, which must be filled out by the buyer and supplier, and submitted to DEA.

'They've been used forever, and there hasn't been a lot of diversion or copying because they are printed carefully on high-quality paper,' Mapes said. 'They have worked well.'

Form 222 hasn't actually been used forever'just since 1970. But that's long enough to begin showing its age. The forms are expensive to print, and moving them back and forth between buyer and supplier takes time.

'It creates a lag in the process,' Mapes said.

This discourages pharmacies from making frequent small orders and results in larger stockpiles on the shelves, which can be a security problem.

E-commerce was an obvious answer to these drawbacks, and DEA has responded with the Controlled Substances Ordering System, which enables third-party electronic ordering systems to use digital certificates and e-signatures in place of the paper forms. 'It allows them to deal with their inventory a lot better doing it electronically,' Mapes said.

A straightforward PKI system

CSOS was developed for DEA by Nortel Government Solutions Inc. of Fairfax, Va. 'We provided the means to allow the electronic transmission of orders,' said Dick Thelen, director of Nortel's public-key infrastructure center.

Nortel is the certificate authority for CSOS, enrolling individuals in the controlled-substances supply chain, and issuing and managing the X.509 certificates, which contain the private encryption keys. The same information still has to be supplied to DEA within 48 hours of a transaction for Schedule II drugs, but now it can be sent electronically rather than on paper. This means data from the electronic ordering system can be used.

The system is straightforward. A hashing algorithm is used to create an electronic digest of the electronic order, and the digest is encrypted with a private key. The recipient decrypts the digest with the sender's public key and verifies that the document has not been tampered with by making another hash and comparing the two. This provides both nonrepudiation and integrity of the electronically signed document.

The impetus for the system came from industry, which saw an opportunity for greater efficiencies and cost savings by extending the use of their existing electronic ordering systems to Schedule II drugs. DEA worked with the Health Care Distribution Management Association and the National Association of Chain Drug Stores to develop system requirements.

The tricky part of implementing CSOS was policy, not technology. The program took about four years to develop before going live in August 2005.

'The major challenge was getting the rules changed for electronic submissions,' Thelen said. 'Technically, there was no challenge of any consequential importance.'

'You have to go through the different layers of government and get everyone's consent,' Mapes said. 'The technology was ready before the rule was.'

While the rules were being worked out, Nortel set up a pilot, producing test certificates so application vendors could ensure they worked with the ordering systems supplied to pharmacies and distributors.

'It was designed to be plugged into anybody's ordering system, to deal with the controlled substances,' Mapes said.

The first digital certificate was issued Aug. 15, 2005, and the first transaction was handled on Oct. 3. To date, more than 22,700 certificates have been issued and 208,000 transactions made on the system.

Retailers and suppliers are encouraged to use CSOS, but they are not required to.
'We haven't seen any issues with the transactions,' Mapes said. 'It's working as well as the paper forms.'

But DEA prints about 5.5 million 222 Forms a year, and electronic orders so far make up only a minority of orders placed.

'It was slow to get going at first,' Mapes said, but now some of the chains are coming on board.

The incentive for change exists, though. DEA estimates that the cost of a transaction using a paper form is $39.

'With what we've been able to do with the electronic system, the cost is down to just under $6 an order,' Mapes said.

The $33 saving is split between DEA and the pharmaceutical industry.

'About 10 percent of the industry has adopted it,' Thelen said. 'It's still early.'

He expects that a high percentage of the industry will adopt the system over the next five years. But both Mapes and Thelen agree that there will continue to be a need for paper forms, especially with smaller companies that do not want to invest in electronic ordering technology.

Now that the system has proved itself, some chains are putting the new technology into their development cycles, planning to upgrade to CSOS with their next technology refresh.

'We'd like to see the adoption rate a little higher,' Mapes said. 'But when you're changing a system you've been using for 30 years, it takes some time.'

inside gcn

  • Congressman sees broader role for DHS in state and local cyber efforts

    Automating the ATO

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group