DEA uses a PKI system to better better track the flow of certain drugs
- By William Jackson
- Sep 20, 2006
The Drug Enforcement Administration is charged with tracking the movement of controlled substances and keeps a particularly sharp eye on so-called Schedule II drugs such as morphine and oxycodone.
'The Schedule II drugs need to have more tracking,' said Mike Mapes, chief of the e-commerce section of the DEA Office of Diversion Control, which sees that prescription drugs do not get diverted into illegal channels.
Tracking of wholesale sales traditionally has been done with DEA Form 222, a paper form in triplicate, imprinted with the buyer's name and DEA registration numbers, which must be filled out by the buyer and supplier, and submitted to DEA.
'They've been used forever, and there hasn't been a lot of diversion or copying because they are printed carefully on high-quality paper,' Mapes said. 'They have worked well.'
Form 222 hasn't actually been used forever'just since 1970. But that's long enough to begin showing its age. The forms are expensive to print, and moving them back and forth between buyer and supplier takes time.
'It creates a lag in the process,' Mapes said.
This discourages pharmacies from making frequent small orders and results in larger stockpiles on the shelves, which can be a security problem.
E-commerce was an obvious answer to these drawbacks, and DEA has responded with the Controlled Substances Ordering System, which enables third-party electronic ordering systems to use digital certificates and e-signatures in place of the paper forms. 'It allows them to deal with their inventory a lot better doing it electronically,' Mapes said.A straightforward PKI system
CSOS was developed for DEA by Nortel Government Solutions Inc. of Fairfax, Va. 'We provided the means to allow the electronic transmission of orders,' said Dick Thelen, director of Nortel's public-key infrastructure center.
Nortel is the certificate authority for CSOS, enrolling individuals in the controlled-substances supply chain, and issuing and managing the X.509 certificates, which contain the private encryption keys. The same information still has to be supplied to DEA within 48 hours of a transaction for Schedule II drugs, but now it can be sent electronically rather than on paper. This means data from the electronic ordering system can be used.
The system is straightforward. A hashing algorithm is used to create an electronic digest of the electronic order, and the digest is encrypted with a private key. The recipient decrypts the digest with the sender's public key and verifies that the document has not been tampered with by making another hash and comparing the two. This provides both nonrepudiation and integrity of the electronically signed document.
The impetus for the system came from industry, which saw an opportunity for greater efficiencies and cost savings by extending the use of their existing electronic ordering systems to Schedule II drugs. DEA worked with the Health Care Distribution Management Association and the National Association of Chain Drug Stores to develop system requirements.
The tricky part of implementing CSOS was policy, not technology. The program took about four years to develop before going live in August 2005.
'The major challenge was getting the rules changed for electronic submissions,' Thelen said. 'Technically, there was no challenge of any consequential importance.'
'You have to go through the different layers of government and get everyone's consent,' Mapes said. 'The technology was ready before the rule was.'
While the rules were being worked out, Nortel set up a pilot, producing test certificates so application vendors could ensure they worked with the ordering systems supplied to pharmacies and distributors.
'It was designed to be plugged into anybody's ordering system, to deal with the controlled substances,' Mapes said.
The first digital certificate was issued Aug. 15, 2005, and the first transaction was handled on Oct. 3. To date, more than 22,700 certificates have been issued and 208,000 transactions made on the system.
Retailers and suppliers are encouraged to use CSOS, but they are not required to.
'We haven't seen any issues with the transactions,' Mapes said. 'It's working as well as the paper forms.'
But DEA prints about 5.5 million 222 Forms a year, and electronic orders so far make up only a minority of orders placed.
'It was slow to get going at first,' Mapes said, but now some of the chains are coming on board.
The incentive for change exists, though. DEA estimates that the cost of a transaction using a paper form is $39.
'With what we've been able to do with the electronic system, the cost is down to just under $6 an order,' Mapes said.
The $33 saving is split between DEA and the pharmaceutical industry.
'About 10 percent of the industry has adopted it,' Thelen said. 'It's still early.'
He expects that a high percentage of the industry will adopt the system over the next five years. But both Mapes and Thelen agree that there will continue to be a need for paper forms, especially with smaller companies that do not want to invest in electronic ordering technology.
Now that the system has proved itself, some chains are putting the new technology into their development cycles, planning to upgrade to CSOS with their next technology refresh.
'We'd like to see the adoption rate a little higher,' Mapes said. 'But when you're changing a system you've been using for 30 years, it takes some time.'
William Jackson is a Maryland-based freelance writer.