The 5 Myths of RFID

For well over two years now, every single bottle of OxyContin that's bound for either Wal-Mart, the world's largest retailer, or US-based H.D. Smith, a midsize drug wholesaler, has been slapped with a special label that's hailed as the solution to the world's counterfeit drug problem.

Hidden inside each ordinary-looking label is a radio frequency ID tag that is supposed to allow US-based Purdue Pharma, manufacturer of the controversial painkiller, to track the drug's progress throughout the supply chain — regardless of how many pills are poured into how many bottles and stacked into how many cardboard boxes whizzing by on a conveyor belt. The idea is that distributors could quickly scan all their bottles of OxyContin, learn the complete provenance, or "pedigree", of each one, and reject any that could not be traced back to Purdue.

"It's efficient, it's accurate, it does what we want it to do from a security perspective, and it doesn't bog down the distribution system," says Aaron Graham, VP and CSO of Purdue Pharma, adding that the infrastructure investment for the pilot project was $US2 million and each tag costs between 30 and 50 cents.

If what Graham is saying sounds familiar, right down to the numbers he cites, that's because he's been saying the same thing for years. Yet even now, he can offer remarkably little detail about how the system has prevented counterfeit OxyContin from being sold. Purdue, after all, has never had a problem with counterfeit OxyContin. What the company has had instead is a problem with stolen and diverted OxyContin, along with pressure from the government to get better control over a highly addictive drug that has received much more media attention for its abuse than its use.

Indeed, Graham acknowledges that the main security advantage of Purdue's RFID system is that investigators can scan a seized bottle or box of OxyContin and pinpoint exactly where it came from. To really stop counterfeit drugs, Graham says, would require a central information clearinghouse where every distributor and pharmacy checked and validated the pedigree of every drug — a far more complex task than tracking one type of drug going to two different outlets, as Purdue is doing.

The need to prevent counterfeit drugs from being introduced into the legitimate supply chain is acute. The World Health Organization has said that counterfeit drugs represent more than 10 percent of global sales, and they are responsible for some thousands of deaths each year. The problem is that decades after RFID technology was invented, and years after the US Food and Drug Administration started touting it as the most promising way to authenticate drugs, RFID technology as an anti-counterfeiting technology remains just that: "promising" — yet far from proven.

Even as companies like Purdue continue to test the use of RFIDs, it remains unclear whether the technology can ever live up to its promises — not only in the pharmaceutical industry, which is at the leading edge of testing this much-hyped technology, but also anywhere else. The reasons why go far beyond the technology, standards and privacy issues that are most often raised, and into the very nature of what RFID simply is and isn't, and what it will or won't ever be able to deliver to any anticounterfeiting program.

"We see this in other areas of security," says Roger Johnston, team leader of the US Vulnerability Assessment Team at Los Alamos National Laboratory, who has done extensive research on RFID technology and concluded that it may not offer any better security than ordinary barcodes. "Providing good security is a tough challenge, and people are looking for silver bullets," he says. "The problem is that if you simply take an RF tag, slap it on and think somehow it'll magically provide security, you'd be quite mistaken."

Why? Here are five reasons. Behind each myth, as you'll see, is a much smaller dose of reality.

Myth 1

RFID tags are anti-counterfeiting devices.

Call up most pharmaceutical companies and ask to speak with the group most involved in testing RFID technology, and chances are good the security department will not answer the phone. Consider the RFID efforts currently under way at the US's three largest drug wholesalers. At McKesson, the RFID initiative falls under the pharmaceutical distribution business. At AmerisourceBergen, the point person is in "integrated solutions", which encompasses the testing and implementation of new technologies. And at Cardinal Health, the task falls to health-care supply chain services, which is part of operations. That's because an RFID tag is first and foremost a tracking device, not a security one.

Even the manufacturers of the RFID tags themselves, Johnston likes to grouse, are not security companies. "They're made by semiconductor companies for inventory purposes," he says.

True, an RFID tag has potential as a security device, when it's incorporated into a larger scheme. But it's not an anti-counterfeiting device in the way that, say, a hologram label is supposed to be. An RF reader cannot simply read information on an RF tag — even an encrypted one — and provide its owner assurance that the product is authentic. RFID technology is either a way of facilitating the documentation required to create a drug's electronic pedigree (the record of a drug's journey through the supply chain), or a component of a much more complicated system known as track and trace, which involves communication with the drug's source, or someone who knows it. Which brings us to point number two.

Myth 2

RFID technology is necessary to track the movement of legitimate drugs.

At AmerisourceBergen, a complex track-and-trace pilot project is under way that would allow the $US61 billion distributor to check the source of any drugs that pass through its distribution facility in California. Funny thing is, RFID technology is just one tiny piece of the project — the one that (hopefully) makes it operate quickly, rather than securely. The component of the technology that actually authenticates drugs is a registry handled by VeriSign, which is known mostly for its digital certificate products.

Shay Reid, AmerisourceBergen's vice president for integrated solutions, explains. Drugs that have RFID tags are read with an RF reader, but the crucial part from a security standpoint is what happens next: two-way communication. "If I am the rightful owner, and VeriSign can verify that I did receive [the product] from an upstream trading partner, then they'll give me a certification number that allows me to further distribute the product downstream," Reid says. "If they can't verify that I am the rightful owner, then the transaction will be refused."

Here's the catch: Typically, products that are marked with RFID tags are also marked with a 2-D barcode, which is similar to a traditional barcode but carries more information. "The 2-D is the backup," Reid explains.

That's because the most common complaint about RFID tags is that they're flaky. Read rates as low as 70 percent have been reported, and accuracy can be especially difficult when liquid medicine or foil wrapping is involved. (To be fair, RFID technology has come a long way in the past couple of years, and tests of the latest tags are much more encouraging. Cardinal Health reports that its latest tests showed 99 percent accurate read-rates and no ill effect from liquids or foils.)

For now, however, the 2-D barcode is generally considered a more reliable marker than the RFID tag — albeit one that takes longer to read, because it can't be scanned through packaging material using radio waves.

The crucial point of either marking mechanism is that each container be labelled with a unique, serialized number. That way, once bottle #1894892432 has been received by a pharmacy, a bottle with #1894892432 can't also be authenticated by another pharmacy. Otherwise, counterfeiters could simply churn out fake RF tags — or 2-D barcodes, for that matter — as easily as they churn out fake drugs, and there would be no central clearinghouse identifying the duplicates.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

• Bookmark this page
• Share this article
  •  
  • facebook
  • slashdot
  • digg
  • Reddit
  • stumbleupon
  • linkedin
  • twitter
• Got more on this story? Email CIO
• Follow CIO on twitter

• Share
  Share this article

  •  google+
  • facebookfacebook
  • slashdotslashdot
  • diggdigg
  • RedditReddit
  • stumbleuponstumbleupon
  • linkedinlinkedin
  • twittertwitter
• print
• email
• Bookmark