Falsified Medicines Directive leads the EU Commission to data backdoor

A student issue analysis for MIS41240 at University College Dublin.

Written by Gerard Rogers, Summer 2019. Dublin.

The counterfeit drugs market in the EU is a significant issue for the health of EU citizens. After years of debate, deliberation and conjecture, the European Commission for Regulation has produced a Falsified Medicines Directive which provides the basis for a number of legislative implementation measures to be carried out by the Commission, aligned directly to the pharmaceutical manufacturing supply chain and the sale of drugs within Europe. In particular, the act amends Directive 2001/83/EC, which outlines the requirements for medicines for human use.

The impact of this directive is that prescription medicines, and some non-prescription medicines, will carry a unique identifier (UI) encoded in a 2D barcode, together with an anti-tampering device (ATD), on the product packaging, so that each pack can be authenticated and identified against its product information and marketing authorisation.

The directive needs a mechanism to authenticate UIs, and that mechanism must be a central system which stores the identifiers so that each pack can be verified as the directive requires. The European Medicines Verification Organisation (EMVO) has taken responsibility for advancing the formation of the European Medicines Verification System (EMVS).

How does it work? The manufacturer's data matrix code, which incorporates a UI, is scanned, checked and verified for authenticity against a national repository (connected to the European Hub operated by EMVO). If the UI on the package matches the information in the repository, the package is decommissioned and supplied to the patient. Otherwise, if there is a warning related to this package, the system highlights it as an exceptional event and the package is not supplied to the patient. Figure 2 shows the product flow from manufacture to consumption. Sharp Packaging Solutions, a global player in pharmaceutical packaging, can be seen explaining the challenges of the process.
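The verification flow described above, as an added illustration that is not code from EMVO or the EMVS: a pharmacy scan parses the four UI fields carried in the GS1 DataMatrix (product code, expiry, batch, serial), looks the pack up in a repository, and either decommissions it or raises the exceptional event. The repository contents, GTIN and serial numbers are constructed sample values, and the state model is simplified to active/decommissioned.

```python
import re

# Pack states: a pack stays "active" from manufacturer upload until a
# point-of-supply scan decommissions it. (Simplified; the real EMVS has more.)
ACTIVE, DECOMMISSIONED = "active", "decommissioned"

# GS1 application identifiers in human-readable element-string form:
# (01) GTIN, (17) expiry YYMMDD, (10) batch, (21) serial.
AI_RE = re.compile(r"\((\d{2})\)([^(]+)")


def sample_repository():
    """Constructed national-repository snapshot keyed by (GTIN, serial)."""
    return {
        ("09501101530003", "SN0001"): {"batch": "ABC123", "expiry": "251231", "state": ACTIVE},
        ("09501101530003", "SN0002"): {"batch": "ABC123", "expiry": "251231", "state": DECOMMISSIONED},
    }


def parse_ui(element_string):
    """Extract the UI fields from a scanned element string; reject incomplete codes."""
    fields = dict(AI_RE.findall(element_string))
    try:
        return {"gtin": fields["01"], "expiry": fields["17"],
                "batch": fields["10"], "serial": fields["21"]}
    except KeyError as missing:
        raise ValueError(f"UI is missing GS1 AI {missing}")


def verify_and_decommission(element_string, repo):
    """Return ("supply", None) if the pack may go to the patient, otherwise
    ("alert", reason) for an exceptional event that must be escalated, not supplied."""
    ui = parse_ui(element_string)
    record = repo.get((ui["gtin"], ui["serial"]))
    if record is None:
        return "alert", "unknown serial"            # never uploaded by a manufacturer
    if record["batch"] != ui["batch"] or record["expiry"] != ui["expiry"]:
        return "alert", "batch/expiry mismatch"     # printed code disagrees with upload
    if record["state"] == DECOMMISSIONED:
        return "alert", "already decommissioned"    # same serial presented twice
    record["state"] = DECOMMISSIONED                # one-way transition at supply
    return "supply", None
```

The "already decommissioned" branch is the check that catches a serial being reused on a second pack, which is why the repository must be central and its state changes must be trustworthy.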

It must be noted that since February 2019 all EU countries must follow the Falsified Medicines Directive in order to sell prescription medicines and some non-prescription medicines.

There is an underlying concern for many agencies, pharmaceutical manufacturers, distribution partners and pharmacies over the confidentiality, integrity and availability of the data stored by the EU Commission in the EMVS.

Data is transmitted to the EU Hub of the EMVS over HTTP protected by Secure Sockets Layer (HTTPS) by all parties involved in the medicine supply chain; however, the payload itself is plain text and is not hashed on transmission, so it relies entirely on the transport layer for protection. EMVO stores this data for validation; however, questions now arise from national medicines verification organisations about the confidentiality and availability of the data. Figure 3 outlines the architecture for how data is transmitted between all parties in the supply chain.

As demonstrated by Sharp Packaging Solutions, the primary type of data that concerns companies is the volume of drug sales, should it become available to organisations or countries with a self-serving or political bias. For example, the EU Commission could view data relating directly to a particular drug's price and the sales volumes already purchased within the EU, then use that information to guide and influence the 27 EU member states to fix the future buying price of that drug. The outcome would be positive publicity for current governing parties, which may also affect future citizen voting polls.

Corporate espionage is a valid risk to the confidentiality of the data held within the EU Hub. Pharmaceutical companies require drug patents in order to guarantee long-term revenue returns on drugs they have put through costly research and development. If a competing pharmaceutical company obtained sales data through espionage from the EU Hub, it would give them an early advantage and may encourage them to produce a generic drug to compete at a cheaper cost with the existing patented drug. The EMVO database would contain the information of all registered prescription and some non-prescription drugs; if this information were obtained by malicious actors, they could quickly identify which products were not within the database and then concentrate their efforts on counterfeiting those products, since their packs would not be checked against the repository.

The risk to availability of services from the EU Hub arises because it is a centrally located system with web-facing portals, and so it is susceptible to malicious attacks such as denial of service and distributed denial of service.

All participants in the EU Hub must take measures to protect the data from being used inappropriately. Critical preventative measures must be implemented. It is not just a technology issue; we also need to address the people and process actors that can affect this environment. We know that the transmission of data is secure to an extent through the use of Secure Sockets Layer; however, having outlined the risks, the following technical solutions should be considered.

Blockchain storage products should be deployed, using cryptographic signatures on documents or files to guard against tampering and smart contracts to ensure that certain transactions only happen under agreed conditions. External intrusion detection systems and intrusion prevention systems should be deployed to cater for any DDoS attacks. Consideration should also be given to hashing specific data before it enters the EU Hub, and a secondary, cloud-based disaster recovery (DR) site should be implemented in line with availability best practices.

The EU Commission should also allow for regular external audits, including security penetration testing of its environment, with the results shared with all concerned parties. Pharmaceutical companies also need to take responsibility for their data within the EU Hub and regularly perform site audits of the EU Hub covering compliance, availability and confidentiality. If an audit produces any findings, they need to be actioned promptly according to their criticality and impact.

As the Falsified Medicines Directive is still relatively new to all concerned, careful oversight and controls need to be implemented so that these risks do not materialise. The EU Commission and the pharmaceutical supply chain members must work together so as not to create a backdoor for the inappropriate use of this data and future data, which can impact patients' lives.