Tuesday, July 15, 2008

The Expressway To What?

I recently had the opportunity to attend a meeting titled the "California Express Manufacturer Workshop", which turned out to be a very elegant presentation, held at SAP Laboratories in Palo Alto, California. For those of you unfamiliar with the California Express Solution, it is a conglomeration of six companies with the goal of creating a suite of solutions to get California companies who must comply with the upcoming ePedigree laws up and running as soon as possible. From the site:

The California Express Solution provides a framework for global serialization and ePedigree compliance to pharmaceutical and bio tech manufacturers, wholesale distributors, and contract producers of any size. We will help you prepare for quickly approaching mandates in the United States. The California Express Team includes these member companies: ACSIS, HP, Nosco, SupplyScape, Systech International, and InCode.
The California Express Team is cross-trained on all solution components, works on common issues such as serial number structures and provides educational workshops and webinars to the industry. The team has specific expertise and focus on solutions for SAP customers and the deployment of the SAP enterprise serialization infrastructure.


Being involved in the security industry, and working with RFID companies who are focused on RFID security, I was initially excited about this workshop. After all, I surmised, ePedigree is about securing drugs against counterfeits (at least in part, if not in its essence), and who wouldn't want help in implementing a secure RFID solution? As it turns out, security is one of the last things on the mind of the companies who are being forced to comply. Why is that the case? Because security is not mandated. Sure, if you ask the solution providers questions about security, they will tell you they are implementing it. The minute you start digging deeply into validating the security of the ePedigree solutions, you quickly find that it is more "security theater" than security.

I made several attempts to make contact with SupplyScape, who is at the forefront of this initiative, but my emails have all gone unanswered.

The reality of this entire situation is that making these organizations validate the security of these systems is more of a headache than they wish to deal with, which really means that the California Express Solution is an expressway to yet another failed security solution.

Unfortunately, the companies involved will probably come back to us after they have cost stakeholders BILLIONS of dollars due to a failure of the system, or if the FDA ever requires validation of the security of the system.

Until then, we will try to get the word out.
