Ready, Fire, Aim !!!

In a recent article by Mark Roberti, founder of RFID Journal, titled "Pharma Ponders a Track-and-Trace System", he speaks of the current "great deal of focus on what state governments and the FDA will require the pharmaceutical industry to do, and less emphasis on the business value of RFID".

It is no secret that the entire RFID industry is salivating at the spectre of RFID as a part of the ePedigree initiative. The amount of revenue this would (and currently does) generate for the RFID industry is ENORMOUS. Imagine all the consulting, tags, readers, databases, etc. that an industry as large as the pharmaceutical industry, and all its associated industries, would need to make this happen. Also consider, if you will, that in the current economic crisis health care is still thriving. The RFID industry has grown rapidly in the past several years, and the current financial climate has put the brakes on RFID projects for many industries who are suffering in this economy. This, of course, is causing several industries to shift their focus on industries which can "pay the bills", and health care is definitely high on the list.

So why is Big Pharma not diving into RFID ? There is no doubt that RFID offers many business benefits to the pharmaceutical industry. Is that not all that really matters ?

The health care industry operates on a level which is vastly different than any other industry. Sure, you have the big financial models found in any industry. You have the same supply chain logistics exercises found elsewhere. You have the CXO's with the big pay, corporate jets, retreats, etc. The health care industry also has the FDA, which can be their best friend or their worst enemy, and the FDA is currently not taking ePedigree lightly. The problem, however, is that nobody really knows, with any degree of certainty, how ePedigree will impact those financial models, big pay, etc.

Drug companies are currently not held liable for counterfeits. Some may argue this, but the reality of the situation is that counterfeits are not something a drug company is LEGALLY held liable for. How does this potentially change when ePedigree becomes the law of the land? If Big Pharma spends billions of dollars implementing an ePedigree system which incorporates RFID as part of the track and trace technology, then what potential liability does Big Pharma, or a distributor, or a pharmacist, or whoever face if someone clones an RFID tag, or infiltrates a database, or if prescription information for your herpes medication is skimmed as you leave the pharmacy?

I firmly believe that one of the major reasons the health care industry is stable is because they have to be so much more careful before they adopt any new technology, system, paradigm, or idea. The impact of a failed health care system is ultimately devastating at a level unseen in most other industries. Not being able to ship drugs, pay suppliers, build devices, and so on means people suffer and die. The court of public opinion does not like it when this happens. The RFID Security Alliance has recently experienced a surge in interest in risk and security among health care professionals interested in adopting RFID. I was recently asked to deliver a presentation for a joint meeting of the ASQ (American Society for Quality) and the ISM (Institute for Supply Management) in February of 2009 regarding security considerations for ePedigree. My presentation emphasizes a need for a clear understanding of security considerations for the UNDERLYING ePedigree system (not the fact that ePedigree is meant to bring security to the drug supply chain), and was overwhelmingly well received by the ASQ Golden Gate Chapter board, who then presented it to the ISM, and arranged for the joint meeting. The health care industry looks to these organizations for guidance as they try to determine the best pathway to success for any initiative. Thankfully, these industries are indeed interested in understanding the potential risks associated with ePedigree implementation.

RFID industry leaders, on the other hand, have all but ignored security and risk management in their quest to make RFID ubiquitous. As the chairman of the RFID Security Alliance, I have first hand knowledge of the VERY FEW organizations who are focusing on RFID security, and can tell you that they do not have industry leaders (i.e. RFID Journal, ABI Research, SupplyScape, etc.) banging on their doors for assistance in secure RFID implementation. I can tell you that most of the industry leaders have essentially politely ignored the efforts of the RFID Security Alliance.

Still, we are making progress. We have gotten the attention of the organizations which matter most to the health care industry, and they are beginning to understand that the RFID industry is not quite as forthcoming with an understanding of security and risk as they should be, and they are beginning to wonder why. We continue to press on.