Securing Digital Interactions Within the Pharmaceutical Supply Chain With Spherity

Enacted in November 2013, the Drug Supply Chain Security Act (DSCSA) mandates the development of an interoperable electronic system that will enhance the safety and efficiency of the US pharmaceutical supply chain, and ultimately protect patients’ health. Achieving this milestone will require US pharmaceutical trading partners to establish that they only interact with other trading partners who have been properly authorized. This means each trading partner must hold a valid state-issued license or a current registration with the Food and Drug Administration (FDA).

As of early 2022, U.S. pharmaceutical supply chain actors have no established mechanism to validate their counterparty’s trading authorization. With more than 60,000 active trading partners involved in the US Life Sciences industry and stakeholders’ aspiration of responding to data requests in under one minute, the need for an electronic solution that enables regulatory compliance by 2023 is pressing.

Under DSCSA, industry stakeholders expect trading partners to provide a response to a product verification request within 1 minute of receipt of the request.

How pharmaceutical supply chain interactions take place today

As with every supply chain, the pharmaceutical industry has many stakeholders with different needs, including several types and tiers of suppliers, some well-known manufacturers, small and big wholesalers, and a large number of dispensers. There are also several types of interactions and business cases happening concurrently within the pharmaceutical supply chain.

To conceptualize a solution, Spherity chose the “saleable returns” process, which involves the re-sale of legitimate products that have been returned to the seller, e.g. a wholesaler. U.S. pharmaceutical supply chain actors use a routing system provided by so-called Verification Router Services (VRS) to manage acceptance, formatting, and delivery of verification requests and responses for saleable returns based on the GS1 Lightweight Messaging Standard.

A considerable challenge in such business interactions is to be sure about the true identity of previously unknown entities (indirect trading partners) because there is no physical or digital proof of a trading partner at the other end of the digital interaction.

To address today’s challenges in identity authentication of trading partners and the industry’s aspiration of an automated response within 1 minute, Spherity has released CARO, a cloud-based Software as a Service (SaaS solution applying decentralized identity technology to the VRS solutions operating in the U.S. pharmaceutical market. API-facilitated integration of VRS providers allows for little to no changes to existing processes and avoids integration efforts by trading partners.

Spherity’s Credentialing Service CARO – Integration of decentralized identity SaaS with existing business logic leveraging established standards

Integrating decentralized digital identity with existing business processes

The four key components of this solution comprise:

1. Supply chain actors
2. Regulatory trading authorization
3. Existing VRS already in operation
4. GS1 Lightweight Messaging Standard used by VRS

Spherity’s CARO is based on W3C standard Decentralized Identifiers (DID) to allocate a unique ID to a business entity. By leveraging this decentralized identity technology, a trading partner is able to prove their organizational identity and trading authorization using so-called verifiable credentials (VC). The integrated VRS, that acts on behalf of the trading partner, can use those VC within their message exchange to facilitate product verifications for saleable returns.

Spherity’s Credentialing Service CARO enables trading partners to communicate their own authorized status electronically in every supply chain interaction in an efficient, cryptographically secure, and machine-verifiable way. CARO minimizes the complexity of DSCSA Authorized Trading Partner (ATP) compliance and enables real-time automated verifications in direct and indirect business interactions.

CARO is already integrated with major pioneering VRS providers as well as the forward-thinking regulatory compliance expert Legisym. The latter performs due diligence on trading partners’ licenses and other required documentation in a one-time on-boarding process. Legisym then also acts as a Credential Issuer by transforming the inspected evidence into digital VC that are the foundation of the automated ATP status exchanges between training partners. Any issued VC are stored in CARO’s secure digital wallet. Using this technology enables US pharmaceutical supply chain actors to interact with digital trust.

Spherity’s credentialing solution gives companies a way to prove who they are in the digital sphere using signed, sealed, and verified data with an easy to adopt SaaS solution.

Spherity’s solution follows the Open Credentialing Initiative (OCI) specifications. The Open Credentialing Initiative was co-founded by Spherity and supports the industry in standardizing credential issuance processes, digital wallet conformance and interoperability among service providers.

Decentralized Identities and Verifiable Credentials are managed within the AWS cloud

Forgoing uptime and security is not an option when providing a solution to the US Life Sciences market. With AWS, Spherity is able to leverage a wide variety of technologies and services to provide response times to trading partners in under a second for every product verification request.

CARO allows trading partners to manage the VCs connected to their DIDs for authentication purposes as described. These VCs must be stored in a secure way. AWS supports Spherity with their Multi-Tenant AWS Key Management Service (AWS KMS) to manage keypairs for DIDs and also helps to save VC data securely at REST.

To sufficiently handle all incoming and outgoing requests, scaling is guaranteed through Amazon Elastic Kubernetes Service (Amazon EKS) for the entire Credential Service within their parts to provide trading partners, credential issuers, and VRS providers fast processing.

Long-term storage is also essential for Spherity to fulfill regulatory requirements for conserving credentials and verification transaction records for as long as needed. To this end, Spherity could leverage multiple options to store transaction reports for our customers for multiple years with Amazon Simple Storage Service (Amazon S3) with S3 Glacier as an example.

Spherity Credentialing Service – Uses AWS components to run a secure and performant service for the U.S. pharmaceutical industry

Spherity’s Credentialing Service is designed in compliance with ISO/IEC 27001 and GDPR concepts. The service solution is fully aligned with Open Credentialing Initiative (OCI) specifications. The SaaS solution has proven its high security standard and vulnerability resistance by running through SAP’s cloud solution certification program, becoming SAP-certified, and passing a security test by Veracode with flying colors.

Conclusion: Adopting decentralized identity technology for establishing trust and data security

There are many key takeaways from Spherity’s use case that startups may apply to their own operations.

• Fast and easy adoption – It is crucial to approach the implementation of any new process or solution with the overall intention of fast and easy adoption. This means integrating with as many existing business processes as possible, rather than a start-from-scratch approach. This will not only reduce internal lag times around training and education, but it will also minimize opposition from different business stakeholders.
• Ecosystem of innovators – Building an ecosystem of stakeholders who are aligned and willing to adopt the technology is necessary. One innovative stakeholder alone attempting to adopt decentralized identity technology creates value in very few use cases. To ensure interoperability of your solution, build on open standards to avoid any vendor lock-ins and work with other interoperable digital identity solution providers to enable the ecosystem to flourish.
• Trusted and secure digital interaction – Building on open and global standards (W3C-specified Decentralized Identifiers (DIDs), Verifiable Credentials (VCs), and GS1 Messaging) within AWS Cloud allows companies to empower business relations in a secure and tamper-proof way. Decentralized technology establishes a network effect of trust and data security between business partners within the ecosystem.

Learn more: AWS KMS, Amazon EKS, Amazon S3

Niclas Mietz is a Senior DevOps Engineer with a focus on Distributed Ledger Technologies. He has been building and running different technology stacks for over 10 years. At Spherity, his curiosity encourages customers and engineers to unlock the value of decentralized identities and verifiable credentials on different platforms. If you want to show him something, be sure it has an API and is tested. Follow him on Twitter @solidnerd.

About Spherity
Spherity is a German software provider bringing secure and decentralized identity management solutions to enterprises, machines, products, data and even algorithms. Spherity provides the enabling technology to digitalize and automate compliance processes in highly regulated industries. Spherity’s products empower cyber security, efficiency and data interoperability among digital value chains. Spherity is certified according to the information security standard ISO 27001.