Bob Celeste is the Founder of Center for Supply Chain Studies, a neutral nonprofit organization, hosting an online forum for team exploration and collaboration. The organization closely monitors the healthcare industry and shares insights on compliance issues, challenging topics, emerging technologies, and trends with its members.
1. Tell me about your story, journey to create the C4 Supply Chain Studies.
For many years, I worked at GS1 US standards body. GS1 is a not-for-profit international organization developing and maintaining its own standards for barcodes and the corresponding issue company prefixes. The best known of these standards is the barcode, a symbol printed on products that can be scanned electronically. GS1 has 116 local member organizations and over 2 million user companies.
I helped lead standards for the healthcare sector, developing standards and guidelines with the industry and tracked emerging laws in states and at the Fed level that affected the supply chain.
After I left, I still had a passion for helping make the pharma supply chain more efficient. I developed e-simulation software to simulate supply chain. My work garnered a great deal of interest and so I formed the Center for Supply Chain Studies as a 501c6 non-profit, with the goal of doing studies and pilots and publishing them.
In 2021, I worked with the U.S. Food and Drug Administration (FDA) and facilitated a series of pilots. Through the Federal Drug Supply Chain Security Act (DSCSA), there was a realization that two primary business interactions would need to be done electronically between companies that had trading relations and companies that have no direct trading relationship. The DSCSA requires (under certain circumstances) trading partners to verify product information (the NDC, serial number, lot number and expiration date) electronically. It also requires trading partners to have the systems and processes necessary to trace the ownership of products.
As you know, the Healthcare Supply Chain has many different stakeholders; but they didn’t all have existing relationships, so we saw the need for stakeholders to have the capability to PROVE the identity of each other in these new interactions. By law, their partners (even ones they didn’t have relationships with, needed to be authorized trading partners (currently holding a State license or registration with the FDA). We did a study around it, and several companies came together to do a pilot in a parallel effort to our study. Companies included Merck, Cardinal Health, Novartis, J&J, BMS, AbbVie, Atlantic Biologicals, Endo Pharmaceuticals, Fresenius Kabi, Gilead, Lilly, Kaiser Hospitals, SAP, rfXcel, Sperity, and HDA (Healthcare Distribution Alliance).
This work resulted in the incubator, Open Credentialing Initiative (OCI), where Web 3.0 standards were to be used. Several specifications have been developed through the OCI.
2. How do you see vendor credentialing for hospitals change as technology changes
In an online environment, the one piece missing is securely verifying who you are interacting with. In January 2002, the Executive Office of the President published a memorandum setting forth a Federal zero-trust architecture strategy requiring agencies to meet specific cybersecurity standards and move to a trustworthy secure means of doing business on the internet. We know there are many reputable players; however, there are also bad actors, and they could exist and have nefarious intent toward the legitimate supply chain. In short, all organizations transacting business online are facing this cyber security issue.
In terms of digital credentials, the question is, how can you truly trust and audit the credentials in a secure, interoperable way. We have proven that these verifiable digital credentials work very well. They could enable ANSI NEMA standards in digital form, encrypted, secure digital credentials.
The big change in what we have today is we are now able to authenticate and verify the identities of individuals and companies we are digitally interacting with. The digital, encrypted trail is auditable and verifiable. And because of crypto, it can be accurately auditable and verifiable years later to support investigations.
3. Tell me about your pilot, Novartis’ involvement, and others?
When we went into the pilot, we thought we were only solving for “Authorized Trading Partner” — are they a manufacturer/wholesaler/dispenser with the appropriate state license or FDA registration. But in electronic interactions, you first need to prove that you are who you say you are. We were working with pharmaceutical stakeholders, and they had the business documents at the large organization level down to community pharmacists. We now needed to digitize that proof of identity and ATP status. The root of trust was the credential and the conformant due diligence performed by the credential issuer.
We needed to adopt a standard. As such, we found a standard at the U.S. National Institute of Standards and Technologies, that helped us establish that a Level 2 assurance was appropriate for the industry. The National Institute of Standards and Technology (NIST) develops technical requirements for U.S. federal agencies implementing identity solutions. Organizations working with federal agencies must meet these requirements. We were able to pull together performance standards and testing; and, most important, it was all auditable.
There was an existing electronic network that handles product verification, however in this decentralized environment, there was no interoperable mechanism to verify identity and ATP status. We needed a different way to do this. First, we needed to prove the credentials could establish digital identity and authorized trading partner status, and that credentials could be revoked if the underlying facts about their identity or ATP status changed (if someone lost their license, for example).
The nonadjacent trading partners’ relationship also was important. We did audits to ensure that there was no gap in establishing the credentials, using them in electronic interactions and for trading partners to be able to audit the use of their credentials. We also provided a means to protect against man in the middle (interception for communications and reuse of credentials by nefarious actors) attacks. Those in the pilot were able to prevent malicious actors from breaching security. It also provided an auditable chain of trust. Coming out of the pilot, we put together an auditable trail. We formed OCI to standardize the work and make it available for use royalty free.
What is even more exciting is that we went from pilot in 2021 to 2022, to full testing in 2022 with solution providers and trading partners using the existing VRS (verification routing service). They were tested for use in the existing system, and the interaction can be done with great efficiency. In other words, you can transact 2 credentials and can do it in under 1 second. By 3/20/2022, we created specifications; conformance criteria for each area we were using credentials in the VRS. We have a full suite of specifications, guidance, and a conformance program. Now we must pick the auditors for the conformance program. We are currently working on this.
Later in 2023 we will have the first set of auditors. There are software auditing companies that provide those audit services against conformance criteria. They will build test cases for review. Once they do the audit, they will provide the audit summary back to OCI who will establish the trusted Issuer’s list and other lists of conforming solutions.
4. Describe decentralized identity, how it is being used now and how do you see it being used in the future.
In November 2023, the Enhanced Drug Distribution part of the Drug Supply Chain Security Act comes into effect requiring product information verification and product ownership tracing. We are working on the sunrise date for when credentials will be mandatory for solution providers. As companies come on, credentials will be optional for a period. Right now, we have several participants in manufacturing, wholesale-supply, dispensing and some hospitals such as Kaiser Permanente and Geisinger that are looking at this, and retail pharmacies and small community pharmacies.
It is now part of the Partnership for DSCSA Governance (PDG) blueprint for the entire industry. Credentialing is not required under the law. However, credentials provide an economic and secure means for what is required (establish identity and Authorized Trading Partner status).
5. Some say this is “just another layer” What do you say to that?
It may be another layer, but it’s a very important layer. Right now there are no secure means to establish identity and ATP status across the decentralized, distributed set of industry solutions. Right now, we need interoperability and need the verifiability; the OCI protocol provides a convenient, economic, and secure way to verify trading partner identity and ATP status. In a decentralized architecture, digital credentials are loosely analogous to a username and password in a centralized system.
6. What do vendors, hospitals and others have to do to make this happen.
If we are talking about vendor credentialing, what we need is to create a digital equivalent of what we see in the ANSI NEMA standards. There are a variety of steps that need to be taken. It may include re-stating the use cases that C4UHC has defined in the digital context. We need to work out conformance criteria for solution providers. Each current credential could have a digital equivalent. So, there is performance around that, and we would need to ensure protection and proper use. In short, this would be for issuers of digital credentials, digital wallets and current applications that would make use of these digital credentials to enhance their current processes.
We are getting there, but there still is a bit of work to do to move from paper-based to interactable distributed network.
Let me paint a picture. There are entities already issuing credentials either in their own systems or as paper that is used today. Using digital, verifiable credentials, today’s credential issuers (may be the companies that employ the representatives, current VCOs, or other primary sources) would issue a digital credential. Each representative could hold their set of credentials in an application (possibly on their phone). When presenting to a hospital (for example) the representative could electronically send the credentials required by the hospital to the hospital’s system. Through the standardization efforts of C4UHC and OCI, hospital systems would have a standard, common understanding of what each credential represents, whether the credentials were issued by a trusted issuer, whether the credential was indeed issued to the representative presenting themselves to the hospital, or whether the credential had been tampered with, expired or revoked.
The system would archive that interaction; hospitals would have an auditable record — the verification that was made on that record. We see the uses become very easy. That said, there are a few processes to work out with hospitals and companies: Onboarding and offboarding employees, expiring or revoking credentials as needed. As employees move from one company, the new employer becomes the issuer of certain credentials.
Interoperability is important. NIST, ANSI, W3C and GS1 standards together provide the mechanism for interoperable credentials and processes.
From a hospital perspective, digital credentials allow you to know exactly who is in your system. You have a verifiable archive; you can know immediately if a credential has been revoked and you can support audits and investigations. To sum up, the whole process is secure and auditable. Our next step is to create a demonstration of it.