KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
It's now it's now time to get started with the panel discussion on future-proofing pharmaceutical supply chain security. So may I have the panelist on stage in York, too? Brilliant. I think we'll let Bob Celeste take over from here and I wish you guys a great discussion. Thank you. Great. Thank you. So today we're gonna be talking about the us pharmaceutical industry using W3C standard verifiable credentials for a very specific reason.
And for our panel today, we have Dave Mason from Novartis, a pharmaceutical manufacturer, Jeff Denton from AmerisourceBergen pharmaceutical wholesale distributor, David Kessler. Fromum digital credential, issuer Oliver Newberg from SAP DS E S a serialization and product information solution provider and Gina Morgan from GS one international standards, buddy, and also JG who's in the room, actually in the room, digital credential wallet provider.
And so we're going to look at this from three perspectives and we'll move fast, but we'll be looking at the problem that the industry is trying to solve how we solve the, the problem. And then also how standardization is key to all of this. So first we'll, we'll have a little bit of a discussion with Dave and Jeff from the training partner standpoint. And so we'll start with Dave.
Dave, can you briefly explain for, for the folks, the regulation, drug supply chain security act and why they, this act is the reason why we're, we've been working on this? Yes. So UN excuse me, under the us drug supply chain security act, there's one detail called authorized trading partner. And what that means is that a manufacturer wholesaler or dispenser cannot conduct business unless that person has a valid license. So for a manufacturer, it would be FEI, federal establishment identification, which is issued by the FDA for dispensers and distributors. It's a valid state license.
It's not a DEA license. It's nothing, it is specific in the, in the law, a valid state license. So when we're communicating with each other through a distributed system, unlike a centralized system in Europe, we have to understand who the request from responder is and are they authorized? So that that's the issue we are trying to resolve under DSCSA. Great.
Thanks, Dave. Yeah.
So Dave, just to continue with you from a compliance of view from, from a manufacturer point of view on compliance and business perspective, what requirements do you have when a wholesaler is asking Novartis for a product verification? Yeah, so right now we, we have two methods of, of verification. We have a manual method, which they can use email, or they can use what's called a VRS where they are the requester, and they request information from us through, through our partner SAP.
And what we are were doing at the beginning was we were looking at our, our requesters and we were using GN global location numbers for GS one. And what we are finding out is some of the requesters, the GNS weren't registered, or the GNS were, were a company that didn't exist anymore. So really we could not validate with them, are they an authorized trading partner? And if we do a manual system, we have to, unless they are a direct customer, like Jeff is at Amerisource, we have to verify before we respond, are you authorized training partner?
So we are having to go into our internet and we have a provider like legacy to look up the state license to make sure they're valid so we could respond to them. So the big issue was trust. Okay. Do I trust, do I trust a responder? And do I trust the responders of partner now at SAP, we trust them because we audit them and we know that they maintained the data correctly and made sure everybody was an authorized trading partner.
But I, I don't audit all the, all the service providers that are in this system. So I can't say I trust them to do the right thing. So where this credentialing came in was, I know now that they have various credentials, they check one is the, the state license and other ones to verify. They say who they are. And also that they are authorized trading partner. And I have the, I have under D S C S a I can respond to them with a request. Great. Right. Thanks.
Thanks, Dave, Jeff, from a, from a wholesaler point of view, can you, can you describe the process that you go through to verify a product that was returned to your, to one of your warehouses? Yes. I think to put it in perspective, Bob, for the audience in our industry, in the us, we receive about 58 billion worth of product in a return sellable state. That it's good product return that can be reintroduced to the supply chain. And as part of our process, we have to create a, a, a verification request.
Or as Dave put a VRS, we call it DRS for simplistic terms, but it's verification re return service. It allows us to collect information on a bottle at a unique serialized level and send a transaction to a manufacturer or their agent to ask if they indeed can verify that they've made that product based on certain attributes within it, such as serial number lot expiration in G 10. And then that comes back to us.
The, the issue we have with the trust is the GLN is excellent in identifying an entity. There's no doubt about that, but anyone could get ahold of my GLN through nefarious ways and use that in a transaction. So if we're able to then not only create this request to, to a manufacturer for, for verification, we, we want to also ensure they know it is me. That's asking. And I think that's really, really key. And that's what this, this particular session is about how we brought that about and ensuring that trust is there.
When Dave gets my request for verification, he knows it's me, or some other wholesaler or a dispenser that's actually asking for that request. And how do you identify the responder today?
So you, I assume that you you're dealing with the many, many hundreds of manufacturers. And to know that you're getting that response back from the manufacturer that you're, you're seeking it from.
Yeah, it's, it's really kind of remarkable how this is worked out. So we use the third party, it happens to be SAP wonderful services in their ICH services that I'm sure Oliver will talk a little bit about, but as such, we're sending these transactions to this, this SAP service, and then they are forwarding it out to whomever it belongs to. And we're using the GLN to detect who we are that is given it to, to SAP and other things, but also the G 10 of a product that helps direct who owns that product from a manufacturing perspective. So our third party is doing that.
And the beauty of that is what we've established here for this trust is something our third party is managing for us. And I think we'll probably talk a little bit about that later, but it's really very simple on my side to provide that level of trust that we need to ensure that I am who I say I am and the message that a manufacturers getting from me came directly from me, artists of how many intermediaries in between of delivering that message may have occurred. Great.
And just before we move on to our next subject, maybe Jeff or Dave, can you give us a, a, like a magnitude of how many players we have in, in the supply chain manufacturers, wholesalers second wholesalers dispensers, just so people can understand how large of a, of a There's about 130 wholesalers, three of them represent about 95% of the total volume. So there's a significant number of smaller players that are regional or very local.
And then on the manufacturing side, in the regulatory space, we're talking about 500 or so manufacturers on the dispenser side, just for myself, we're talking about 60,000, I think globally a lot more, but within the us across all, all distributors, I don't know if you have a feel for that day, how many total dispensers are out there, but we work with about 60,000 David. I think you're on mute. Sorry.
We, we have about 300 direct customers. And then we, we work with another, probably about what Jeff says, 60,000 indirect customers. And most of them are community pharmacies.
Jeff, you're about you're right there. Now we also have, we work do a lot of hospital systems, the indirectly, they go through the middle and they, they are they're over 1700 hospitals that we, we deal business with that are indirect. So this is, this is why we need the credentialing and the trust it manually just can't be done with magnitude of partners.
Great, thanks. So I'm gonna move on to how we actually got together. We did pilot, we formed the OCI for, for managing these, this kind of information to, for other folks to be able to implement it. So we'll talk a little bit about solving the problem and for that I'll turn to Oliver, George and, and David. So first Oliver. So we learned that some of this is routed through the SAP system, and it might end up in a different system at an unknown trading partner. How did you solve this challenge in the past and what can you, what, what is different about what we're doing today in this situation?
I mean, basically we didn't solve it in the past, right? In the past, when you look at the, probably a dozen service providers that are in the space, there were discussions between the service providers. And I wouldn't say call us an agreement, but that everybody makes sure that only offer training partners can use their solutions with SAP. That's fairly simple because we deal with the large companies with Novartis, with AmerisourceBergen, these kind of companies.
But when you go to the lower end of the market where you don't maybe read in the newspaper that somebody's using the state license, because they are misbehaved or dunno what the correct term is, but then how do you make, we had no way to make sure that other participants in the supply chain really have their state license level. There were discussion among amongst the service providers to make sure this is being done everywhere said, yeah, they do it.
But basically we had no proof and this, the executive changing now, cause every single transaction, we now have proof that the sender, so the request and the responder are authorized trading partner, and we have the proof in the wallet and ready to be audited for every single transaction. Great.
So, so you're actually onboarding trading partners to, to be able to use the solution. So how does, how do your customers, what kind of changes do they need to make?
Are there, is this a complicated process with, with manufacturers and wholesalers? Yeah. Very good question.
No, the, we haven't established process. That process is running right about 80%, 75 to 80% of all the verifications in the us go through our system anyhow, already today. So we are talking about tens of thousands of these verification requests and the, basically the addition that we do doesn't change anything for our customers, right? They obviously need to make sure they get subscribed to a wallet, the need to work, for example, with, with legacy, to get the credentials.
And in a very far performer, it's very far credentials, but once that is done, our service basic plugs into the wallet and make sure this additional capability is being used to prove that the requester and or responder are authorized training. That was a key requirement from the market that we can basically move from a non, I don't know, non verifiable state to this new state where the, from ANP Great George being, as you're in the room live, just wanna get you to talk a little bit a Oliver mention the, the digital wallet capabilities.
And obviously that's the, that's one of the services that your, your company is providing. Can you explain a little bit more in detail how, how that works if we lift the covers on, on this whole architecture.
Yeah, exactly. Thank you, Bob. What we basically offer is a service, which is by now in production and the service enables trading partners like Novartis or Berg, and also smaller dispensers to acquire and decentralized identifier by using our identity wallet. And we anchor this decentralized identifier on a trust industry, like a public blockchain like serum. And with that identifier, the training partner needs to go through an onboarding process through our partner and they will run through very sophisticated identity verification process.
And once we have this basically established trust of a trading partner, so trading partner goes to the second step and can then acquire their credentials among thee authorized trading partner credential, which is also issued then by the experts them. And when all this is set up, actually in our credentialing service and the, for example, Nova, and they have an identifier, they have credentials then SAP, for example, is able to go to our op APIs of this wallet and get a presentation of these credential, attached us to their request message.
And basically have this bundle send over to a, to a requester. And then basically the recipient of the package is able to take thet credential presentation and to verify it with their wallet. And this all happens basically in, in, in one, one under one second, which is basically also basically meeting the performance requirements we have in this infrastructure. And with that, basically we established a system where two unknown identities are able to identify each other and to verify if the other side is really Nott partner. Thanks David.
In the beginning of when we started up the pilot, we talked about the issuer of the credential and initially it was sort of the issuer issues, the credential, and then we move on to all the fun stuff, all of the, the details, the technical details. But it seems to me that we, we spend most of the pilot talking about what you do.
Can, can you explain what, what, what your company's role is and how this works? Sure. Thanks Bob. Yeah. So performed validation and compliance solutions for over 13 years now. And so much of that validation does deal with certain identity components in a digital exchange. So our role was to really apply some of these identity methods to establish trust. And so we refer to it in, in the pilot of these discussions that Bob mentioned and others, the due diligence process. And that was to prove that trading partner's identity.
So whether it was Novartis nurse Bergen or others, we needed to be able to prove who the organization is, the individual involved with that due diligence process and then issue the corresponding verifiable credential. So obviously it was very critical to know that whoever the credential issuer is that they have that expertise to be able to, to go through and establish that necessary trust. And so that's what led someone was able to fill in this particular role and then having that verifiable credential created and issued to disparity wallet, then it could be used within the ecosystem.
Interesting. Thank you. So we'll move on to standardization now and, and Gina I'll point you out. We obviously the, the, the point of the pilot was to use a w three C standard credential and, and be able to exchange team trading partners and prove that they could prove each other's identity and also that they have an ATP status, but the industry is already, and especially this industry is already using well-established GS one standards for, for regular transactions.
So how is GS one supporting this, this effort with, you know, linking their, their regular transactions to these kind of transactions for identity and, and status? I think you might be on, Sorry. I was laughed I to make sure I needed, but sure. So we have supported the pharmaceutical industry and all of, as they have Dr. Been driving towards meeting the regulatory requirements of DSCSA for some time. And one of those standards that we have created and supported is the lightweight messaging standard.
And it allows like what Dave spoke to at the beginning, that query and response back to a manufacturer for a verified sale, verifiable saleable return to say, Hey, did you commission, this is, this is this pro a legitimate commission serialized product using S G 10. And so that message now will carry this credential and the header of the message along with it. So that when Dave receives that he can be assured that an authorized trading partner is making that request. And so that's the way in which we're supporting this particular use case.
And this EV this emerging technology, I would say that I think is very valuable as we, as physical and digital worlds begin to merge. And, and you are doing a lot of transacting with unknown partners. So that's like, I would say the baby step and how we're supporting this.
Now, I, I do think there is a longer term vision and, and, and how we, as, as the technology is adopted more broadly, and we do kind of start to implement this wallet, this wallet technology in a more scalable way so that it can just be part of your credential. I've got this credential that sales M and ATP, I've got this credential that might say, here's my GN and, and a number of different credentials that really kind of make up who an organization is, or even what a product is. And just as maybe to, to underline what you just said there.
So from GS one's perspective, how do, how do you start to envision the usages of these verifiable credentials in supply chain interactions? You see that more in, in other areas too? Yeah.
I mean, I, I think I saw this in the previous presentation when they were going over the, the trust over IP stack, you know, GS one is what would be considered a root of trust. We are the largest supply chain standards organization, and, and our system of standards gets used the status a bit 6 million times a day. And so we think that again, as digital and Figi, they call it digital.
Now, I don't know if anyone's heard that that's the idea. Oh, no.
And as, as physical and digital worlds do begin to merge, we see what we are used to is seeing in an way being presented in a digital way as a credential. So when you come to GS one and, and, and license your prefix to create your system of identification, you are presented with, we are the root of trust that for that we say, Novartis, this company, prefix, and these are all, you know, any identifier that sends them that does legitimate belong to them.
We are, we intend and have already piloted the ability to create that as a credential today is like a PDF document tomorrow. You'll be able to share that as I am. I am the legitimate owner of this company, prefix, or I'm the legitimate owner of this.
GLN, I'm the legitimate owner of this G 10 and oh, by the way, I'm also attesting to these facts about it. So that's part of it at, along with the part that says we are transacting, and here's my credential, which Jeff alluded to is identified by. He's identified by his GN is global location, number, his party, global location number to say, we're transacting. And here's the proof that you're transacting with who you think you are. And that will be a, a set of credentials that you'll be able to get as part of, as part of your GS one membership in the future. Great.
Thanks Dave, difficult question for you now that we've gone through a pilot we're in OCI, we're developing performance criteria and starting to beef up for this, what kind of things that we do to, to ensure that industry adopts this, this architecture? Is this for me? Yeah. Cause we got David and David. Sorry.
So, so, so what Novartis has been has done is of course we have done the pilot. We've also now are putting this credential into production. And one of the things I think is clear is there's a lot of fusion not understanding the credential and how it works a lot of times. So we need to continue to educate people. We're also looking at providing some credentials to some of our main customers and some of our indirect customers to show them for a year to show them how easy it is and, and, and get their buy in.
We're also working with the trade associations in, within the us to, to support this and, and push this. We've also talked to the FDA because I know they can't, what did I say, support anything, but they can at least talk about it in their, in their discussions with industry and kind of give a kind of a support there. So that's what we are trying to do. There's been slow acceptance, but I, I think as we do more of these trade meetings and we get the communication out there and we also provide some credentials to some of our customers, we'll get more acceptance.
Thanks, Jeff. I'm gonna end with you before we go into questions.
I mean, we, obviously, this is a very large panel with a lot of things going on. A lot of, lot of handshakes, a lot of people being able, having to cooperate together to make all this work, which sounds pretty complex. So I just wanna get your, your impressions as an end user, as you actually implement and use the technology.
You know, what is your experience? Is it, is it as complex as it sounds in use? From my perspective, from my viewpoint, from my position in the supply chain, working with third parties and others, it's extremely simple.
I know it is quite complex in the background, the work that David and George does, for example, to establish these, these credentials is not simple, but the burdens on them to go through that, if you think of what your own organization may go through to, to establish a new customer relationship and the things you need to do to know your customer, this is exactly what they're doing instead of me happening to now, in this case, I'm working with this, this whole new concept on behalf of the manufacturers, the burden is on them to know who I am before they can respond to a request and verify a return.
And so if this is the way that I'm going to be able to, to verify who I am, it's more than just a state license. Obviously Dave can talk for hours on that, but this is, this is what works for me. It's straightforward. It's simple. I sign up with whomever is within the, the environment that's willing to provide this service and everything else works within Oliver's team to set that up. He attaches these credentials to each of my outbound messages, and he looks at those, those credentials on inbound messages coming to me.
So it's, it's a real, simple, straightforward process from an end user perspective. Great.
Thanks, Jeff. So we have a couple more minutes. We'll open this up for questions. Obviously we've got a lot of different perspec perspectives here that you might be interested in in asking further. If you'd like to know more about what's taking place, you could go to the OCI website. So it's OOC i.org, but I'll turn it over to, is there someone in the room that might be able to take questions for the panel? Yeah. We just gonna ask. Yeah. So quick ask anyone have any questions to the panel or can we call it a day on a good note?
Of course, I think it's later there than it is here, maybe. So, so what I would say is this, you know, looking at everything from the outside, I think it's fascinating to see such a systematic approach towards the application of a new technology in a very traditional industry. And that shows that you really are concerned about, you know, lives in the end.
And yeah, I think there has a lot of credence to new technologies and the application of it. So on behalf of EIC, unfortunately, it's a shame that we have you in a virtual setting. We'd love to have you at EIC next year in a round table. And on that note, we actually have a question coming in from the audience and that is from Dr. Carson Stucker. So let's get a mic, let's get a mic for a second. And here you go. Speaker 10 00:27:00 Thank you.
So basically I have some context about the project, and I think you also evaluated other alternative technologies and had been a couple of other pilots and attempts to provide an authorized Austral partner solution. And in the end decentralized identity and verify the credential stood out against all other attempts to provide a solution. And maybe you can, one of you can share some background, what were the alternative technologies, pilots, and why, why the decentralized identity in the end and very fabric credential stood out. I can speak just to the decentralized part of that.
You know, we've got a decentralized industry who is using other decentralized ways of communicating with each other. And so a decentralized approach obviously makes sense, and doesn't, doesn't actually create a, you know, one attack area, but as far as other technologies, I might turn this over to your colleague, George it's sitting there. So basically we, we analyzed basically we analyzed this together with, with, with our partners, with SAP at the beginning. And there were, I think a lot of pilots also initiated by the FDA at the end was different kind of solutions.
But what stood out here is with this group at the end is that we had from day one, we had a group of verification routing service providers that, that has the understanding that we need to establish an intro solution, which is not under control under one party. And if we select a centralized solution, maybe all request and the information, whether a company's authorized or not will go through one solution provider, and this will end up in a very sensitive data field. And this is also something which an industry will never accept at the end.
And that's why we came up with a decentralized approach, which we together with industry now continue to develop to a, hopefully to a standard that can be it's acceptable by, by also by, from large manufacturers to large wholesalers down to small pharmacies. And maybe, maybe adding to this, you, you exactly right. I think there were two things. One was really that we from day one said it has to be interoperable. And we had, it was not an SAP driven pilot. There were, our competitors were in the room and we wanted that cuz otherwise this will never work.
And the second thing is also that we executed in this, in this group, we show this end to end with all aspects that this is working. So this is, is way more than a small POC. We did a very large, very extended pilot. We thought about integrating standards, et cetera. And even though there's still a lot of noise in the industry, in my view, nobody else has really executed through this and really proved that this was end to end across entire network looking towards standards, looking, I mean the entire picture, right?
And I think that really differentiated the pilot that we did all the productive implementation that we did as well from the other options that were out there. Right?
And, and now what we see, especially above with RCI, the open initiative is that we see parties joining just to understand that this is a way to do it, right. Even with slightly, I say different technology, but different approaches, right? And then we have, and getting this together, I think will be key to have one set or one way to identify the alter training partners in this process. Brilliant on that note, I'd like to thank you all for your time. And I wish the all, I wish all of you, the very best of luck in all of the initiatives moving forward.
And we hope to see a more decentralized approach towards healthcare materializing in the coming days and months. Thank you so much.
