Government Computer News
Substance control
DEA uses a PKI system to better better track the flow of certain drugs
Digg
De.licio.us
Slashdot
TechnoratiInside the project
Digital certificates
CHALLENGE: Moving the Drug Enforcement Administration’s tracking system for Schedule II controlled substances from a paper form (in triplicate with actual carbon paper, if you can believe it) to an electronic format was a project whose time had come. DEA has been using Form 222 successfully since 1970, but sending paper back and forth is expensive and time consuming. Plus, it encourages retailers to keep larger inventories of drugs on hand and undercuts the value of electronic ordering systems that the pharmaceutical industry has been using for Schedule III and IV drugs. Industry wanted to streamline the process, and DEA realized it could benefit from an upgrade as well through improved security and reduced costs.
SOLUTION: DEA chose to enable electronic ordering systems to use digital signatures through a public-key infrastructure. Nortel Government Solutions is now the certificate authority for the Controlled Substance Ordering System, issuing and maintaining certificates for individuals authorized by DEA to order and distribute drugs. CSOS can be integrated into third-party applications to digitally sign order forms, and the signed electronic forms are submitted to DEA in place of paper.
MISSION BENEFIT: Only about 10 percent of the industry has adopted CSOS in its first year of operation, but the savings for those who use it can be great. The cost of a transaction has been reduced from $39 when using a paper form to under $6 when handled electronically. CSOS is faster and more flexible than paper, encouraging retailers to make more small orders, reducing the inventory of controlled drugs that they must secure and account for.
LESSONS LEARNED: DEA found that PKI requires coordinating many moving parts. “Collaborate with whatever groups are going to be using the system,” said Mike Mapes, e-commerce chief of the DEA Diversion Control Office. “Without collaboration, it is going to be a difficult process.” The needs of the end users have to be considered when doing the initial requirements analysis, and technology must be found to fill those needs. And as in any project where a manual, paper-based system is moved to an electronic environment, educating the users is important.
“The Schedule II drugs need to have more tracking,” said Mike Mapes, chief of the e-commerce section of the DEA Office of Diversion Control, which sees that prescription drugs do not get diverted into illegal channels.
Tracking of wholesale sales traditionally has been done with DEA Form 222, a paper form in triplicate, imprinted with the buyer’s name and DEA registration numbers, which must be filled out by the buyer and supplier, and submitted to DEA.
“They’ve been used forever, and there hasn’t been a lot of diversion or copying because they are printed carefully on high-quality paper,” Mapes said. “They have worked well.”
Form 222 hasn’t actually been used forever—just since 1970. But that’s long enough to begin showing its age. The forms are expensive to print, and moving them back and forth between buyer and supplier takes time.
“It creates a lag in the process,” Mapes said.
This discourages pharmacies from making frequent small orders and results in larger stockpiles on the shelves, which can be a security problem.
E-commerce was an obvious answer to these drawbacks, and DEA has responded with the Controlled Substances Ordering System, which enables third-party electronic ordering systems to use digital certificates and e-signatures in place of the paper forms. “It allows them to deal with their inventory a lot better doing it electronically,” Mapes said.
A straightforward PKI system
CSOS was developed for DEA by Nortel Government Solutions Inc. of Fairfax, Va. “We provided the means to allow the electronic transmission of orders,” said Dick Thelen, director of Nortel’s public-key infrastructure center.
Nortel is the certificate authority for CSOS, enrolling individuals in the controlled-substances supply chain, and issuing and managing the X.509 certificates, which contain the private encryption keys. The same information still has to be supplied to DEA within 48 hours of a transaction for Schedule II drugs, but now it can be sent electronically rather than on paper. This means data from the electronic ordering system can be used.
The system is straightforward. A hashing algorithm is used to create an electronic digest of the electronic order, and the digest is encrypted with a private key. The recipient decrypts the digest with the sender’s public key and verifies that the document has not been tampered with by making another hash and comparing the two. This provides both nonrepudiation and integrity of the electronically signed document.
The impetus for the system came from industry, which saw an opportunity for greater efficiencies and cost savings by extending the use of their existing electronic ordering systems to Schedule II drugs. DEA worked with the Health Care Distribution Management Association and the National Association of Chain Drug Stores to develop system requirements.
![1105 Government Information Group [purity]](/images/1105logo_website.gif "Government Computer News [purity]")
© 1996-2008 1105 Media, Inc. All Rights Reserved.
