Choosing an authentication service supplier is just the start

‘The intellect of man is forced to choose; perfection of the life or of the work.’
(W.B. Yeats)

---

Across Europe in the coming months many representatives from the pharmaceutical industry will be sitting down with people who they may know as colleagues or as competitors; those who they are in-step with and those who have a different point of view. These unlikely groupings will be forming the national medicines verification organisation (NMVO) in their respective countries whose responsibility will be to run the medicine verification system (NMVS) for that jurisdiction.

One of the first things that this important collective will have to do is make a choice. Not the one about who will be the chairman and other committee posts, although these will be essential, no they will need to choose a company who will be their authentication partner for the next 5-7 years. This company will not only be a key supplier, they will be the cornerstone of the NMVO’s ability to deliver on its responsibilities in regard to the Delegated Act and the Falsified Medicines Directive.

So maybe not a choice as profound as the one described by Yeats above but a pretty important one nevertheless.

To make that decision a number of criteria will be used – broadly covering areas such as:

Service Choice. Does the service meet all the requirements detailed in the Delegated Act?

Systems and Architecture. Where questions around the flexibility and scale of systems need to be answered. The Delegated Act calls for medicines to be guaranteed by an end-to-end verification system.

Security. This is very important in an authentication service. Essential questions will need to be considered - How will users be checked to ensure they are authorised to use the system? How secure is the database? What happens if security is breached? How will medicines be dispensed safely?

Design and Implementation. A complex area with a wide range of considerations, from commitments to service delivery and not just software. Plus how will incumbent authorisation and authentication procedures be supported?

Regional Requirements. Ultimately, who in the NMVO is accountable for the decision?

Support and Issue Resolution. Here one of the key questions relates to disaster recovery, is there a credible plan in place from the provider? How will the NMVO react if a suspicious pack is identified?

Regulation. In order for a service to achieve and maintain GxP compliance, all software needs to be validated that supports the service, this includes pharmacy and wholesaler software if this has been changed to interface with the repository. Additionally, all parties and systems that interact with the system - particularly those engaged in the exchange of data - may be subject to secondary audits to ensure system integrity.

Privacy and Compliance. An important topic where assurances around compliance with local privacy regulations and confidentiality of all information are required.

(These topics have been seen regularly in our meetings with prospective NMVO representatives and groups. Specific questions have been grouped together into broad themes for the purpose of this article.)

To paraphrase another well-known saying, as the manufacturers’ representatives, ‘You are paying the money so you get to make the choice’. There might be a temptation for that to be that for the NMVO. Job done, decision made, sit back and relax. That would be a mistake.

The responsibilities of the NMVO will be deeper and wider than simply choosing a supplier and passing all of the responsibility for delivery on to them. The NMVO will need to have a clear understanding of where its own liabilities begin and end. Without this knowledge it cannot start its recruitment of executive officers or to put in place the checks and balances required to ensure full compliance with not just the Delegated Act but also the expectations and demands of the ultimate customer, the patients in their country.

Which leads to the question, what happens if these standards are not met? Is there a process in place should a supplier, or the NMVO itself, fail to meet all that is expected of it?

Does the country’s national regulator step in if the system fails in its governance, cost control or actual ability to deliver the required levels of patient safety? What are the likely outcomes of such a decision?

On the positive side of this argument there maybe additional areas of influence and performance management where the NMVO could become involved. It surely does not have to stop with just delivering the minimum requirement? What about faster responses? Or more secure processes? What about an ongoing dialogue with stakeholders that drives continuous innovation and improvement? If I was not only paying for a service but also had the responsibility for shaping it and ensuring that it delivered to a European standard then I would want to ensure that I knew exactly what I could and could not do. 

It would seem to make sense for the boundaries of influence on the one hand, and the consequences of poor performance on the other, to be fully understood by all concerned. This is a discussion that members of NMVO’s, confirmed or otherwise, should be having with each other and the Commission if necessary. Now is the time to do this and not when things start to go wrong.

---

Graham Smith is a director and chief sales officer of Aegate Ltd.