IoT Security Blog

Articles and Posts on IoT Security, Embedded Systems, and the Internet of Things

Congress approves FDA Bill with section for Pharmaceutical Security

Posted by Joanne C. Kelleher 

Late last week Congress sent to the White House H.R.3580.  The full title of this legislation is “To amend the Federal Food, Drug, and Cosmetic Act to revise and extend the user-fee programs for prescription drugs and for medical devices, to enhance the postmarket authorities of the Food and Drug Administration with respect to the safety of drugs, and for other purposes.”

The Pharmaceutical Security section of the bill states that the Secretary shall prioritize and develop standards for the identification, validation, authentication, and tracking and tracing of prescription drugs and shall develop a standardized numerical identifier to be applied to a prescription drug at the point of manufacturing and repackaging at the package or pallet level. RFID and Encryption are mentioned as potential technologies, but to protect the data on the RFID tag these technologies should be used together.

This bill sounds good, but there is no language about implementing these standards or requiring manufacturers, distributors and wholesalers to comply with them. A big issue to be determined is who will maintain and be responsible for the database that contains the standardized numerical identifier (and related data), how supply chain stakeholders can easily access this information for validation purposes, and who will pay for it. With 30 months to determine the standardized numerical identifier, I don’t expect to see any implementations before Spring 2010. The next step is a signature from the White House. (Note: This was signed into law.)

The full legislative text of this section is below and was taken from The THOMAS database. Additional details can be found at


Food and Drug Administration Amendments Act of 2007 (Considered and Passed by House)


    (a) In General- The Secretary shall develop standards and identify and validate effective technologies for the purpose of securing the drug supply chain against counterfeit, diverted, subpotent, substandard, adulterated, misbranded, or expired drugs.

    (b) Standards Development-

      (3) PROMISING TECHNOLOGIES- The standards developed under this subsection shall address promising technologies, which may include–
        (A) radio frequency identification technology;
        (B) nanotechnology;
        (C) encryption technologies; and
        (D) other track-and-trace or authentication technologies.

      (4) INTERAGENCY COLLABORATION- In carrying out this subsection, the Secretary shall consult with Federal health and security agencies, including–
        (A) the Department of Justice;
        (B) the Department of Homeland Security;
        (C) the Department of Commerce; and
        (D) other appropriate Federal and State agencies.

    (c) Inspection and Enforcement-

      (1) IN GENERAL- The Secretary shall expand and enhance the resources and facilities of agency components of the Food and Drug Administration involved with regulatory and criminal enforcement of this Act to secure the drug supply chain against counterfeit, diverted, subpotent, substandard, adulterated, misbranded, or expired drugs including biological products and active pharmaceutical ingredients from domestic and foreign sources.
      (2) ACTIVITIES- The Secretary shall undertake enhanced and joint enforcement activities with other Federal and State agencies, and establish regional capacities for the validation of prescription drugs and the inspection of the prescription drug supply chain.

    (d) Definition- In this section, the term ‘prescription drug’ means a drug subject to section 503(b)(1).


    1. Mike Ahmadi on November 18, 2007 at 12:35 pm

      It looks like the FDA may soon be extending this to medical devices as well.

      Although there is no specific mention of RFID requirements in this article, the eMDR (Electronic Medical Device Reporting) requirements the CDRH is apparently drafting may indeed make RFID the logical choice, since “…each filing must include information specific to the device involved in the event, including its model number, lot number, expiration date and serial number”.

      It would seem somewhat logical to me that extending H.R. 3580 to medical devices makes quite a bit of sense, since there is a fine line between drugs and devices. For example, birth control pills and IUDs are both distributed through a pharmacy. Since a faulty, expired, or counterfeit medical device can be just as serious an issue as drugs fitting the same description, it would appear that not extending this law to medical devices may indeed be a mistake.

    2. Joel Zemke on April 28, 2008 at 12:59 pm

      How do you prevent drug counterfeiters from simply making counterfeit pedigrees to send with their counterfeit products?

    3. Pharmaceutical on May 30, 2011 at 2:19 am

      That is precisely why the FDA’s mission has changed from protection of the public to protection of the financial interests of pharmaceutical companies.