Evaluation of Decentralized Verifiable Credentials to Authenticate Authorized Trading Partners and Verify Drug Provenance


  • Ghada L. Ashkar, PharmD UCLA Health, Los Angeles, CA, USA
  • Kalpan S. Patel, PharmD, MBA UCLA Health, Los Angeles, CA, USA
  • Josenor de Jesus, PharmD, MBA, FACHE UCLA Health, Los Angeles, CA, USA
  • Nikkhil Vinnakota Amgen, Thousand Oaks, CA, USA
  • Natalie Helms Amgen, Thousand Oaks, CA, USA
  • Will Jack LedgerDomain, Las Vegas, NV, USA
  • William Chien, PharmD, MBA LedgerDomain, Las Vegas, NV, USA https://orcid.org/0000-0002-5197-7861
  • Ben Taylor LedgerDomain, Las Vegas, NV, USA https://orcid.org/0000-0003-1776-0674




verifiable credentials, identity, DSCSA, pharmaceutical supply chain, drug verification


Summary: In 2013, the Drug Supply Chain Security Act (DSCSA) was signed into law to address the growing threat of counterfeit drugs and to ensure prescription drugs remain safe and effective for patients. As part of this law, US pharmaceutical supply chain stakeholders are required to confirm the authorized status of trading partners for transactions and information disclosures, even when there is no prior business relationship. While larger Authorized Trading Partners (ATPs) have connectivity solutions in place, newer and smaller ATPs have not traditionally participated, including tens of thousands of dispensers. To unlock the full potential of the interoperable system mandated by the DSCSA, the authors tested eXtended ATP (XATP), a blockchain-backed framework for ATP authentication and enhanced verification in a real-world pharmacy with genuine drug packages. The objective of this research study was to prove that electronic authentication and enhanced verification can be achieved between ATPs using a mobile-based solution. Moreover, we tested accurate reading of drug and associated electronic med guides, flagging of expired and recalled drugs, and correct generation of documentation to support saleable returns.

Methods: This study involved two dispensers and three participating manufacturers. Dispensers were onboarded to a mobile application and used supporting documentation to authenticate their identities, and then scanned 2D drug barcodes to submit drug verification requests to manufacturers (including 11 additional, randomly selected manufacturers). Genuine and synthetic drug package barcodes were used to test workflows against genuine and synthetic manufacturer serialization data records. Manufacturers authenticated the identity of requesting dispensers with verifiable credentials and responded to verification requests.

Results: Enhanced drug verification was achieved, with 100% of requests successfully delivered to participating manufacturers and 88% of requests being delivered to other manufacturers (based on the pharmacist selection of random packages from the pharmacy). Drug verification matching against synthetic serialization data records resulted in 86% accuracy, with the 14% error rate attributed to human factors. All barcodes were successfully scanned and provided package-accurate data, and 97% of randomly selected packages successfully generated drug package inserts. All synthetic recalls and expired drugs were successfully flagged. Four of the manufacturers contacted were among the top 15 pharmaceutical manufacturers globally; all four responded.

Conclusions: The XATP framework provides a secure, reliable, and seamless remote method to conduct enhanced verification as required by law. Interoperability between manufacturers and dispensers with no prior business relationship can be achieved on ‘day zero’ using mobile devices that enable digital authentication and rapid barcode scanning. As users retain control of their own private keys, the framework also mitigates the single-point-of-attack risks associated with centrally managed systems.


Download data is not yet available.


U.S. Department of Health and Human Services Food and Drug Administration. Drug Supply Chain Security Act (DSCSA). U.S. Department of Health and Human Services Food and Drug Administration. Available from: https://www.fda.gov/drugs/drug-supply-chain-integrity/drug-supply-chain-security-act-dscsa [updated 22 May 2019; cited 4 February 2021].

Callahan J. Council post: Know Your Customer (KYC) will be a great thing when it works. Forbes; 2018 Jul 10. Available from: https://www.forbes.com/sites/forbestechcouncil/2018/07/10/know-your-customer-kyc-will-be-a-great-thing-when-it-works/?sh=75bf384d8dbb [cited 4 February 2021].

U.S. Department of Health and Human Services Food and Drug Administration. Identifying trading partners under the Drug Supply Chain Security Act: guidance for industry – draft guidance. 2017 August. Available from: https://www.fda.gov/files/drugs/published/Identifying-Trading-Partners-Under-the-Drug-Supply-Chain-Security-Act-Guidance-for-Industry.pdf [cited 4 February 2021].

U.S. Food and Drug Administration. Drug Supply Chain Security Act law and policies. U.S. Department of Health and Human Services Food and Drug Administration. Available from: https://www.fda.gov/drugs/drug-supply-chain-security-act-dscsa/drug-supply-chain-security-act-law-and-policies [updated 23 October 2020; cited 4 February 2021].

Freisleben J. VRS update: Past, present, future. 2018 December 12. In: HAD.org. Arlington, VA: Healthcare Distribution Alliance; 2018. Available from: https://www.hda.org/news/hda-blog/2018/12/07/14/44/2018-12-12-vrs-update-past-present-future [cited 4 February 2021].

GS1 Healthcare US. Standard 1.1 – applying the GS1 lightweight messaging standard for DSCSA verification of returned product identifiers. 2020. Available from: https://www.gs1us.org/DesktopModules/Bring2mind/DMX/Download.aspx?Command=Core_Download&EntryId=1897&language=en-US&PortalId=0&TabId=134 [cited 4 February 2021].

Jürgens G. Industry-wide DSCSA compliance pilot successfully completed. 2020 December 17. In: Medium.com. Spherity; 2020. Available from: https://medium.com/spherity/industry-wide-dscsa-compliance-pilot-successfully-completed-d7223a0f2c92 [cited 4 February 2021].

XATP Working Group. Framework for eXtended ATP authentication, enhanced verification, and saleable returns documentation. Las Vegas, NV: LedgerDomain; 2020 December 17. Available from: https://www.xatp.org/whitepaper [cited 4 February 2021].

Chadwick D, Longley D, Sporny M. Verifiable credentials data model 1.0: expressing verifiable information on the web. World Wide Web Consortium (W3C); 2019 November 19. Available from: https://www.w3.org/TR/vc-data-model/ [cited 4 February 2021].

GS1 Healthcare US. Assessing current implementation of DSCSA serialization requirements. Ewing, NJ: GS1 US; 2018. Available from: https://www.gs1us.org/DesktopModules/Bring2mind/DMX/Download.aspx?Command=Core_Download&EntryId=1210&language=en-US&PortalId=0&TabId=134 [cited 4 February 2021].

Partnership for DSCSA governance. PDG FDA pilot program round-robin webinar series. Partnership for DSCSA Governance (PDG); 30 June 2020. Available from: https://dscsagovernance.org/wp-content/uploads/2020/08/Attachment-A-Presentations.pdf (see slides 16-29) [cited 4 February 2021].

U.S. Department of Health and Human Services Food and Drug Administration. Verification systems under the Drug Supply Chain Security Act for certain prescription drugs guidance for industry – draft guidance. 2018 October. Available from: https://www.fda.gov/media/117950/download [cited 4 February 2021].

GS1 Healthcare US. Standard 1.2 – applying GS1 standards for DSCSA and traceability. 2016 November 7. Available from: https://www.gs1us.org/DesktopModules/Bring2mind/DMX/Download.aspx?Command=Core_Download&EntryId=749&language=en-US&PortalId=0&TabId=134 [cited 4 February 2021].

GS1 Healthcare US. GS1 lightweight messaging standard for verification of product identifiers. 2018 December. Available from: https://www.gs1.org/docs/epc/GS1_Lightweight_Verification_Messaging_Standard.pdf [cited 4 February 2021].

U.S. Department of Health and Human Services Food and Drug Administration. Wholesale distributor verification requirement for saleable returned /drug product and dispenser verification requirements when investigating a suspect or illegitimate product – compliance policies: guidance for industry – draft guidance. 2020 October. Available from: https://www.fda.gov/media/131005/download [cited 4 February 2021].

U.S. Department of Health and Human Services Food and Drug Administration. DSCSA pilot project program. U.S. Department of Health and Human Services Food and Drug Administration. Available from: https://www.fda.gov/drugs/drug-supply-chain-security-act-dscsa/dscsa-pilot-project-program [updated 22 May 2019; cited 4 February 2021].

Chien W, de Jesus J, Taylor B, Dods V, Alekseyev L, Shoda D, et al. The last mile: DSCSA solution through Blockchain Technology: drug tracking, tracing, and verification at the last mile of the pharmaceutical supply chain with BRUINchain. BHTY. 2020 March 12; 3. doi: 10.30953/bhty.v3.134. Available from: https://blockchainhealthcaretoday.com/index.php/journal/article/view/134 [cited 4 February 2021].

Androulaki E, Barger A, Bortnikov V, Cachin C, Christidis K, Caro A, et al. Hyperledger fabric: a distributed operating system for permissioned blockchains. Proceedings of EuroSys 2018 conference. 2018. doi: 10.1145/3190508.3190538. Available from: https://arxiv.org/abs/1801.10228 [cited 4 February 2021].

Typically used by PICs to authorize pharmacy employees to issue orders for Schedule I and II controlled substances under DEA guidelines, Power of Attorney is increasingly being applied to other regulatory compliance measures. See Gabay M. Federal Controlled Substances Act: ordering and recordkeeping. Hosp Pharm. 2013 December 9; 48(11): 919–21. doi: 10.1310/hpj4811-919. Available from: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3875106/ [cited 4 February 2021].

Sourced from National Library of Medicine. DailyMed. Available from: https://dailymed.nlm.nih.gov/dailymed/ [cited 4 February 2021].

PharmaCompass. Top 1000 global pharmaceutical companies. LePro PharmaCompass OPC; c2021. Available from: https://www.pharmacompass.com/data-compilation/top-1000-global-pharmaceutical-companies [cited 4 February 2021].

Modeled after the regulatory requirement that credit and debit card receipts have truncated account numbers to prevent identity theft. Federal Trade Commission. Federal law requires all businesses to truncate credit card information on receipts. Washington, DC: FTC; 2007 May. Available from: https://www.ftc.gov/tips-advice/business-center/guidance/slip-showing-federal-law-requires-all-businesses-truncate [cited 4 February 2021].

Matney L. Apple’s global active install base of iPhones surpassed 900 million this quarter. TechCrunch; 2019 January 29. Available from: https://techcrunch.com/2019/01/29/apples-global-active-install-base-of-iphones-surpassed-900-million-this-quarter/ [cited 4 February 2021].

Shuaib K, Saleous H, Shuaib K, Zaki N. Blockchains for secure digitized medicine. J Pers Med. 2019 Jul 13; 9(3): 35. doi: 10.3390/jpm9030035

Brook C. What’s the cost of a data breach in 2019? 2020 December 1. In DataInsider. Digital Guardian; 2020. Available from: https://digitalguardian.com/blog/whats-cost-data-breach-2019 [cited 4 February 2021].

Keen E, Moore S. Gartner forecasts worldwide information security spending to exceed $124 billion in 2019. Sydney: Gartner; 2018 August 15. Available from: https://www.gartner.com/en/newsroom/press-releases/2018-08-15-gartner-forecasts-worldwide-information-security-spending-to-exceed-124-billion-in-2019 [cited 4 February 2021].

Ponemon L. What’s new in the 2019 cost of a data breach report. 2019 July 23. In: SecurityIntelligence. IBM Security; 2019. Available from: https://securityintelligence.com/posts/whats-new-in-the-2019-cost-of-a-data-breach-report/ [cited 4 February 2021].

Steel A. Passwords are still a problem according to the 2019 Verizon data breach investigations report. 2019 May 21. In: LastPass Blog. LastPass; 2019. Available from: http://blog.lastpass.com/2019/05/passwords-still-problem-according-2019-verizon-data-breach-investigations-report/ [cited 4 February 2021].

Lu D. How much are password resets costing your company? Okta; 2019 August 20. Available from: https://www.okta.com/blog/2019/08/how-much-are-password-resets-costing-your-company/ [cited 4 February 2021].

Bourque A. Ditching passwords and increasing ecommerce conversion rates by 54%. CIO; 2017 May 1; Opinion. Available from: https://www.cio.com/article/3193206/ditching-passwords-and-increasing-ecommerce-conversion-rates-by-54.html [cited 4 February 2021].

StClair J, Ingraham A, King D, Marchant MB, McCraw FC, Metcalf D, et al. Blockchain, interoperability, and self-sovereign identity: trust me, it’s my data. BHTY. 2020 January 6; 3. doi: 10.30953/bhty.v3.122. Available from: https://blockchainhealthcaretoday.com/index.php/journal/article/view/122 [cited 4 February 2021].

Additional Files



How to Cite

Ashkar, G. L. ., Patel, K. s., de Jesus, J., Vinnakota, N. ., Helms, N., Jack, W., Chien, W., & Taylor, B. (2021). Evaluation of Decentralized Verifiable Credentials to Authenticate Authorized Trading Partners and Verify Drug Provenance. Blockchain in Healthcare Today, 4. https://doi.org/10.30953/bhty.v4.168



Original Research