Re-Thinking Security

Columns - Technically Speaking

What you can learn from the pharmaceutical industry.

© stevecoleimages |

In our industry, How can we define security?

A patient with an eligible condition wants medication that will predictably and consistently address her needs. Let’s call that medical security. Our patient also deserves medication that is free from contamination of any kind. Recreational customers also want predictability in their products, and products that are free from contamination. Let’s call that quality security. Regulations demand security from theft, loss and diversion of product away from fully licensed dispensaries. Let’s call that physical security. As part of an industry in development, we live with some differences in the concerns of our patients and our recreational customers, and the concerns of our regulators. Nevertheless, we need not consider patient and recreational concerns, and regulatory concerns to be mutually exclusive.

Let’s consider a local pharmacist handling Schedule II drugs in the normal course of business; she has similar concerns to those of a pharmacist or other dispensing professional in the medical marijuana industry. The pharmacist will be responsible—working with other medical professionals—for dispensing appropriate medication for a patient’s condition. She will also be responsible for reporting her pharmacy’s routine retail demand for Schedule IIs and its ordering patterns, as well as for secure storage.

She will spend most of her time, however, on precise, Schedule II inventory counts. If the counts are ever out of tolerance, she will have a reportable Schedule II event. Nevertheless, she will probably never need to assure a patient that the pills will accomplish their medical purpose, or that the pills are free of microbiological or heavy metal contamination: Medical security is built into the Food and Drug Administration (FDA)’s research and approval process, just as predictability, consistency and security against contamination are built into the FDA’s current Good Manufacturing Practices (cGMP) system.

The pharmacy analogy for our recreational users would be in the pharmacist’s over-the-counter, food and cosmetic products. FDA’s influence ensures that consumers of these products know what they’re paying for and need not worry about quality.

What does our industry’s security model look like? From a patient’s point of view, seed-to-sale does not address her medical or quality concerns with the products she purchases, and she has not noticed any thieves running down the street with bushes, large or small.

From our point of view as a producer, processor and packager, raw product has little use and even less value. Raw, green product must be cured, during which it loses over 80 percent of its weight. Raw product is very bulky; someone would have to steal about a pound in order to end up with an ounce, not counting stalks, roots, etc. One would also have to put some time and effort into curing it appropriately. In terms of value by volume, jewelry stores, Apple stores or even Verizon stores present more attractive targets.

As matters of production control, however, we focus our attention on medical predictability, consistency and quality through the documentation (certificates of analysis and production-control records) of our physical inputs, and of everything else that goes into our production process. Then, as wet weights become dry weights in cure, we begin to weigh and count. We also spend more time with our cure- and packing-room cameras than with any others. All of our scales are regularly calibrated by third-party vendors. We validate our systems across operators. We double and triple count all packages into visually obvious compartmentalized shipping cartons and into a visibly obvious vault storage system. By the time we draft our own certificates of analysis before shipment, we feel like a group of precision-oriented, documentation-heavy Oompa Loompas.

Again, although we know our plant counts, at various stages of growth, and our yields out of each process, we work with this data mostly as a matter of production control. We do, however, demand, obtain, file and worry through certificates of analysis for each of our inputs, including our packaging. We have large libraries of third-party test results and of retained samples.

We are aware that our industry has generated some controversy concerning testing, so we use a laboratory whose primary business is food and drug work for FDA-compliance purposes. We are also aware that our industry has had negative publicity concerning contamination, and we want no part of it.

We may focus on inventory controls, and accurate measures and counts, including theoretical and actual yields, and on completing full inventories after each delivery, but we know that the patients who buy our products really care about our production process’s ability to produce predictable, consistent products without questions of quality.

With respect to certain potential problems in the food supply, the FDA uses a methodology called Hazard Analysis Critical Control Point (HACCP) to address and control microbiological and other risks, most typically from food harvest to consumption. We find the methodology (which we must admit is no more exciting than our inventory counts and our cameras) to be a relevant and useful tool among our checks and balances.

If this sounds like a lot of work, it’s because it is. But, turning back to more conventional security concepts, we do not expect inventory deviations. Inventory control constitutes the centerpiece of what we consider to be an advanced, effective, physical security system. We want to be at least as good at controlling inventory as the local pharmacist is with her Schedule II products. Like our pharmacist, we have our vault. But, we never forget our patient, so we also want our products to be at least as predictably effective and consistent, and as free from contamination, as our pharmacist’s schedule II products.

© woraput |

Physical Security Is Important, But …

We located our production facility about a half mile from the local police station. At night, we light it well. We maintain good relationships with local officials.

Our security director, a former DEA agent, uses common sense and lessons learned from his former career to keep our facility and our deliveries as safe as possible. Our cameras and other security technology further enhance the security levels for our physical facility and for our deliveries.

What about cash? We don’t like cash at all and immediately deposit whatever we get. We provide IRS Form 8300s as necessary. We also provide bank deposit envelopes for customers to seal until the bank opens them. We have copies of every check we’ve ever received. We don’t look forward to audits, but we like to be ready for them.

Not every producer or pharmacy can locate in a low-risk area. Some concepts regarding physical security must, of course, be driven by each business’s local circumstances. We believe, however, that our industry has matured to the point where concepts of medicinal predictability and consistency, and of pharmaceutical quality, deserve a focus comparable to the focus that they receive in comparable industries—and comparable to our industry’s concerns with physical security.

The authors do not provide legal, accounting, or tax advice. This material has been prepared for informational purposes only, and is not intended to provide, and should not be relied on for legal, accounting, or tax advice. You should consult your own legal, accounting, and tax advisors before acting on any related matters.

Rino Ferrarese is the COO of Connecticut Pharmaceutical Solutions, one of four licensed producers in the state. He has experience as a compliance officer working in FDA-regulated industries under the guidelines of current Good Manufacturing Practices (cGMP) for the production of prescription, Over-The-Counter (OTC) and homeopathic human drug products. He is a certified Six Sigma Black Belt and ISO auditor. Ferrarese also works with Elite Cannabis Enterprises developing and submitting competitive medical marijuana license applications for clients across the United States. Thomas Schultz is president of Connecticut Pharmaceutical Solutions. He is a Wall Street lawyer and investment banker turned pharmaceutical executive. In 1996, Schultz completed an IPO-oriented merger of the last major producers of witch hazel, the EE Dickinson Company and the TN Dickinson Company. He assumed leadership of Dickinson Brands Inc., the resulting firm, until 2014. By 2003, Schultz had led the buyout of the EE Dickinson interests and managed the acquisition of Humphreys Pharmacal Inc., a company that marketed witch hazel to Central and South American markets. Mark Kaczynski is responsible for the development and implementation of the security plan at the CPS facility and transportation of CPS products. Kaczynski also manages CPS bank relationships, including operational consulting with relevant U.S. Department of Justice and U.S. Department of Treasury guidance documents. Formerly, he served as a supervisory special agent/attorney for the U.S. Department of Justice and Drug Enforcement Administration for 30 years.