Categories
Enforcement Technology

FMD SECURITY EXPLAINED

The EU and UK FMD system is secured to ensure that only appropriate bodies are able to access the system. This ensures that any changing of a FMD pack’s status can only be made by those who have a right and a need to do so. Indeed without the necessary permission it is not possible to see the current state of a FMD pack. The data matrix can be read but is only seen as a string of numbers and letters; not what product it relates to or whether the pack is active, inactive or fake.

Access to the FMD system in the UK is granted to users by SecurMed but the actual credentials are provided by the software provider. In the UK and some EU countries that is Arvato. This not true for all countries; for example the Republic of Ireland uses SolidSoft.

The credentials in the UK consist of:

  • 2-part user name (such as XXXXXX/12345678).
  • Password for that user.
  • A certificate
  • A key password for that certificate.

In version 1.06 of the NMVO portal a failure of these credentials when connecting will generate the error ‘NMVS-48612 portal bad request error’. The Serialogical software makes a check that the credentials are in place before attempting to connect but only the NMVO will know if these are valid credentials.

Certificates are set to expire in 720 days. This means that as this article is being written the certificates of the early adopters of the UK FMD system will be coming up for renewal. The NMVO will provide details of any new certificate 30 days before the old certificate is due to expire. Either certificate can be used for the 30 day transition. The new certificate will come with a new TAN. The TAN is required to download the linked certificate from the NMVO portal. As the certificate is downloaded a passphrase will be displayed. This is the key needed to install the certificate onto your computer, your NMVO access program (for example Serialogical) and onto your web browser. This passphrase may also be referred to as the ‘private key password’.

The user password is not the same as the certificate password. If an unknown user-password combination is entered the user account will be locked. The initial password allocated by the NMVO should be changed immediately. This new password will be valid for 90 days.

The certificate is used to encrypt the data (such as pack details) sent to the NMVO. It also fulfils the role of ensuring that the body you connect to is indeed the NMVO. Only the NMVO will recognise the certificate and allow access to its processing end points. This prevents any other body from pretending to be the NMVO and giving false data. It also allows the NMVO and only the NMVO to allow what users are allowed to do on its system.

If a body is acting as a pharmacist and a wholesaler it will have been provided with 2 sets of identification information (2 users and 2 certificates). Switching roles will require changing these credential details or running 2 sets of FMD software. The Serialogical software will run in wholesaler or pharmacy modes and can be switched between roles or installed in multiple locations. The activities that are not available to the user type are greyed out when roles are switched on our software.

The web portal is designed as a backup FMD tool

The best and most efficient way to work with FMD packs is with dedicated software such as that from Serialogical. The NMVO web portal is only to be seen as a backup should other access methods fail. This requires the same set of certificate, user details and passwords. If an organisation has credentials as a pharmacist and wholesaler then the web browser will need to be told which certificate to use as both certificates are for the same organisation. An easy work around is to 2 machines or Firefox for 1 account and Chrome for the other on the same local machine.