Cyber Supply Chain Security: A Concern for the Pharmaceutical Industry

Manufacturing practice requirements leave pharmaceutical manufacturers vulnerable.

The supply chain has been the source of several recent cyber breaches, including the well-publicized incidents at Target and other retailers. Within the pharmaceutical industry, manufacturing, distribution, and delivery systems can be vulnerable to hardware and software malware and cyber espionage, which can compromise product integrity.

“There is obviously an incredible amount of liability associated with counterfeit drugs coming into the marketplace in various parts of the world,” said Sandy Boyson, PhD, a University of Maryland professor, co-director of the university’s Supply Chain Management Center, and an advisor to the National Institute of Standards and Technology (NIST).

“The assurance mechanisms we’re talking about are not just present in the production phase, but also deployed throughout the distribution and delivery phases. Sensor networks (RFID tags, digital locks, mobile applications, etc) can help provide visibility into operations in real time. With visibility, you can have control over the flow of your product, quickly detect threat vectors, and react to breaches. And that requires information technology.”

Dr. Boyson’s team has been researching cyber supply chain risk management for the past 6 years. The new discipline combines aspects of 3 existing fields—supply-chain management, enterprise risk management, and cyber security—and aims to gain control and visibility over supply chain systems, Dr. Boyson said. Typically, chief information officers and vice presidents of supply chains have had limited communication and coordination with one another.

However, in recent years, as the IT supply chain has been globalized and outsourced, there has emerged an urgent need to create integrated risk teams that blend their respective executive skills and resources. These teams also include a risk/legal officer.

“We believe that this is an important new management approach because a lot of technical approaches have failed,” Dr. Boyson said. “If you look at the recent, for example, Home Depot breach, what you find is that a third-party vendor was the one who became the vector, or the pathway, of the breach. This is a problem that we see consistently. It’s all about extended IT supply chains opening up vulnerability windows.”

Pharmaceutical manufacturers are particularly vulnerable because of good manufacturing practice requirements, Dr. Boyson said. Furthermore, certain types of attacks or malware do not involve network breaches, making systems that are not even connected to a computer network vulnerable.

“If you are a manufacturer whose production, packaging, and distribution processes were significantly compromised in any way by criminal malware, by foreign espionage services, by whatever compromises your production practices, and the quality of your product became compromised, you can lose a billion dollars in revenue overnight,” Dr. Boyson said. “The FDA can shut down a product line overnight for serious violations of Good Manufacturing Practices. It gets shut down, literally, overnight.”

A portion of Dr. Boyson’s work at the University of Maryland’s Supply Chain Management Center and his work at NIST involved developing a framework and model to assess and manage IT supply chain risk. His team’s baseline assessment was that approximately half of companies did not have supply-chain risk assessments or management strategies in place.

The researchers then created a portal based on the NIST Executive Framework that allows companies to perform enterprise risk assessments of their IT systems and supply-chain organization using NIST’s approach. The tool produces a benchmark for that business, an assessment model, and determines vulnerability of key areas within the company’s IT supply chain.

“As cyber supply-chain risks become more strategic business factors, such as the recent case of the Target CEO resigning over an IT breach, you get into a situation where it’s not just an issue for the IT shop anymore,” Dr. Boyson said. “The revenue losses from a breach or weakening customer confidence in your system and brand can mount up. As these losses increase, companies are going to have to step up and manage cyber risk more intensively.”