As reliance on technology has increased, digital vulnerabilities in the pharma supply chain have grown – and the supply chain makes a tempting target for bad actors. Supply chain cyber security is now a key vulnerability.
With SCAIR®, we spend a lot of time thinking about the flow of goods across the supply chain. As companies have discovered to their cost, disruptions to seemingly small players can have big consequences. But increasingly in the last decade or so, it’s not just goods and services that flow: It’s data, too. And that produces a whole new set of vulnerabilities.
It’s not just industry worrying. It’s governments too. In January, the US government launched a new office for cyber supply chain risk management (C-SCRM) within the Cybersecurity and Infrastructure Security Agency (CISA), the United States Department of Homeland Security body responsible for strengthening cybersecurity and infrastructure protection across government.
As Shon Lyublanovits, head of the new office, noted, while some government agencies like NASA were well advanced in managing supply chain risks, others still needed help with the basics.
“I think the thing that plagues agencies the most are two things: One, where to start? And two, how do I have that conversation with my leadership?” said Lyublanovits. The issue wasn’t just a government or industry problem, she noted. It was a national one.
Others seemingly agree. Not long after CISA announced its new office, the UK’s National Cyber Security Centre, which performs some similar roles to CISA, also issued new guidance on mapping the flow of information from providers. As with the physical flows of materials and goods through the supply chain, an essential first step in managing cyber risks is mapping your connections. Organisations need to understand who their suppliers are, what they provide and how they provide it.
Just as you can’t manage what you can’t measure, you can’t protect what you can’t see.
Supply Chain Cyber Security Risk Drivers
To manage the risk, though, organisations also need to understand it. There are several drivers for the increasing interest in cyber supply chain risks – all of which have relevance to pharma businesses.
Perhaps most obvious is the increasing frequency, severity and sophistication of attacks. Ransomware alone has the potential to cost the pharmaceutical manufacturing supply chain $31 million, according to research in 2021. It’s only likely to have grown since.
It’s not simply the ubiquity of risk nor the widespread availability of sophisticated tools that even inexperienced attackers can access through resources such as the dark web: it’s the scale. Widespread reliance on common, widely used platforms means a single breach can have consequences for organisations globally. The recent SolarWinds attack – among the biggest breaches of the 21st century, affecting thousands of companies and governments worldwide – was a striking example.
It was also an illustration of the threat from not just criminals but state actors – with that attack traced to Russia’s Foreign Intelligence Service. In a period of volatile geopolitics, the risk is heightened, but it’s already not wholly unfamiliar to pharma businesses, as China’s attacks on Moderna showed.
Increasing Connectivity, Increasing Risk
There are other drivers, too. In some cases, changes have improved supply chain management but nevertheless increased potential vulnerabilities. The sprawling network of connected sensors, devices and systems on the Internet of Things, for example, has been invaluable in managing cold chain distribution. Indeed, the potential for using RFID for temperature logging of individual packets of drugs was part of the ReMediES (Reconfiguring Medicines End-To-End Supply) project.
With cheap and ubiquitous sensors, cloud computing and other devices, the availability of real-time data and potential applications have rapidly expanded. With that, though, comes the potential for data breaches and disruptions.
Similarly, connected medical devices introduce new and potentially dangerous vulnerabilities. While that risk is well recognised and managed through a regulated Quality by Design process, it cannot be entirely eliminated. Personal devices and wearables that transmit data over public networks offer perhaps even greater potential for data breaches.
In life sciences, it is not simply the amount of data now available that heightens the risk, but its sensitivity. The large amount of sensitive personal data held, such as medical records for clinical trials, makes the sector an attractive target for bad actors. Attacks that put systems or devices down, meanwhile, can have critical consequences.
As the US Health and Human Services deputy secretary has put it: “Cyberattacks are an increasing threat across all critical infrastructure sectors. For the health sector, cyberattacks are especially concerning because these attacks can directly threaten not just the security of our systems and information but also the health and safety of American patients.”
At the very least, attacks on systems have significant potential to disrupt the supply of drugs.
Back to Basics
Part of the problem for organisations is that so much is outside their control. As retailer Target showed many years ago, your own security is only as good as your suppliers’. Its massive data breach came through its heating, ventilation and air conditioning vendor: an employee there fell for a phishing trick, which ultimately enabled hackers to obtain log-in credentials for Target’s systems.
It is, in reality, often impossible to avoid providing access to third parties and suppliers. Indeed, application programming interfaces that allow systems to communicate and automate the flow of information between each other are likely to play an increasing role in bringing efficiencies to the supply chains in future. Organisations must therefore try to ensure those they deal with have robust security in place – enforcing this contractually where they can.
Even then, though, there’s an additional challenge – one of ownership. As the FDA’s revisions to its medical device cybersecurity “playbook” last November made clear, it isn’t simply an IT issue. Rather, cybersecurity requires a diverse team “including clinicians, health care technology management professionals, IT, emergency response, and risk management and facilities staff.”
Crucially, data security in the supply chain cannot be managed independently of the supply chain itself. To map connectivity, identify vulnerabilities and prioritise security, organisations need to bring the physical and digital flows together: identifying their critical suppliers, evaluating the need for access, and examining the strength of critical partners’ cybersecurity.
As with any vulnerability, understanding your cyber supply chain risk starts with gaining a clear view of the suppliers within it.
SCAIR®’s parent company, Intersys Ltd, provides cyber security services for many highly regulated sectors including bio-pharma, pharmaceuticals and life sciences.