How to conduct a cybersecurity audit on your pharma supply chain


Drug manufacturers, wholesale distributors and pharmacies stepped up during the COVID-19 pandemic to preserve supply chain integrity. They were very particular about quality because the stakes were incredibly high. While putting in that much effort during such a trying time is commendable, they can’t relax yet.

As the world has tried to return to normal, in-person auditing has become standard again. Most companies haven’t relaxed their quality or confidentiality standards. However, the temptation to do so exists. With cyberattacks on the rise, due diligence is more important than ever. How should pharmaceutical professionals audit their supply chains?

Common cyberthreats in the pharma supply chain

The pharmaceutical sector is prone to supply chain cyberattacks because it holds large amounts of valuable data. Protected health information (PHI) sells for up to $185 per record, and regular personally identifiable information goes for $164 on average. By comparison, seemingly valuable information like credit card numbers and contact details rarely reaches double-digit value.

Moreover, the threat of unplanned downtime is more severe because the supply chain’s interconnectedness facilitates the spread of malware. For instance, in the infamous SolarWinds attack of 2020, a single threat group compromised up to 18,000 businesses by targeting one shared software provider.

Supply chains have many moving parts and lack comprehensive visibility. Threat actors can easily slip in unnoticed. If they choose their target strategically, they can cause extensive damage. Pharmaceutical products in the cold chain may expire or degrade unless companies comply with attackers’ demands.

Such shortages are already an issue, so professionals may have little bargaining power. According to the Office of the Assistant Secretary for Planning and Evaluation, drug scarcity affected approximately 18% of the population — 38.8 million people — in Fall 2023. Nearly 50% of those impacted stopped or delayed using their prescriptions or over-the-counter medications.

Even if pharmacies prepare for cyberthreats, their vendors, service providers, business partners, and subcontractors may not. Further, many still operate legacy systems with known vulnerabilities or incompatibilities, rendering the latest security measures useless.

Cyberattacks targeting the pharmaceutical sector often result in unplanned downtime, data loss, and legal repercussions. Businesses aren’t the only ones affected. According to one survey, 57% of medical facilities experience poor patient outcomes after such attacks. Heightened readmission rates, delayed treatment, and increased mortality rates are common.

The main phases of a supply chain cybersecurity audit

Pharmaceutical professionals should follow the main cybersecurity audit phases to ensure their supply chains remain resilient.

1. Determine the audit’s scope

Auditing pharmaceutical supply chains down to every last employee and pallet would be ideal, but is logistically impractical. Decision-makers should narrow their scope by cataloguing their relevant hardware, network infrastructure, and information assets.

2. Assign categorical risk levels

What assets will cybercriminals target first? Which third party is most vulnerable to external cyberthreats? To understand and prioritise incident response processes, leaders must assign risk levels to all their vendors and each component of their tech stack.

3. Appoint reputable auditors

Insider threats often come from the person management least expects. Whether companies source auditors internally or fill the position with a third-party service provider, they must vet the individual’s credentials to maintain the audit’s integrity.

4. Evaluate defense effectiveness

Pharmaceutical professionals can determine the effectiveness of their supply chain’s security measures in several ways. Penetration testing simulates a cyberattack or breach to identify gaps in the network, hardware, and software defenses.

Purple team exercises are similar, but involve pitting a simulated cyberattacker against internal information technology professionals. This approach reveals the effectiveness of employee training and incident response procedures.

5. Review and act on findings

What is the point of a test if the person in charge doesn’t assign a grade? Acting on findings is just as essential as conducting the audit in the first place. Decision-makers must determine how to change or upgrade their systems and teams to address security gaps.

Tips for conducting supply chain cybersecurity audits

Leaders shouldn’t assume cyberattacks and breaches are less likely because they trust their vendors. Even those considered low risk are still vulnerable to insider threats and vulnerability exploits, since cybercriminals constantly evolve. Spreading their audits further apart is okay, but the investigations and tests shouldn’t be less involved.

Testing on-site is important because physical defenses are tied to network and data security. Unfortunately, in-person audits are often impractical. The White House reports that 87% of generic advanced pharmaceutical ingredient facilities were located overseas in 2021. While offshoring has saved the healthcare sector trillions since 2010, it adversely affects visibility.

If decision-makers can’t direct auditors to visit critical supply chain points in person, they must adapt. They should leverage best practices from the COVID-19 pandemic when most drugmakers and pharmacies were forced to audit remotely.

While the frequency of these evaluations is typically periodic, some events require additional scrutiny. For instance, since mergers and acquisitions combine resources, teams, and suppliers, both parties should verify each other’s integrity. Geopolitical events and data breaches may also necessitate sudden audits.

The last thing pharmaceutical professionals must consider is avoiding vendor lock-in. Even though managing multiple third parties can be complicated, the alternative is even more challenging. Having to stay with — and compensate for — a provider after non-compliance can be time-consuming and expensive.

Pharmaceutical professionals must remain vigilant

Drug scarcity and healthcare cyberattacks make the pharmaceutical supply chain a valuable target for threat actors. Even though professionals have outdone themselves to maintain integrity and security during the pandemic, they must remain vigilant to safeguard their business reputations and patients.

Zac Amos