While most pharmaceutical manufacturers are applying serialization to drugs at the unit level, there are contract manufacturers that are still shipping products without any serialization at all. This has been occurring most often when products are shipped directly to dispensers like hospitals or doctor’s offices without any intermediaries (like wholesalers or 3PLs) involved that have Drug Supply Chain Security Act (DSCSA) requirements of their own.
The FDA’s mission is to leverage the DSCSA to enhance its “ability to help protect consumers from exposure to drugs that may be counterfeit, stolen, contaminated, or otherwise harmful. The system will also improve detection and removal of potentially dangerous drugs from the drug supply chain to protect U.S. consumers.” DSCSA compliance also serves as a defense from intentional efforts by organized crime and state sponsors to monetize sowing chaos and causing harm by attacking the supply chain.
This article will offer insight into the current, broader supply chain risks that parallel the challenges the FDA is seeking to address with the DSCSA, and how a more comprehensive approach can not only ensure compliance, but also verify that your supply chain partners have implemented sound cyber security practices to safeguard the confidentiality, integrity and availability of your product’s data.
Industry making progress towards DSCSA compliance
The DSCSA enhanced tracing and verification requirements are expected to be in place by November 2023, and most companies have been working hard to develop interoperability with trading partners so this data can be exchanged in a secure fashion. The GS1 US DSCSA Implementation Guidelines version 1.2 is based on global Electronic Product Code Information Services (EPCIS) standard for creating and sharing event data among the supply chain trading partners. Most organizations have ensured or are in the process of verifying that the EPCIS data can be passed and, if necessary, modified and shared due to routine supply chain procedures such as breaking down pallets for order fulfillment. GS1 is expected to release a new version 1.3 of the implementation guidelines by the end of the year. Even though guidelines exist, it allows the file formats through which this data is shared to vary from company to company, so it still is important to test your connections with trading partners to confirm interoperability.
Troubling rise in supply chain cyberattacks
The FDA’s effort to facilitate a more secure supply chain has taken years, it established different milestones across the supply chain for trading partners and continues to evolve even today as we race toward the 2023 deadline. However, while all these positive steps were being put into practice, cyberattacks on supply chains by criminals, hacktivists and state sponsors have increased at an alarming rate and threaten all the benefits derived through DSCSA compliance.
The old axiom has never been more apropos: a chain is only as strong as its weakest link. Even if your organization has a state-of-the-art cyber security program, it will not deter tenacious actors who will shift focus and attempt to breach the weakest companies and systems in your supply chain. In 2021, BlueVoyant commissioned a survey of 1,200 technology and business executives across six countries and found “93% of companies have suffered a cybersecurity breach because of weaknesses in their supply chain/third-party vendors, and 97% of companies have been negatively impacted by a cybersecurity breach that occurred in their supply chain.” In June 2021, the Cybersecurity & Infrastructure Security Agency (CISA) issued an advisory regarding the Rising Threat to Operational Technology Assets, the type of technology assets that manage the DSCSA data in your supply chain.
Vigilance required to secure drug supply chain against cyber threats
Since the methods of attack are constantly evolving and at frequencies never seen before, companies must be unceasingly vigilant about cybersecurity--internally as well as externally--in the supply chain. A reliable source of information to remain abreast of the latest threats and learn how to effectively develop or assess a supply chain partner is the National Institute of Standards and Technology (NIST). The NIST Cybersecurity Framework is a holistic, straightforward approach that includes the following functions:
- Identify – developing an organizational understanding to managing cybersecurity risk to system assets, data, and capabilities (rank risks/prioritize efforts).
- Protect – outlines appropriate safeguards to ensure delivery of critical infrastructure services (limit/contain impact).
- Detect – defines the appropriate activities to identify the occurrence of a cybersecurity event.
- Respond – appropriate activities to take action regarding a detected cybersecurity incident (contain impact).
- Recover – identifies appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.
NIST does an excellent job communicating both the high-level strategic planning required to make fact-based decisions aligned with your business, as well as the granular implementation standards, guidelines, and best practices to manage risk. Perspectives, success stories, and online learning are among the resources available that help support the community taking on these enormous challenges.
With regards to ransomware, CISA has published Ransomware Prevention Best Practices, which should be taken into consideration whenever conducting internal and external assessments. One recommendation critical to a resilient DSCSA compliant program and supply chain is “maintain separation between IT and operational technology (OT), this will help contain the impact of any intrusion affecting your organization and prevent or limit lateral movement on the part of malicious actors.” Whether you are serializing, aggregating and shipping product or primarily moving data and product through the supply chain, separating the IT and the OT architecture can be a crucial factor in mitigating the risk of a cyberattack that could potentially stop the movement of product in your supply chain.
The FDA and pharmaceutical supply chain trading partners have made great strides in working to build an interoperable system to help protect consumers from exposure to harmful drugs. Substantial time, effort, and resources have been dedicated to ensuring products and systems are DSCSA compliant. However, as the November 2023 deadline nears, it is vital that those of us entrusted with helping to construct this enhanced system take into account factors beyond mere compliance which will continue to threaten the underlying infrastructure that supports the DSCSA and the overall security of the supply chain.