Pharmaceutical companies have long relied on a complex supply chain to bring products to market. And in recent years, more companies have turned to contract manufacturing organizations (CMOs) for both active pharmaceutical ingredients (APIs) and finished drug formulations (FDFs).
Using contract manufacturers enables pharmaceutical companies to focus on their core competencies, minimize capital expenditures and improve manufacturing agility. But in today’s world of heightened cybersecurity threats, extending manufacturing to external resources introduces additional risk if appropriate safeguards are not in place.
Indeed, pharmaceutical companies are well aware that a security breach can be far-reaching and compromise recipe formulation, quality control, intellectual property, productivity and more. Cyber risk intensifies if integration of a contract manufacturer’s assets with the pharmaceutical company’s main network is allowed.
For pharmaceutical companies, the critical question is: How do I maintain a flexible supply chain – and mitigate cybersecurity risk – when manufacturing extends beyond my walls?
A Secure Supply Chain Starts at Home – and Encompasses All Partners
Of course, for any pharmaceutical company, the first link in a cyber-secure supply chain is their own infrastructure and core manufacturing sites. Internally, companies must take a risk-based approach to cybersecurity that follows global best practices, identifies priorities, and applies technologies, policies and procedures based on a defense-in-depth strategy.
Through a risk assessment, the pharmaceutical company will also establish the security level required for any contracted process.
The next hurdle is determining if the CMOs being considered share the pharmaceutical company’s cybersecurity posture – and apply the same level of rigor. Again, a cybersecurity risk assessment is the best way to assess the CMO’s security posture and achieve this goal. Ideally, the assessment should be conducted at the contract manufacturer’s site before any agreement is formalized.
Beyond defining a CMO’s overall security posture, an assessment will also identify gaps that could expose pharmaceutical business assets to risk. The pharmaceutical company next determines what solutions will mitigate that risk and adequately isolate the CMO’s system from their own – while still retaining visibility to critical processes or information. Appropriate solutions include network segmentation, purpose-built firewalls, secure remote access, security zones and other technologies.
Maintaining Compliance with Security Standards
Ultimately, the pharmaceutical company and the contract manufacturer must agree on the security standards to be followed. But as we all know, agreeing to standards and maintaining compliance with them can be two very different things.
Therefore, a risk-based approach to supply chain cybersecurity must extend to CMO system design, deployment and monitoring – and to the ownership of the manufacturing assets and information infrastructure. A pharmaceutical company has three choices when it comes to ownership, each with a different degree of associated risk:
- CMO owns the manufacturing assets and information infrastructure. This approach requires the lowest capital expenditure. But it also relies on the CMO having the expertise to maintain the appropriate security posture with limited oversight.
- CMO owns the manufacturing assets, while the pharmaceutical company retains ownership of the information infrastructure. This option minimizes capital expense by taking advantage of production assets in place. However, the pharmaceutical company retains ownership and management of the infrastructure, which is typically deployed via an industrial data center on a segmented network.
- Pharmaceutical company retains ownership of production assets and information infrastructure. In this scenario, the pharmaceutical company incurs higher capital costs but gains a higher level of security assurance. The CMO provides only the production space and personnel to run the equipment.
The Infrastructure-as-a-Service (IaaS) Advantage
A pharmaceutical company may determine that retaining ownership of the information infrastructure is the prudent choice for a wide range of CMO applications. However, deploying and monitoring a secure infrastructure across multiple contract manufacturing sites can prove challenging.
First and foremost, internal organizations charged with CMO management have limited resources at their disposal. Calling on corporate IT, which is dedicated to core manufacturing and enterprise systems, is typically not an option. Companies simply do not have the bandwidth internally to assume responsibility for dozens – or hundreds – of contract manufacturing sites.
Outsourcing infrastructure deployment and monitoring to a third party can be an efficient, cost-effective option. An Infrastructure-as-a-Service (IaaS) provider can deliver a unified architecture – and a standard and validated deployment with common services – to multiple contract manufacturing sites worldwide.
Typical engagements include quarterly reporting and service level agreements stipulating response times for issues and anomalies ranging from network or infrastructure outages to cybersecurity breaches.