An effective quality management system is a must for biopharmaceutical firms looking to protect their data assets against hackers according to a leading cybersecurity expert.

Increasingly biopharmaceutical manufacturing relies on data.

Ensuring optimal conditions are maintained in bioreactors or that chromatography systems are functioning properly depends on monitoring systems that feed information back to control systems.

Image: iStock/stevanovicigor

Likewise, data is key to how biopharmaceutical products are tracked through packaging and distribution systems to ensure they get to the correct hospital, pharmacy or – in the case of personalized medicine – patient.

But while these systems may make manufacturing more efficient and improve product quality, they are also a potential vulnerability.

Merck & Co experience

Merck & Co was hit by hackers a few years back in attack that locked multiple IT systems, including those involved with manufacturing.

According to an SEC filing the Notpetya ransomware was able to spread between Merck’s systems and disrupt worldwide operations, including its production activities.

“Due to the cyber-attack, the Company was unable to fulfil orders for certain products in certain markets, which had an unfavorable effect on sales in 2017 of approximately $260 million.

“In addition, the Company recorded manufacturing-related expenses, primarily unfavorable manufacturing variances, in Cost of sales, as well as expenses related to remediation efforts in Selling, general and administrative expenses and Research and development expenses, which aggregated $285 million in 2017, net of insurance recoveries of approximately $45 million.

“Due to a residual backlog of orders, 2018 sales were unfavorably affected in certain markets by approximately $150 million from the cyber-attack.”

Quality management

Guarding against such attacks is vital according to Kelvin H Lee, director of the Manufacturing USA National Institute for Innovation in Manufacturing Biopharmaceuticals (NIIMBL).

“Anywhere you have an IT-based system, there is a risk. Anytime you have a person interacting with that IT system, there can be a lapse of best practices which poses risk. The need is to ensure best practices to protect against those risks.”

Lee, who served on the committee behind the new National Academies Consensus Study “Safeguarding the Bioeconomy,” says a drug firm’s ability to safeguard networked IT systems depends on the resources available.

“Larger companies have more resources and capability than small companies in this regard” he said, adding “a quality management system can help assure that the medicines that reach patients are of high quality.”