Disasters, both natural and manmade, wreaked havoc on pharma supply chains this year, exposing vulnerabilities and costing the industry hundreds of millions, if not billions, of dollars.
Hurricanes took out power and plants in Puerto Rico, creating or exacerbating shortages of IV products that drugmakers, hospitals and the FDA will be dealing with well into next year, if not longer. Less visible but much more sinister was the cyberattack that managed to penetrate systems at Merck & Co., affecting manufacturing and other systems.
Experts say both kinds of threats are only going to get worse.
Drugmakers have always had to prepare for and deal with serious weather-related impacts, but evidence shows they are getting more prevalent and more severe. According to The Economist, the number of disasters worldwide has more than quadrupled since 1970 to about 400 a year. Some of those, like hurricanes, can be forecast and tracked, but that doesn’t mean they won’t still wreak havoc.
Hurricanes Irma and Maria were two of the worst to hit the Caribbean. Puerto Rico, which had lured drugmakers over the years with tax advantages, is home to more than 40 drug manufacturers. And while they have contingency plans, moving product off the island ahead of storms, and backup generators for power, they couldn’t prepare for the fact that Puerto Rico’s power grid would be left in ruins, the government would be struggling to respond, employees would be trying to salvage their homes and communications on all fronts would be nil.
Some natural disasters, like earthquakes, don’t follow seasons and can’t be tracked. They just happen. According to a study recently reported by Time Magazine, 2018 is shaping up to be a particularly serious year for quakes.
The FDA pointed out that the Federal Food, Drug, and Cosmetic Act does not include a specific provision giving the agency the authority to require a contingency plan for preventing drug shortages if a facility goes offline, regardless of the cause.
Some events have nothing to do with weather or geography. Merck was the only drugmaker to publicly acknowledge that it had not adequately protected its computer systems and was a victim of the Petya cyberattack in June. The attack took out its API manufacturing and affected its formulation and packaging systems, as well as areas outside of manufacturing. Dealing with the attack cost Merck $300 million in lost sales and expenses in the third quarter. It anticipates a similar hit in the fourth quarter.
In a statement, Merck said that after six months, its production systems are nearly back to pre-attack performance.
"Other than our sites in Puerto Rico, most of our manufacturing sites are now largely operational, meaning that we are manufacturing active pharmaceutical ingredient (API), formulating products and packing and shipping product," it said. It did caution there may still be some delays in fulfilling orders as it continues to build supplies.
Merck CEO Kenneth Frazier called the attack “an isolated but meaningful cyber incident.”
But experts said that, having had some success with the ransomware attacks, hackers are hard at work on new, devastating ways of getting into industry systems.
“Expect this trend to continue in 2018,” industrial cybersecurity firm Indegy recently reported in its 2018 predictions. It pointed out that while the disruption caused by ransomware to industrial organizations in 2017 didn’t directly affect the automation controllers, “we expect that a new, more damaging type of ransomware will specifically target controllers” in 2018. The company said a university has already figured out how that can be done, and so cybercriminals will be close behind.
And if those threats were not enough to keep pharma executives up at night, Indegy also offered the chilling observation that North Korea “has quietly developed a cyber army capable of unleashing attacks against critical infrastructures that could have global implications.”