If you are responsible for data integrity at your company and you limit your thinking to Critical Process Parameters (CPPs) and Critical Quality Attributes (CQAs), you may be creating your own vulnerability. For too long, the "unloved" business continuity plan has been a paper exercise rather than a genuine investment in protecting a real company asset: data.
While the industry strained to keep operating during COVID, remote connectivity grew rapidly in both volume and maturity. At the same time, the pharmaceutical industry seemed unprepared for the cyberattacks on several pharma companies and on the European Medicines Agency (EMA) (Pharma cyber attacks: Five breaches that the industry must learn from). Attacks on manufacturing equipment still seemed a distant prospect, despite well-documented weaknesses in industrial controls, such as the Stuxnet PLC malware that sabotaged uranium-enrichment centrifuges in Iran (The Real Story of Stuxnet). There is still stiff resistance to extending the protection of data to the industrial controls themselves, such as PLCs and HMIs. The predicate rule (21 CFR 211.68(b)) is very much alive and well, yet it tends to get lost when the concepts of data integrity are applied. In addition, government bodies have published significant guidance that identifies and sharpens their focus on cybersecurity, such as:
- Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions | FDA (September 2023)
- Industrial Control Systems | Cybersecurity and Infrastructure Security Agency (CISA)
- SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies | U.S. Securities and Exchange Commission
However, if your company has been subject to a cyberattack, laws, regulations, and guidances aren’t needed to make you pay attention. So, the question is “how” to monitor and control the threats.
In a well-constructed data governance program, checks and monitoring should not be limited to typical "IT systems" and the cloud; they should also cover the industrial controls that make the equipment move, sequence, and dose the correct amounts of product. Monitoring credible vulnerability sources, such as the CISA advisories, gives that effort focus (for example, the industrial control advisories released on October 17, 2023 (here)). Once an organization tracks sources like this, the data in its Computerized Maintenance Management System (CMMS) becomes highly valuable: matching an advisory's affected vendor, product, and firmware versions against the CMMS equipment records shows which PLCs, HMIs, and drives on the floor are actually exposed, and which of them directly control a CPP or record a CQA.
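The cross-check described above, written out as an added example (this is illustrative code, not Lachman's or CISA's own tooling). The advisory feed, the vendor and product names, the advisory identifiers, and the CMMS export are all constructed for the example; a real implementation would read the CISA advisory feed and the CMMS export, but the matching logic, which normalizes free-text vendor and product fields and compares firmware versions numerically so that "2.10.0" is correctly seen as newer than "2.9.9", is the part a data-governance team needs to get right.

```python
"""Cross-reference ICS vulnerability advisories with a CMMS asset inventory.

Added example: the advisories, vendors, products and asset records below are
constructed for illustration. They are not real CISA advisories or a real
plant inventory.
"""
from dataclasses import dataclass


def parse_version(text: str) -> tuple:
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # constructed identifier, not a real CISA advisory number
    vendor: str
    product: str
    fixed_in: str      # first firmware version that is no longer affected
    summary: str


@dataclass(frozen=True)
class Asset:
    tag: str           # CMMS equipment tag
    vendor: str
    product: str
    firmware: str
    gmp_impact: str    # 'direct' if it controls a CPP or records a CQA, else 'indirect'


# Constructed advisory feed (hypothetical vendors and products)
ADVISORIES = [
    Advisory("ADV-0001", "ExampleAutomation", "PLC-500", "2.4.1", "unauthenticated firmware upload"),
    Advisory("ADV-0002", "ExampleAutomation", "HMI-Panel", "7.0.0", "hard-coded credentials"),
    Advisory("ADV-0003", "OtherVendor", "Drive-X", "1.2.0", "denial of service"),
]

# Constructed CMMS export; note the inconsistent spacing and case typical of free-text fields
ASSETS = [
    Asset("PLC-FILL-01", "ExampleAutomation", "PLC-500", "2.3.9", "direct"),
    Asset("PLC-FILL-02", "exampleautomation", "plc-500", "2.4.1", "direct"),
    Asset("HMI-GRAN-01", "ExampleAutomation ", " HMI-Panel", "6.5.2", "direct"),
    Asset("HMI-WASH-01", "ExampleAutomation", "HMI-Panel", "7.1.0", "indirect"),
    Asset("DRV-MIX-03", "OtherVendor", "Drive-X", "1.1.4", "indirect"),
]


def normalize(text: str) -> str:
    """CMMS vendor/product fields are free text; normalize case and whitespace before matching."""
    return " ".join(text.strip().lower().split())


def affected_assets(advisories, assets):
    """Return (advisory, asset) pairs where the asset runs a firmware version below the fix."""
    hits = []
    for adv in advisories:
        fixed = parse_version(adv.fixed_in)
        for asset in assets:
            same_product = (normalize(asset.vendor) == normalize(adv.vendor)
                            and normalize(asset.product) == normalize(adv.product))
            if same_product and parse_version(asset.firmware) < fixed:
                hits.append((adv, asset))
    # Equipment with direct GMP impact first, so the review starts where data integrity is at stake
    hits.sort(key=lambda pair: (pair[1].gmp_impact != "direct", pair[0].advisory_id, pair[1].tag))
    return hits


def impact_report(advisories=ADVISORIES, assets=ASSETS):
    """One line per affected asset, ready for the data-governance review."""
    lines = []
    for adv, asset in affected_assets(advisories, assets):
        lines.append(f"{asset.tag}: {adv.advisory_id} ({adv.summary}) "
                     f"firmware {asset.firmware} < {adv.fixed_in}, GMP impact {asset.gmp_impact}")
    return lines


if __name__ == "__main__":
    for line in impact_report():
        print(line)
```

In the constructed data, PLC-FILL-02 and HMI-WASH-01 are already at or above the fixed version and drop out, while the three remaining assets are listed with the direct-impact filling PLC and granulation HMI ahead of the mixer drive. The version comparison is the usual trap: comparing firmware strings lexically would rank "2.10.0" below "2.9.9" and silently miss affected equipment, which is why the example parses versions into integer tuples first.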
Lachman Consultants is highly skilled in discovering these types of data integrity vulnerabilities in a company’s data governance program, regardless of the perceived maturity. Other recommended reading is Lachman’s blog on data risks and third-party service providers (here).