A couple of months ago, when we returned from Barcelona to San Francisco, it was impossible to check in online for some reason. Then the news broke about flight disruptions due to the CrowdStrike software update! Some flights, including ours, were only a couple of hours delayed. However, many more passengers were affected even further, as some airline delays continued for weeks. We couldn’t help but think of how this might affect the pharmaceutical supply chain, not only in the physical movement of medicine but also in the disruption of data needed for GMP decision making.

In the pharmaceutical industry, where the supply of critical medicine to patients is already stressed, these types of disruptions exacerbate the situation. When a pharmaceutical company buys a service or product from a global or local supplier, the unavailability of data can have serious consequences for patients. We have been conditioned to be on the lookout for malicious cyberattacks, but are we looking out for well-intentioned software updates, such as the case with CrowdStrike? The cost of non-malicious accidents was not well understood until that fateful day, June 20, 2024. How can the pharmaceutical supply chain protect itself from non-malicious failures by third-party IT providers? If we think that the airlines’ use of Microsoft and CrowdStrike is unrelated, consider how many commercial systems are developed, managed, and deployed by local and global third-party providers. Additionally, pharmaceutical companies frequently buy critical components from single-source third-party vendors that make well-intentioned process updates to their own systems. Let’s explore how to best prevent failures in the future.

If you are a third-party supplier of a key component:

  • Ensure that you have a robust change-control procedure, even for non-GMP business systems.
  • Perform thorough testing before releasing product to your customer. The testing must include cases for all critical data such as COAs, purchase orders, and network connectivity.
  • Communicate all process changes in advance per the quality or contractual agreement established with your customer.
  • Alert your customers that testing or deployment is taking place to ensure a heightened sense of awareness or readiness of IT continuity plans.

These are all valid applications of ICH Q9 “thinking” as described by ICH Q10, Section 2.7, which states that “to assure the control of outsourced activities… processes should incorporate quality risk management and include… Defining the responsibilities and communication processes for quality-related activities of the involved parties. For outsourced activities, this should be included in a written agreement between the contract giver and contract acceptor.”

However, bad things happen. If you are a pharmaceutical company and you are affected, ensure that your QMS is designed to perform:

  • an appropriate investigation to assess potential product impact;
  • adequate testing for incoming materials; and
  • adequate testing for the final material produced. The test methods should be robust enough to catch any minor changes in the product’s profile.

Remember, “the buck stops here.” You are ultimately responsible for ensuring the safety and quality of all product produced at your facility. Per ICH Q10, Section 2.7, “The pharmaceutical company is ultimately responsible to ensure processes are in place to assure the control of outsourced activities and quality of purchased materials.”

The scenario described above also extends to other areas of the pharmaceutical industry, where electronic quality or document management systems might be affected if a global service provider that hosts data on a cloud server is hit by a cybercrime. Read this blog by Lachman regarding such situations, which emphasizes the importance of a Business Continuity Plan. Remember that some computer systems (e.g., Linux and Mac) were not affected by the CrowdStrike update. So, somebody was doing something right! If you want to ensure that your supplier quality management is risk-free and would like to perform an assessment, please contact Lachman Consultants at lcs@lachmanconsultants.com.