For years we have heard warnings of cyber attacks against manufacturing processes and against infrastructure, and for years we have seen these attacks grow from theoretical to real. We have also seen many who do not know how connected these systems are say that all is well and the threat is being over stated.
We have now learned of a cyber attack that may threaten loss of life. We can’t say how costly it will be, but recent cyber attacks by malicious code against Merck have disrupted their worldwide operations, including manufacturing, research and sales ops. The attack was so bad that it made it into their corporate financial results, which we extract from below. Merck expressed confidence that they would return to routine ops soon. But they do not provide any indication that they really know if that is true.
Additionally, the CDC announced that due to Merck manufacturing delays, they expect shortages in adult Hepatitis B vaccine. Expect none to be distributed till the end of 2018.
Merck told us via a statement that:
The shortage of RECOMBIVAXHB is not related to the cyber attack. Merck is experiencing manufacturing constraints in 2017 related to the growing global demand for our vaccines and unexpected demand due to lack of competitive supply. Supply interruptions for the adult formulation of RECOMBIVAXHB began in the first quarter of 2017. Merck does not expect to be distributing RECOMBIVAXHB in the United States between now and the end of 2018.
We are security professionals, not medical professionals. But have to take Merck’s statement as true. Still, this attack clearly is bad. Many serious questions should be raised by this attack. For example, how was Merck infected? How long did it take them to notice? How long did it take them to effectively clean up the infection? Was Merck exercising best practices of cybersecurity? Or were they negligent? How quickly can they recover? What lessons can others in the pharmaceutical industry learn? What lessons can those in other industries learn?
On June 27, 2017, the company experienced a network cyber-attack that led to a disruption of its worldwide operations, including manufacturing, research and sales operations. While the company does not yet know the magnitude of the impact of the disruption, which remains ongoing in certain operations, it continues to work to minimize the effects.
The company is in the process of restoring its manufacturing operations. To date, Merck has largely restored its packaging operations and has partially restored its formulation operations. The company is in the process of restoring its Active Pharmaceutical Ingredient operations but is not yet producing bulk product. The company’s external manufacturing was not impacted. Throughout this time, Merck has continued to fulfill orders and ship product.
Merck is not currently distributing its adult Hepatitis B vaccine and does not expect to be distributing adult Hepatitis B vaccine between now and the end of 2018. Additionally, Merck anticipates that its pediatric Hepatitis B vaccine will be unavailable between early August 2017 and early 2018. Merck’s supply of the dialysis formulation of Hepatitis B vaccine, however, is not affected and is expected to remain available. GSK has sufficient supplies of adult and pediatric Hepatitis B vaccines to address these anticipated gap in Merck’s supply of adult and pediatric Hepatitis B vaccines during these time periods; however, preferences for a specific presentation (i.e., vial versus syringe) may not be met consistently during this time.