Sub-Tier Visibility for Medical Devices

Jan 17, 2023

More than half of supply chain disruptions occur in Tier 2 or lower, but only 2% of companies have visibility beyond Tier 2. Suppliers multiply exponentially beyond Tier 2, making manual monitoring and risk management impossible. For patient-critical products, you need to understand the impact of any supplier disruption immediately. But how can you define and monitor such a large network? 

In this session, we share insights from digitally mapping and analyzing the world’s largest medical supply chains, and how your company can quickly gain full sub-tier visibility. See how you can anticipate disruption to stay a step ahead of risk, keep production on schedule, and deliver to patients. 

Ulf Venne, VP of Enablement at Everstream Analytics


Ulf Venne

Leader Center of Excellence


Mirko Woitzik

Director, Intelligence Solutions


Speaker 1: 

Hi everyone, and thanks for joining our webinar today. We’re going to give folks a little more time to log on and then we’ll get started. 

Lauren McKinley: 

Hello everyone, and welcome to our session today, Sub Tier Visibility for Medical Devices. My name is Lauren McKinley and I’m joined today by my colleagues at Everstream, Ulf and Mirko. Before we get started, I have just a couple of quick housekeeping items. All of our attendees are muted, but please send questions at any time in the question toolbox in the upper corner of the GoToWebinar window. You can close any extra windows to prevent buffering. We are also recording this webinar and we’ll email it to everyone within 24 hours after the session concludes. With that, let’s get started. 

Today our presenters are Mirko and Ulf. Ulf leads the center of excellence at Everstream, partnering with our global client network to standardize end-to-end best practices for company-wide supply chain risk management adoption and offers strategic advice on planning, decision-making and execution. Ulf has authored several articles and white papers on risk and resilience tools and methodologies, been published in numerous books and magazines, and declares himself our resident supply chain thought memer. So make sure you connect with Ulf for timely and very entertaining supply chain information. 

Mirko leads our global intelligence solutions team here at Everstream, with a team of over 20 analysts who monitor sources around the world to gather relevant intelligence on events that can potentially impact our client’s global supply chains and produce customized intelligence reporting. Recently, Mirko and the team partnered with the World Economic Forum on the Renew Global Value Chain Risk Barometer and his team’s insights are often featured in CNBC, Forbes and more. 

With that, I will turn it over to Ulf, who will take us through the first part of our agenda around visibility in the medical technology space and the importance for sub tier visibility. We’ll talk about an analysis of global sub-tier networks here at Everstream Analytics. Then we’ll talk about how the top performing medical device companies incorporate risk and visibility into their processes. With that, take it away, Ulf. 

Ulf Venne: 

Perfect. Hello everyone. Hope you’re doing fine today. So we wanted to talk a little bit about the medical device sector and we wanted to start with what is the value of managing supply chain risk? There’s a great study for McKinsey that talks about that a company in medical device typically within 10 years loses 38% of one year’s earning in case of an attack, in case of a disruption. That is obviously a lot of money that comes to play, so it can be hundreds of millions very easily, but it’s not only about the value, it’s a lot about patient safety as well. So while value and monetary aspects are important, it’s also a lot about can we protect our customers. It’s about patient’s life, right? 

So for 2023, after having seen massive disruptions over the last two years, we believe there’s still a lot of potential for big supply chain disruptions due to coming and looming trends. That actually starts with the planning phase where we see a lot of volatility because of first, a lot of the previous historical data is now skewed due to Covid and these massive pivots we have seen in the industry to all of a sudden focus portfolios on Covid related materials and then focusing back on what you normally produce. We see products that are new. Wearables are taking over the market and the general spend of healthcare is going down. 

If you just look at the planning side, because there’s a lot of volatility, it’s already hard to prepare your supply chain in general for the right amounts that you need to produce. So any ripple effects of smaller disruptions will greatly impact your ability to deliver. We see a couple of key new trends rising. 

First of all, it’s cyber risk. Cyber risk is really something we see a lot in this space right now. Everybody’s talking about it because cyber risks in general are increasing. That will be one of the trends we will focus on one of our next slides. Same with nearshoring, reshoring and supply chain sustainability. 

We will today not cover obsolescence management or the stability of China or the air freight volatility. If you want to see all of that, we will soon have a new report on the medical device that you can download from our homepage. The easiest way to get updates from us is to follow our LinkedIn feed for Everstream Analytics. So if we go to the next slide. 

What I’m going to do now is I’m going to go through the three key trends I previously showed. We will talk about this in light of some external studies, but also some of our own insights that we gathered through combining risks and sub tier visibility that we generate by AI through Everstream Discover and generate unique insights for you. We are using 500 global medical device companies for which we use for this research. It’s sub tier mapping that includes tier two and tier three suppliers. It’s important to understand that we don’t only do it in a generic way, but we have the locations, materials, all of that is included. Yeah, you will see that it fits very nicely to the general trends that we see in 2023. We just move over to the next slide I would say. 

So let’s start with the cybersecurity. As you can see, 44% of top executives are saying cybersecurity is one of the biggest business risks. That’s not only for medical device, but in general. Everybody sees that, but we know that there’s, right now, a very big focus from these hackers to attack medical device companies. So you should even watch out more. So important is that it’s not only about you, yourself and your product, but also we see that more and more suppliers are taken out and don’t have the ability to deliver to you because of vulnerabilities or one of their components that goes into your product might have a vulnerability. So all of that needs to be managed and tracked. We are obviously generating alerts on this and have side risk course, but we come to that at the end. 

Important for now is the key factors, ransomware attacks are still the most dominant way of supply chain attacks and also there are a lot of data breaches still happening. Important also for medical device, you have the countries like US, Germany, Taiwan and Japan being heavily affected by cyber attacks recently. Then with especially US and Germany, you have really household names when it comes to the production of medical devices. So going to the next slide. 

Yeah, reshoring, a big trend, especially for the medical device industry. So what we see is that, right now, 80% of executives want to reshore again their production. If you look in comparison, in the heights of Covid, it was only 54%. So a lot of things have changed within one year. First of all, the general scheme of, hey, we want to have our assets next to us so we can access our resources very quickly, that’s getting more and more important and people have a better awareness that buffering within your own soil seems to be highly important, sorry. 

Then obviously a lot of medical devices, especially in the sub tiers are produced in China. 26% of all severe incidents that we saw in the medical device industry, especially in the sub tiers originated from China. So that’s actually a quite substantial amount. Then you have a lot of incentives to reshore again, like the US has with the Biden supply chain program. 

So we have a lot of different reasons. First of all, it’s a volatility in China, plus the incentives you get maybe from your own region to nearshore again as a medical device company. So yeah, that’s why it’s such a big trend. Obviously once you reshore, you also have to reassess your whole network again and do risk assessment properly because what you want to avoid is that you reshore and then all of a sudden have sustainability issues because you move into an unknown territory closer to you, but still maybe unknown to you previously. 

So what we’ve seen in sustainability in general is that there are a lot of environmental concerns in the medical device industry. Also, obviously you’re affected by all the, right now, ongoing regulations. Might be UFLPA, might be the EU Supply Chain Act that is coming up or the German Supply Chain Act that already went into practice 17 days ago. Then FDA also said after reducing the amount of inspections they did in the heights of Covid, they’re now going to just ramp up inspections again very seriously. That can also uncover a lot of sustainability issues in certain regions of the world. 

Then as you see, Everstream Discover showed us that 37% of materials that we identified in the sub tier for medical devices are actually plastic suppliers. Plastic is obviously a commodity that first has environmental concerns. Second, also is heavily produced in the Xinjiang province with PE and PP, and that obviously is something that needs to be managed because you want to avoid that one of your products has plastic from Xinjiang province in it and now you cannot import it into the US again due to UFLPA. 

Yeah, so these are the key trends that we wanted to highlight. How you deal with these key trends, we do in a minute, but before, we wanted to show you an executive briefing that we do for our medical device customers and Mirko’s going to do that. 

Mirko Woitzik: 

Thank you all. Yeah. For this webinar, we’ve taken a bird’s eye view at our own incident data at Everstream Analytics, specifically incidents that are impacting or have been impacting the medical device industry across the globe over the past 12 months. What we’ve seen is that the top countries that have really been impacted by disruptions in the medical technology manufacturing industry, but also in logistics operations that are very important to the industry are really the US, the UK, Germany, and China, but everyone has been sort of impacted in a different way. The disruptions have differed slightly. 

For example, in the US there have been a disproportionately high volume of drug safety regulatory issues. Much over half of the total industry related incidents are related to FDA warning letters, recalls or other regulatory action in the US. Whereas if you look at the UK, all but one quarter of industry incidents were actually related to the risk of insolvency and bankruptcy filings when it comes to the MedTech industry. 

In China, by contrast, you see obviously throughout 2022, Covid 19 related lockdowns and what we see now, labor challenges at the end of the year. Also, sort of labor absenteeism because of Covid sickness have caused widespread production outages all across the industry landscape in China, but also obviously the medical device industry has not been spared. Most recently workers at the factory of Zybio Inc. in Chongqing have actually disrupted operations there following a protest and subsequent layoffs because of financial issues. The company makes Covid 19 rapid antigen test kits that are distributed globally and has really suffered, especially with the recent Covid 19 policy change in China, just as an example. 

In Germany, the MedTech industry has experienced a disruption in each of these risk categories as well, but the trend here that is really gaining prominence is that of cyber vulnerabilities and cyber risk and cyber attacks, as Ulf has mentioned before. That has crept up to now account for 15% of all MedTech industry related incidents in the past year. Not even six weeks ago, there was a globally active maker of precision endoscopic instruments, Richard Wolf GmbH, which is headquartered in Germany, but it is also manufacturing in the US, in the UK and India. They were hit by a ransomware attack that affected the company’s IT systems for more than 10 days, just as one recent example of the industry. 

In the next slide, we’ll take a closer look at how cyber vulnerabilities also pose a growing risk to the entire industry, not only in Germany but elsewhere. We see, like most other industries, obviously the medical device industry is at a growing risk when it comes to sort of cyber and ransomware attacks, but especially the reasoning behind it is that obviously the high value of customer data and the premise of customer care as Ulf had mentioned, but also the great intellectual property related to medical research and innovation. 

We’ve looked at our data and really tried to highlight here in a cross-industry analysis of different types of cyber attacks over the past year. What sort of stands out is that the medical device industry has almost an equal share between ransomware attacks and data breaches in contrast to other industries, right? Data breaches are really about getting the value of the data out without necessarily wanting to hold the company to ransom, which sometimes works, sometimes doesn’t. That’s really in contrast to other industries, such as industrial manufacturing or automotive, which are primarily targeted by all disruptive ransomware attacks. Furthermore, our incident data here at Everstream shows that 86% of all cyber incidents actually had a moderate or severe impact. So they were quite impactful in their sort of scope and sort of disruptive ability on the affected facility. Most incidents actually impacted suppliers located in the Americas region. However, at almost 30% the EMEA region is proving itself also at an increasing risk of such disruptions. 

Medical devices are in particular often seen as easy targets for cyber infiltration because of the lack of security mechanisms. They’re sort of embedded in these devices historically and also obviously for the need for remote communication between patients and providers. If we look at our data and sort of the components that have been produced by most of the impacted manufacturers in the medical device industry in 2022, two actually stand out. One is sort of general diagnostic devices and the second one is insulin pumps that have been most in focus for cyber attacks throughout last year. 

This is just one aspect. You have to look at it also not only from a short term but also from a long-term perspective, what are sort of risks that are sort of creeping up around the world and have the potential to impact the industry. As part of our regular intelligence briefings with our MedTech customers, we typically look at not only the most pressing high impact supply chain disruptions that are currently ongoing for the industry, but also at the medium and long term impact and sort of risks. We receive regular feedback on what supply chain disruptions they are mostly impacted by or concerned with and sort of refine our sort of incident coverage accordingly. 

If we look at the short term, the industry definitely stands most at risk of ongoing production challenges at key material suppliers. Whether that’s in China because of the ongoing workforce absenteeism in light of the Covid 19 sort of infections that are sort of ravaging across China in an uncontrolled manner, but also in Europe because of the still elevated energy costs that are likely to remain probably very high throughout the year. Energy supplies could again be at risk when the next winter season comes around. 

In the long term, however, we see an increased risk of quality issues. At the supplier level particularly, if we look at from a US perspective, mainly abroad because of the lack of regulatory inspections. For example, by the FDA, but also other drug agencies over the last three years amid the ongoing Covid 19 pandemic. In 2022, and as you can see here on the right-hand side, four out of five inspections actually by the FDA took place at MedTech or pharma suppliers that have either never or have not been inspected for the last five years, which again, data here highlighting the complete lack of regulatory oversight under which suppliers were able to operate recently. 

On the other hand, we also see a potential threat for the MedTech industry coming from soon to be updated Environmental Protection Agency regulations that are related to the permitted level of ethylene oxide emissions at sterilization facilities across the US. Ethylene oxide is used to sterilize about 20 million medical devices in the US every year and is sometimes the only option available to do that. The EPA was supposed to update its regulations by the end of 2022. That has now been pushed to 2023 but has recently identified sterilization facilities in 23 cities across the US, including in Puerto Rico, where ethylene oxide may be contributing to a higher risk of cancer in the surrounding areas where these facilities are. What we expect in terms of risk analysis is that once these regulations are updated, that there’s a higher risk of city or state level action against companies exceeding the permitted levels, especially in states that are more concerned about emissions, such as California. 

At the same time we also see that the EPA has been starting an outreach campaign with the local communities informing them of the risks posed by ethylene oxide in these cities that have identified, that have these facilities. So there’s an increasing risk as well that the community will focus on the impacts and that local population will sort of develop protest movements against these and sort of force city or state level regulators to sort of intervene. We are seeing this at the moment already in South Memphis. There’s a lot of focus by the local population on a facility run by Sterilization Services of Tennessee that has also been picked up by a lot of media coverage recently. So there’s the potential that here already a more sort of local protest movement will build against the plant and sort of force regulators to intervene. 

So with these insights on sort of short and long-term risks that we generally derive from our incident data and sort of brief our customers with, I hand it back over to Ulf, who will now talk about what companies can actually or you can do to get ahead of such risks in your sub tier supply chain. 

Ulf Venne: 

Yeah. Now we want to talk a little bit about what it is that you can do. The first thing is obviously, it is very hard for a lot of companies to acquire sub tier visibility that is fairly needed, especially if you focus on cyber risks, component material risk for cyber or sustainability issues and therefore Discover, our automated way of leveraging AI, acquiring sub tier data, can help you. You see here some of the numbers that actually perfectly show you why automation and AI is needed for addressing the issue. 

When you start with 29 suppliers, this is an example from a real MedTech company, medical device company. You come from 29 suppliers. In tier two, you already have 212 suppliers. Tier three, you go to 1,766 suppliers and then tier four, you end up with 13,876 suppliers. Acquiring this data is one thing, making sense out of it is another which we do with risk management, but one thing that this should show you is surveys is not the answer. You have to do it in an automated way. 

So how we generally work with customers is we start with technical risk management, which helps them to go from being super reactive to proactive using predictive insights. Then they can use our sustainability and other risk scores in Explore to really reshape their network so they can make sense out of is this the right supplier for me? Do I want to onboard this supplier? Or if we come to the offboarding and reshoring, which of my supplier portfolio right now has a higher risk for me from a sustainability or from a general risk perspective or both? Which of those should I prioritize to find a reshore alternative? 

Then we come to the sub tiers, which obviously then helps you a lot with the regulations that are at hand and understanding where maybe, if at one point we will have to track scope three emissions, this is a great start. Very important is before we were doing this one by one, now that we started looking into with best practices from other sectors, building up a concept called the Supply Chain Risk Management Center of Excellence, we can enable you to really fit very quickly your processes, your organization and the technology together so you can essentially tackle all three problems at the same time. 

So moving to the next slide. Here are some examples from our system, how it can look like. This is now Explorer, which is our risk assessment module. You see here, on the left side, you see 30 risk scores that are prepopulated by us coming from natural disasters to sustainability to social political issues. On the right side, you can add your own scores or we can add partner scores. We chose here, because of the cyber risk as being a looming threat for medical device, we wanted to highlight here that we have partners to add cyber risk into your assessment and all of that will be automated. It’s not a big problem for you. It will make your life so much easier in assessing new suppliers or evaluating your existing suppliers where you have to take some action strategically. 

Then another thing that we wanted to highlight is this is what we call Reveal, which is essentially our alert functionality. All the good data that you heard from Mirko today essentially stems out of this module because he’s populating these alerts with his team. Here again, we highlighted cyber risk that essentially is a ransomware attack in this case. The reason again is because it’s just the most prominent risk right now in the medical device sector. You also see weather risks or you see a ship on the bottom right of the screen and that’s for things like port congestion. While it’s not a very predominant way of delivering freight in the medical device industry, it is still used quite a lot. So it’s still good to have those, but obviously we cover a lot of air freight and road freight movements as well. So with that, we want to open for questions. Lauren, over to you. 

Lauren McKinley: 

Great, thank you Ulf and Mirko. Again, if you’d like more in-depth coverage on some of the other trends and some of the predictions kind of moving forward for 2023 and industry insights, please reach out to us. Mirko and Ulf deliver these insights on a regular basis to our clients, which is important and we love to receive feedback and create content together. So thank you all for your engagement and time today. I see a couple of questions in. Please keep them coming if you have any additional questions. All right. The first question is around ESG. Are there medical device manufacturers opening to the public their supplier list for ESG reasons? 

Ulf Venne: 

So I have not seen that yet. We just see that there’s a massive demand for getting more information about their suppliers and sub tier suppliers. This is obviously something that we would tackle with Discover. I have yet to see somebody who does what I would call the Apple move to really just reveal their supplier base for sustainability reasons or also Scope 3 emission reasons. So I think that’s not the trend right now. 

Lauren McKinley: 

Okay, the next question, how do we support clients with supplier evaluation in the case of reshoring or needing to shift operations? 

Ulf Venne: 

So I’ll take that. That’s a two-pronged approach, right? First of all, you need to prioritize your existing supplier base out of regions where you might want to consider moving out a little bit. Then there, you can look at your existing suppliers in a dashboard and see all the risk profiles you find in different… First of all per supplier but also maybe per commodity or per material. With that, you can then build a prioritization plan. What do you want to tackle first, second, third? That also helps you, especially when there might be a rising conflict and you see that there’s a deep interdependency between one country and the other and there’s a looming threat coming, so that could be interesting. 

Then on the other hand, once you start reshoring based on your prioritization, you will probably do that through a supplier relationship management system or something similar where you enter your supplier. What you can then do is you have that API feed into our system and we feed back the risk score for this non-existing supplier in your supplier base and tell you already what are the 30 most likely risks that occur from natural disasters all the way to sustainability. That helps to then really find a good balance between cost and the risk factors. You might have a look for several options at the start and we help you sort out what are the most reasonable ones from a risk perspective and then you add your own cost layer to it and then you have a great solution to find the best suppliers for your supply chain. 

Lauren McKinley: 

Great, thank you so much. Okay, looks like we have time for one last question. Let’s see, let’s go this one. Can you explain a little bit more about the EPA regulation, Mirko, that you mentioned regarding ethylene oxide in the US? 

Mirko Woitzik: 

Yep. Basically recently the EPA has established a sort of link between the material that’s used mainly at these sterilization facilities, ethylene oxide, a chemical material, and sort of a higher risk of cancer in the surrounding areas. So it’s sort of currently conducting an overhaul of an existing regulation that was supposed to come out in 2022 but has been pushed into 2023. There hasn’t been really an update since August this year, but the EPA already sort of has identified a list of facilities, 29 in 23 different cities across the US, as I said, and Puerto Rico that are basically on their radar, that have sort of the highest risk of contributing to sort of higher cancer rates in the surrounding areas and will require them to start monitoring their ethylene oxide emissions from the start of 2023, so to do self-monitoring of these emissions. 

The geographical spread is quite interesting, right? There’s a lot of big companies that have been affected but also smaller players. As we said, according to our assessment, the risk is not equal across the United States, but most of the sort of facilities actually on that list are in California but also in Texas. Then there’s a couple of them in North Carolina, in New York, New Jersey, Massachusetts. We believe that the risk is definitely higher for some form of state or local regulatory action in states that have been sort of more active also in the past when it comes to sort of emissions regulations and emissions regulations enforcement. 

So you really have to look from a risk management perspective also at what the geographical location is of these facilities and also what maybe the history of the community is in terms of sort of local activism and so on. So we mentioned one example earlier, so this is definitely a two-prong approach to sort of one on the regulatory side, which might still take a couple of years. Then also there have been instances in the past where sort of local activism has led to earlier intervention from the government side, whether that’s on the state or on the local level. 

Lauren McKinley: 

Great. Thank you, Mirko. Again, thank you, Ulf, and thank you to all of our attendees today. We had a number of other questions that came in, which are great. We’ll make sure we will follow up with each of you individually and send those out following the session along with the recording. Again, you should be receiving that today. If you have any other questions, please reach out to us at [email protected] and keep an eye out on our social channels for upcoming events, new reports, and great insights from this team. So with that, we will end the session. Have a wonderful day. 

Mirko Woitzik: 

Thank you, everyone. 

Ulf Venne: 

Bye, bye. 
