Separating Pharma Distribution Entities Under One Roof
A HealthSec Engineering™ Case Study
Client: Anonymous Pharma Services and Distribution Subsidiary
Challenge
A pharma services subsidiary shared a facility, network, warehouse, and multiple enterprise systems with its parent entity. Both organizations handled federal contract data, but no formal technical separation existed between their operations. CUI flowed through shared platforms, employees crossed entity boundaries daily, and physical access controls did not distinguish between the two companies.
The subsidiary needed its own CMMC Level 2 compliance path, but its security posture was inseparable from the parent's. Existing entity separation agreements defined boundaries on paper, but enforcement was absent. The subsidiary required an honest assessment of where inherited controls were actually deficient and a remediation roadmap it could execute in parallel with the parent's effort.
Solution
HealthSec Engineering assessed the subsidiary as part of a multi-entity gap assessment, producing entity-specific findings and a separate remediation roadmap. We reviewed the shared infrastructure, evaluated the existing Shared Services Agreement against on-site reality, and identified where inherited controls imported the parent's gaps rather than satisfying the control requirements.
Our work included:
Shared Infrastructure Analysis: Documenting how shared network, endpoints, cloud platforms, and physical access created cross-entity compliance exposure.
Entity Separation Assessment: Reviewing the Shared Services Agreement and Warehouse Space Sharing Agreement against observed site conditions, identifying enforcement gaps.
OT and Warehouse Security Review: Assessing Bluetooth scanners, IoT environmental sensors, and physical access controls specific to warehouse and distribution operations.
Parallel Remediation Roadmap: Designing a 3-phase remediation plan sequenced alongside the parent entity's effort, with entity-specific actions for DSCSA compliance, CUI handling procedures, and control inheritance mapping.
Outcomes & Impact
We gave the subsidiary a clear, independent compliance path that protected over $5M in annual federal contract revenue while cutting remediation costs through shared investment:
Delivered an entity-specific gap analysis identifying seven shared infrastructure elements (network, endpoints, cloud, physical access, personnel, Wi-Fi, and firewall) that imported the parent entity's deficiencies rather than satisfying controls.
Created a separation enforcement roadmap with a 3-phase timeline to align physical warehouse zoning, digital access controls, and CUI handling procedures with existing contractual boundaries.
Sequenced parallel remediation to reduce the subsidiary's marginal compliance cost by leveraging the parent entity's infrastructure upgrades, policy templates, and vendor contracts across both entities.
Documented DSCSA regulatory independence to protect the subsidiary's FDA Authorized Trading Partner (ATP) status, preventing citation risk under 21 CFR 211.22 for commingled operations.