When it comes to cybersecurity threats related to the Health Insurance Portability and Accountability Act (HIPAA), pharmacists are in a unique and rather unenviable position.
Joey Mattingly, PharmD, PhD, MBA, an associate professor and vice chair of academic affairs of Pharmaceutical Health Services Research at the University of Maryland School of Pharmacy in Baltimore, teaches a pharmacy management course that examines practical implications of HIPAA. Like all businesses, pharmacies are susceptible to cyberattacks, he said, so it is important to have an information security plan that covers everything from training to what to do if a breach occurs.
“Many large chain pharmacies have well-established policies and procedures, but a start-up pharmacy or smaller organization may not have as large of an infrastructure in place,” Mattingly told Drug Topics®.
Recent data breaches with large companies and potential interference in major political elections have heightened attention to cybersecurity concerns, and it is paramount that pharmacists understand their existing company policies, Mattingly said. Pharmacists starting their own businesses should consider hiring information technology experts to establish detailed standard operation procedures specific to security.
“Err on the side of caution. One large data breach could [affect all] your patients, your employees, and yourself. The fallout from a data breach could be devastating and potentially ruin your business, particularly since it involves our patients’ personal health information,” he said.
Investing in proper training is key. Mattingly advocates taking the time to teach, review best practices, and make sure all employees practice what they learned. “Test your processes and systems for security gaps,” he said. “Many retail stores use secret shoppers to test customer service, [and] a pharmacy can use this technique to see if any of your employees would fall for a basic hacking ploy [such as a phishing email].” Mattingly advises focusing on best practices rather than failures: “You should provide incentives for your pharmacists and technicians who do things right.”
Better Equipped to Combat Threats
Pharmacists now have more tools and technologies to protect their data, but cyber criminals have also developed new strategies, and the risk continues to evolve, according to Mattingly. Protecting against a cyberattack should be viewed as a business expense or operating cost, he noted. “Pharmacies are already pressured with decreasing margins on pharmacy sales, so it is important that pharmacists advocate for either increased revenues for pharmacies or other financial support [such as low-interest loans and tax incentives] for technology and training investments,” he said.
Neil Edillo, PharmD, assistant director of pharmacy services and information management and medication safety at Oregon Health & Science University (OHSU) in Portland, said that as far as he knows, no cyberattacks have targeted only the pharmacy community.
“Pharmacists can fall victim to the same schemes that are applied broadly to everyone. There are quite a few ways that hackers can attempt to gain unlawful access to our systems, and as a health system, we have instituted a number of interventions at the individual level to help safeguard login information,” Edillo said. All systems should require strong passwords with special characters, and all employees should be required to change passwords every 90 days, he said, underscoring the importance of 2-factor authentication.
“The primary threat to obtain user log-in credentials is phishing. As great as our email servers are, some of these email attempts are able to find their way through to our end users. Our health system has provided education about what phishing attempts look like and what to do with them,” Edillo said. OHSU has instituted test programs in which they internally generate a phishing-like email that is distributed to all users across the university and health system from an outside mail server. “If the user clicks on the links contained in the email, they are immediately provided instruction on phishing attempts and to maintain their vigilance against cybersecurity threats,” Edillo told Drug Topics®.
A Potential Leak
Pharmacists interested in protecting themselves and their customers from cyberattacks need to invest in vendors that handle their data, according to investigators at American University in Washington, DC. They conducted a study and found that a data breach due to a third-party supplier was more likely to lead to an underinvestment in cybersecurity measures. The study authors wrote that all companies need to look at every entity that handles their data: just 1 weak link and the system is compromised.
Study coauthor Jay Simon, PhD, an associate professor of information technology and analytics at American University’s Kogod School of Business, said there is a huge range of cybersecurity threats, depending on the systems, data involved, and the attackers’ goals. “A computer needs to have adequate security settings and software, but the user also needs to understand how to avoid installing malware or falling for phishing scams. Pharmacists face the added legal and ethical ramifications of having sensitive personal data compromised, which makes all these measures even more crucial,” Simon told Drug Topics®.
A few years ago, Merck was hit with a serious ransomware attack, which is a common issue for health care providers, according to Simon. Last June, 5 US health care organizations reported ransomware attacks, with some having to pay to regain access to files.
“Keep your security software up-to-date, and understand the common techniques that attackers use. Good password management and not clicking on anything suspicious goes a long way. Be restrictive about who’s allowed access to your computers and network, both physically and electronically,” he said.
Lisa Schwartz, PharmD, senior director of professional affairs at the National Community Pharmacists Association in Alexandria, Virginia, said that like any business, pharmacies face the threat of having digital records hacked. However, these vulnerable data include not just personnel and financial records of the business, but also patient health information, which opens pharmacies up to scrutiny by the US Department of Health & Human Services Office for Civil Rights, which enforces HIPAA.
“It makes sense for pharmacists and pharmacy owners to use many of the tools that are available to HIPAA-covered entities and organizations trying to improve cybersecurity. These include virtual private networks, firewalls, and antivirus software,” Schwartz said. “[Although] those tools help protect the pharmacy management system from cyberattacks, inappropriate access by employees of the pharmacy is another concern.” Pharmacy owners should seek advice from software vendors about the access controls and the best method of monitoring, according to Schwartz. “For example, the pharmacy’s privacy officer could have an alert in place anytime a high-profile patient’s record is accessed to prevent unauthorized use or disclosure,” Schwartz said.
Today’s tactics are more subtle than those of the past, Schwartz said. Cyber criminals often try to collect bits of personal data to trick individuals into replying to an email or clicking a link they would normally discard if it snuck through a spam filter. “Pharmacists and pharmacy staff can do their part to minimize cybersecurity threats by only using pharmacy computers to access trusted websites and to be careful about opening attachments or clicking links in email,” Schwartz said. “For example, if a technician receives an email that appears to be from a familiar vendor but contains an unexpected invoice, call the sender and ask if it is legitimate.”
Fred H. Cate, JD, vice president for research and a professor of law at Indiana University, said pharmacists are seeing more desperate requests for help to provide a drug without a prescription or help a patient with shipping or supply chain delays related to the pandemic. “Most of these requests are almost certainly legitimate, but that is just how a criminal would approach a pharmacy, as well, whether in a classic fraud attack or in an effort to find access information [or] an unlocked machine or other ways to infiltrate the system,” Cate said. In recent years, he said, many attacks originated from people sitting in cars in parking lots using wireless access through the payment or other systems. Cate added that because of the pandemic, pharmacists need to be vigilant. “These types of attacks are more likely to succeed and less likely to be noticed when there are other stresses on the system,” Cate said.