Focus on best practices and implement new technology to safeguard against security breaches.
With more work being done online, cyber protection in pharmacies is more crucial than ever. Pharmacies bear the responsibility to safeguard both provider- and patient-level information in their workflow, which can be especially challenging with enrollment in patient portals.
“Until recently, the concept of cyber protection has largely taken a back seat to general business operation,” said Chase Kassel, government relations manager for Acronis, a Tempe, Arizona–based cloud security provider. “Malicious actors have increasingly been turning their attention to the health care industry, [and] new threats to data security have been emerging.”
The internet and use of computer technology are the backbone of pharmacy operations, supporting the role of providing drug therapy oversight to patients, according to Barbara Giacomelli, PharmD, area vice president at McKesson Pharmacy Optimization in Vineland, New Jersey. Safeguarding against cyberattacks is critical to maintaining a secure drug database, financial transactions, and protecting confidential patient information, she said.
“A cybersecurity attack not only disrupts pharmacy services [but also] has the potential to [affect] patient care, increase liability, and [have] a negative financial impact,” Giacomelli added. “Cybercrime continues to advance tactics to breach computer systems. It is important to stay ahead of cybercriminals by having the latest computer security software, maintaining backup, and considering regular security scans.”
Pharmacy personnel also need to be educated on the importance of cybersecurity and phishing risks. Many techniques can be applied to fortify against cyberattacks and protect customers’ data.
“You not only want to keep your customers’ trust but you [also] want to ensure that they feel safe leaving their details with you,” said Heather Paunet, senior vice president of product and marketing at Untangle, a leader in comprehensive network security for small-to-medium businesses. “Since most pharmacies take customer details in order to help with prescriptions, there is a risk for those details to be hacked. Implementing the right security within your pharmacy will ensure that all that data are safe, keeping your customers safe and keeping your business safe from further damage.”
In this time of change and uncertainty, best practices can still be adopted to help protect pharmacies against breaches and other cyber threats. Giacomelli’s top recommendations include giving employees access only to information required to do their jobs, with individual sign-ons and passwords, and running regular system security scans.
One of the biggest threats to pharmacies involves phishing, a type of online scam in which hackers send an email that appears to be legitimate and asks for sensitive information, usually to be provided via a link. The information goes straight to the crooks behind these clever fakes.
Many small businesses, including pharmacies, have seen a huge increase in phishing scams related to coronavirus disease 2019 (COVID-19), mostly through emails that claim to have updates concerning the virus. Employees need to be trained to spot phishing attempts, and phishing filters should be used with any email service.
Pharmacies also must look out for ransomware attacks. These involve a form of malware that encrypts a victim’s files, and then the attacker demands a ransom to restore access to the data.
“Ransomware is a major threat we’ve seen in recent years, which also often results in a data breach,” Kassel said. “Any unnecessary PHI [protected health information] or PII [personally identifiable information] should not be retained, and what must be held on to should be encrypted and not accessible to any internet-facing location.”
Herb Brychta, security risk services manager at AE Works, noted that staff awareness and training are key to mitigating risk. “Even before COVID-19, human beings were vulnerable,” he said. “So many viruses happen because people click on a link in their email, which deploys a virus. As we’ve transitioned to an environment where people are working from home where they are most comfortable, their awareness is not as heightened, and everyone is more susceptible when comfortable.”
Proper backups and an effective ransomware protection solution are also critical for both protection and continuity of operations. In addition, keep all software updated to help eliminate vulnerabilities, and run antimalware software to protect against other types of malware.
“[Internet of Things (IOT)] devices are another major concern in today’s world,” Kassel said. “These can be personal devices, like cell phones and smart speakers, or internet-connected equipment to improve efficiency with specific job functions.” He recommends keeping personal devices off any networks with any business systems and separating systems containing PII and PHI from any necessary IOT devices that are incorporated into the business operations.
To guard against e-commerce dangers, invest in and use antivirus software; run scans frequently and at the end of the day, Brychta suggested. Virus scans should filter out known hazards, especially for pharmacists who receive attachments such as order forms. Keep operating systems updated. “These help safeguard against risks. Having an up-to-date computer best protects you,” he said.
“If you can, I highly suggest using a separate computer to receive orders and using a different one to do banking and books. If the order-taking computer gets infected, there is less risk because you aren’t logged into any secure sites like banking. While you’re at it, have separate email addresses for orders and administration.”
When COVID-19 hit, everyone rushed into working remotely. New tools were pushed onto employees with little training, and skipping critical steps needed to ensure correct operation introduced security risks.
“The most common mistake for virtual meetings is not protecting access with a password,” said Nick Santora, CEO of Curricula. “When you’re scheduling a virtual meeting, you can check a box requiring a password. Always make sure that box is checked. If you invite someone to a meeting with that link directly from the platform, it should automatically populate for a URL with the password to be included in the calendar invitation.”
Most companies with a proprietary code base, such as Skype, WhatsApp, and Slack, tend to be vague about how they manage or store customers’ data. Using those platforms means taking many risks, such as the data being routed out of the country and, in turn, not following data privacy laws such as the General Data Protection Regulation, the Health Insurance Portability and Accountability Act (HIPAA), and the California Consumer Privacy Act.
By integrating patient linking and matching technology and adding the right layers of verification and authentication across workflow and platforms, pharmacies can remain HIPAA compliant and protect critical data such as patient names, birth dates, and prescription information, according to Mark Barwig, executive vice president of Epic Pharmacies, Inc, a network of independently owned pharmacies.
“Multifactor approach [MFA] to security and identity management extensively assesses the risk of both physical and digital identity attributes to enable accurate and timely risk detection and identity decisions,” Barwig said. “The MFA uses at least 2 independent elements, or factors, such as identity document authentication, knowledge-based questions, 1-time passwords, email verification, facial recognition, device analytics, or voice biometrics, to verify patients based on the criticality of transactions.”
As cybercrooks evolve with technology, so should pharmacies and staff. A service that receives regular updates and security fixes can help. “Familiarize yourself with the available features of the service of your choice,” Santora said. “Subscribe to newsletters, use available training and documentation material, and share it with all users. Audit the effectiveness of your selected safety measures regularly, and take action if things are not working the way they should.”