Street value exists on the cyber black market for electronic protected health information (ePHI), which includes full names, social security numbers, dates of birth, addresses, medical history, and detailed financial information. Since pharmacies are known to collect this sensitive data, theft in the pharmacy arena is on the rise. With cyberattacks becoming a growing threat, pharmacies are strongly urged to build cybersecurity protocols into the core building blocks of their business infrastructure. Increased vigilance is necessary to stay compliant with Health Insurance Portability and Accountability Act (HIPAA) requirements and to safeguard ePHI.
Defining Cybersecurity
In an increasingly interconnected world, the threat of cybercrimes is omnipresent, making cybersecurity critical for survival. While not yet familiar to everyone, cybersecurity is the “technique of protecting computers, networks, programs and data from unauthorized access or attacks that are aimed for exploitation.”1 Such protection requires protocols to anticipate and recover from cyber-attacks, which occur through complex processes and the efforts of highly trained individuals.
Examples of Cyberattacks
Cybercrimes take on many disguises and are becoming more sophisticated and threatening to the healthcare sector. Cyberattacks are unlike any other threat to the core integrity of a business, as these attacks are sometimes very hard to predict, identify, or prevent. Phishing is one of the most common reoccurring cybercrimes impacting pharmacies, particularly spear phishing. In these cases, an email targets a specific business or individual. A spear phishing email appears to be from someone known to you or your employee. Clicking on the information (often a web link) automatically gives cybercriminals access to all your data. Fortunately, vendors and service providers have made great strides regarding this type of cybercrime, and most pharmacies have reasonably small amounts of spam or phishing emails. Nonetheless, many pharmacies still receive multiple phishing emails each day. With their ever-increasing sophistication, good phishing replicas can look like legitimate emails. Since 91 percent of advanced cyberattacks begin with an email, even robust security protocols can’t prevent all attacks, and employees have a phishing email response rate of 31 percent.2 Just one employee falling for a phishing email can compromise an entire network. That’s why it is critical to protect your pharmacy by training yourself and your employees to be hyperaware of possible phishing activity and to scrutinize all incoming emails.
Another cybercrime is importing malware. Socially engineered malware, often accompanied by data-encrypting ransomware, provides another method of attack. An end-user is somehow tricked into running a trojan horse program (a type of malware that may be disguised as legitimate software), often from a trusted, often-visited website. The otherwise innocent website is temporarily compromised to deliver malware instead of its normal coding. This software will encrypt the computer’s data and hold it hostage until the cybercriminals are paid a set ransom fee to release the information. Criminal gangs and opportunistic cybercriminals – termed the New Mafia in cybersecurity circles – have embraced ransomware as a quick and easy way to make money, damaging healthcare organizations in the process.
Protecting Your Pharmacy: More than HIPAA
Pharmacies must increase cybersecurity and protect their financial data and individuals’ ePHI. Understanding and complying with federal regulatory and statutory mandates offers some basic protections. Since the late 1990s, most pharmacies have put practices in place to follow HIPAA laws that require providers to implement a minimum set of standards. But given the complex landscape that continues to emerge in our electronic healthcare delivery process, HIPAA compliance – once the gold standard for security protocols and processes – is no longer the benchmark for securing healthcare data. In fact, some states now require additional cybersecurity regarding sharing ePHI. For example, both prescribers and pharmacists in New York must have encrypted and encoded computer systems, and these systems must be certified by the Drug Enforcement Agency (DEA) or some other organization to confirm that they meet federal standards.3 However, many cybersecurity experts believe more needs to be done. Pharmacies must infuse mandated federal and state security protocols with new, more advanced protective mechanisms to keep their healthcare data secure and confidential. These mechanisms are carefully crafted cybersecurity protocols and processes.
Important Cybersecurity Steps for Pharmacies
Sophisticated and expensive methods are available to protect pharmacy information systems, but you and your employees can also take simple, effective measures to prevent cybercrimes. The following steps can prevent or mitigate cyberattacks:
• Require Authentication
Requiring authentication measures to limit unauthorized access is paramount. The first step is creating strong, secure passwords. Passwords are the first line of defense in preventing unauthorized access to any computer or electronic device. Regardless of the type of operating system, a password should always be required to log into desktops, laptop computers, handheld devices, and smartphones. Cybersecurity experts recommend passwords that are at least 12 characters long and are changed every 30 to 60 days. It’s important to apply these policies uniformly across the organization, from senior management to front-line staff – no one should be exempt. Although a strong password will not prevent attackers from trying to gain access, it can slow them down and discourage them.
• Install and Maintain Anti-Virus Software
The primary way that attackers compromise pharmacy computers is through viruses that exploit vulnerabilities on such machines. Even a computer that has all the latest security updates to its operating system and applications may still be at risk because of previously undetected flaws. In addition, computers can become infected by seemingly innocent outside sources, such as CDs, email, flash drives, and Web downloads. It is important to thoroughly research which antivirus software is right for your pharmacy and to make sure it is always kept up-to-date.