• Firewalls
All pharmacies should have a firewall to protect against intrusions and threats from outside sources. While anti-virus software will help find and destroy malicious software that has already entered, a firewall is designed to prevent intruders from entering in the first place. A firewall can take the form of a software product or a hardware device. In either case, its job is to inspect all messages coming into the system from the outside (either from the Internet or from a local network) and decide whether the message should be allowed. Configuring a firewall can be technically complicated, and hardware firewalls should be configured by trained technical personnel.

• Encrypted Data
In today’s increasingly mobile world, workplace technology is not limited to the office. When placing ePHI on a mobile device, data should be professionally encrypted. Mobile devices that cannot support encryption should not be used under any circumstances. If a laptop containing ePHI must be taken out of a secure area, the information on the laptop’s hard drive must also be protected through encryption. Many pharmacies contract with outside information technology professionals to assist with encryption protocols.

• Educate Staff about Cyber Risks
Cybersecurity should be included with other staff training. Make sure your employees understand the seriousness of security risks and are aware of best cybersecurity practices. The effectiveness of a pharmacy’s cybersecurity plan directly correlates to employee willingness to consistently follow established protocols. Employees should be trained to recognize suspicious emails and to notify management if there is any doubt about the authenticity of an electronic communication or if they believe a security breach has occurred. Both orientation and refresher training can ensure employees are regularly updated about new threats and security measures.

Educational Resources on Cybersecurity

Cyberattacks have always been possible, and pharmacies are recognizing that personal health information must be kept safe, secure, and protected against cybercrimes. Many resources exist to help protect networks from attacks and assist pharmacies with developing effective cybersecurity protocols and security awareness programs. The Federal Communications Commission: Cybersecurity Planning Guide is a very useful resource. [4] Another is the HIPAA Journal’s Section on Cybersecurity. [5] The HIPAA Journal offers valuable information relating to:

• Healthcare cybersecurity best practices;
• New guidelines for HIPAA-covered entities on data and device security;
• Updates from the Healthcare Industry Cybersecurity Task Force;
• Details of new malware and ransomware that threaten the confidentiality, integrity, and availability of protected health information;
• New vulnerabilities that could be exploited to gain access to healthcare networks; and
• Advice related to the HIPAA Security Rule and the safeguards that must be applied to secure medical devices, networks and healthcare data.

Take Cyber Threats Seriously

As technology continues to evolve, so do the opportunities and challenges it provides. Technology in healthcare is at a crossroads, as it promises better coordination and quality of care while at the same time offering new opportunities to disrupt technically dependent business operations. Network protection must be a long-term organizational strategy for all healthcare entities, including all classes of pharmacies. Cybersecurity threats are serious and demand proactive IT solutions, well-trained staff, and a culture focused on fundamental data protection.

Cybersecurity: A Five-Step Process [6]

The National Institute of Standards and Technology (NIST) within the U.S. Department of Commerce created a five-step process that has become an internationally recognized standard for managing potential cybersecurity risks. NIST recommends that businesses:

1) Identify/Detect: Know what data and technology assets you have in your business.
2) Protect: Once you have thoroughly identified your technology assets, take proactive steps to protect the information by implementing cybersecurity protocols.
3) Respond: Notify the appropriate authorities if you are the victim of a cyberattack and immediately put a plan of correction in place to address the attack or breach.
4) Recover: Work with designated senior staff to determine a recovery plan and secure outside professionals who can also help with this process.
5) Educate: Train all staff on cybersecurity protocols and the importance of consistently adhering to them.

Source: National Institute of Standards and Technology (NIST)

REFERENCES

1. The Economic Times. 2018. “Definitions: Definition of ‘Cyber Security.’” https://economictimes.indiatimes.com/definition/cyber-security.
2. PBA Health. “5 Easy Ways to Protect Your Pharmacy from Cyberattacks.” Elements, June 6, 2017. https://www.pbahealth.com/5-easy-ways-protect-pharmacycyberattacks/.
3. New York State Education Department. Office of the Professions: Pharmacy: Frequently Asked Questions. “Electronic Transmittal of Prescriptions in New York State.” Last updated: May 31, 2017. http://www.op.nysed.gov/prof/pharm/pharmelectrans.htm.
4. Federal Communications Commission. “Cyber Security Planning Guide.” https://transition.fcc.gov/cyber/cyberplanner.pdf.
5. “Healthcare Cybersecurity.” HIPAA Journal. 2018. https://www.hipaajournal.com/category/healthcare-cybersecurity/.
6. U.S. Department of Commerce, National Institute of Standards and Technology (NIST). “Framework for Improving Critical Infrastructure Cybersecurity.” https://www.nist.gov/cyberframework.

Innovatix | innovatix.com 11