Cybersecurity – Online Prescribing (https://onlineprescribing.com)

Penetration Test Action Plan
https://onlineprescribing.com/penetration-test-action-plan/ (Thu, 11 Jan 2024 23:49:38 +0000)

This is to meet Evidence item 9.2.3 in the NHS DSP toolkit, i.e. "The person responsible for IT has reviewed the results of the latest penetration testing, with an action plan for its findings."
Provide the action plan (with confirmation of review by the person with delegated responsibility for data security).

  1. Objective Setting:
    • Define the scope and objectives of the penetration test. Focus on systems that store, process, or transmit patient data, including pharmacy management systems, electronic health records, and online prescription services.
  2. Compliance Considerations:
    • Ensure the test aligns with NHS and General Pharmaceutical Council (GPhC) guidelines.
    • Understand the requirements of the DSPT and the UK’s General Data Protection Regulation (GDPR).
  3. Choosing a Testing Provider:
    • Select a reputable and certified penetration testing provider.
    • Ensure they have experience in healthcare and are aware of the specific needs and regulations of the sector.
  4. Pre-Test Preparations:
    • Notify all relevant parties, including staff and possibly the Information Commissioner’s Office (ICO), if required.
    • Back up all systems and ensure that there are contingency plans in place in case of system disruptions.
  5. Conducting the Test:
    • Perform the test during off-peak hours to minimize disruption.
    • Include both external (networks, applications, and perimeter defenses) and internal (behind the firewall) aspects.
    • Test for a wide range of threats, including SQL injection, cross-site scripting, and ransomware.
  6. Data Handling:
    • Ensure that all data collected during the test is handled securely and in compliance with GDPR.
    • Sensitive data should not leave the premises or be exposed to unauthorized personnel.
  7. Post-Test Analysis:
    • Review the test results with the testing provider.
    • Prioritize vulnerabilities based on their potential impact and the likelihood of exploitation.
  8. Remediation Plan:
    • Develop a prioritized action plan to address identified vulnerabilities.
    • Consider both technical fixes and changes in processes or staff training.
  9. Documentation and Reporting:
    • Document the entire process and results for compliance purposes.
    • Report significant vulnerabilities and incidents to the relevant authorities as required by law.
  10. Review and Continuous Improvement:
    • Schedule regular penetration tests (at least annually).
    • Review and update security policies and procedures in light of test findings.

Additional Considerations:

  • Staff Awareness and Training: Ensure staff are aware of the test and understand the importance of cybersecurity.
  • Legal and Ethical Considerations: The test should be legal, ethical, and not harm patients or their data.
  • Budget and Resources: Allocate sufficient budget and resources for both the test and the subsequent remediation actions.

Remember, the specifics of the plan will vary based on the size of the pharmacy, the complexity of its IT systems, and the types of data handled. It’s also important to stay updated with NHS and GPhC guidelines, as they may change over time.

Pharmacy Training Needs Analysis (TNA) – Data Security and Protection
https://onlineprescribing.com/pharmacy-training-needs-analysis-tna-data-security-and-protection/ (Wed, 03 Jan 2024 03:15:14 +0000)

1. Introduction:

  • Pharmacy Name: [Your Pharmacy Name]
  • Date of Analysis: [Date]

2. Objectives:

  • To assess the current knowledge and skills of pharmacy staff regarding data security and protection.
  • To identify gaps in knowledge and skills.
  • To determine the specific training needs required to enhance data security and protection.

3. Data Collection:

A. Staff Roles and Responsibilities:

  • List all job roles within the pharmacy.
  • Describe the responsibilities of each role regarding data security and protection.

B. Skill Assessment:

  • Conduct an initial assessment of each employee’s knowledge and skills related to data security and protection.

4. Identify Training Needs:

A. Training Objectives:

  • Define clear training objectives for data security and protection. These objectives should align with the pharmacy’s compliance requirements and best practices.

B. Training Topics:

  • List the key areas of data security and protection that are relevant to the pharmacy setting, such as patient data protection, secure handling of prescriptions, and cybersecurity.

C. Training Gaps:

  • Based on the skill assessment, identify the gaps in knowledge and skills of employees in each of the training topics.

D. Prioritize Training Needs:

  • Prioritize the identified training needs based on the level of risk and importance to the pharmacy’s operations and compliance.

5. Training Methods:

  • Identify the most suitable training methods for each topic and audience. These may include:
    • In-person training sessions
    • Online courses or modules
    • Workshops or seminars
    • On-the-job training
    • Self-paced learning materials

6. Training Plan:

A. Training Schedule:

  • Create a training schedule that outlines when and how often each training session will be conducted.

B. Training Materials:

  • Develop or source training materials, including presentations, handouts, and digital resources, for each training topic.

C. Trainers or Facilitators:

  • Identify who will deliver the training sessions, whether it’s internal trainers, external experts, or a combination.

7. Evaluation:

A. Pre-Training Assessment:

  • Conduct a pre-training assessment to measure participants’ baseline knowledge before the training.

B. Training Delivery:

  • Ensure that training sessions are delivered as planned and that participants actively engage in the learning process.

C. Post-Training Assessment:

  • Conduct post-training assessments to evaluate the effectiveness of the training in addressing identified gaps.

D. Feedback and Improvement:

  • Gather feedback from participants and trainers to make improvements to the training program for future sessions.

8. Monitoring and Continuous Improvement:

  • Establish a system for ongoing monitoring of data security and protection practices in the pharmacy.
  • Regularly review and update the training program to adapt to evolving threats and regulatory changes.

9. Conclusion:

  • Summarize the key findings from the TNA and the proposed training plan to enhance data security and protection within the pharmacy.

10. Approval and Implementation:

  • Seek approval from pharmacy management or relevant authorities to implement the training plan.
Pharmaceutical Cybersecurity
https://onlineprescribing.com/pharmaceutical-cybersecurity/ (Wed, 04 Jan 2023 01:42:04 +0000)

Pharmaceutical cybersecurity is an increasingly important issue as more and more pharmaceutical companies rely on digital technology to manage their operations. With the increasing amount of personal and sensitive data being stored and transmitted electronically, there is a growing risk of cyber-attacks and data breaches that could compromise the security of this information.

One major concern is the potential for hackers to access and manipulate pharmaceutical supply chain information, which could lead to the distribution of counterfeit or contaminated drugs. This could pose a serious threat to public health and safety.

There are a number of steps that pharmaceutical companies can take to protect themselves and their customers from cyber-attacks and data breaches. These include:

  1. Implementing strong passwords and regularly updating them
  2. Ensuring that all employees are trained on cybersecurity best practices
  3. Using encryption to protect sensitive data
  4. Regularly backing up data to prevent loss in the event of an attack
  5. Working with a trusted cybersecurity firm to conduct regular assessments and implement appropriate security measures

By taking these precautions, pharmaceutical companies can help to ensure the security and integrity of their systems and protect their customers from the potential consequences of a cyber attack.

Pharmacy Cybersecurity Standard Operating Procedure
https://onlineprescribing.com/pharmacy-cybersecurity-standard-operating-procedure/ (Tue, 19 Jul 2022 03:30:58 +0000)

Recently cybersecurity has become a hot topic within the pharmacy sector. As we intend to be responsive to any new emerging threat to pharmacy, technological or otherwise, we have created a Standard Operating Procedure to manage pharmacy cybersecurity.


Standard Operating Procedure for Pharmacy Cybersecurity

Purpose 

To allow for safe and secure transactions over the internet, applying the utmost care to patient safety and data security.

Scope

Our organisation is committed to and is responsible for ensuring the confidentiality, integrity, and availability of the data and information stored on its systems. The main scope of this SOP covers data security of pharmacy systems.


General Cybersecurity Measures

1. Vulnerability testing.

Before training can be given to staff about data security, management must first understand the key risks to their organisation with respect to cybersecurity. A vulnerability assessment should be produced to evaluate information system vulnerabilities and the management of associated risk. A vulnerability assessment should include the following:

  • servers used for internal hosting and supporting Infrastructure
  • servers which will be accessed through a reverse proxy
  • desktops and workstations
  • perimeter network devices exposed to the internet
  • all external-facing servers and services
  • network appliances, streaming devices and essential IP assets that are internet facing.
  • public-facing applications and devices (wifi connected blood pressure machines, weight scales, BMI calculators etc)
  • cloud-based services 

2. Ensure that all staff understand the main cybersecurity threats; more specific detail is given below.

Either create your own course for your staff or use a reputable provider like Voyager Medical (courses can be found within hubnet.io). Within a high-quality cybersecurity course, staff will learn about the importance of using two-factor authentication, enabling automatic updates and the use of anti-virus software / ad-blocking browser plugins.

Specific cybersecurity measures

3. Protection from Malware.

  • Detection, prevention and recovery controls – supported by user awareness procedures – must be implemented to protect against malware. Key methods to avoid malware include:
    • installing, updating and using software designed to scan, detect, isolate and delete malicious code.
    • preventing unauthorised Users from disabling installed security controls.
    • prohibiting the use of unauthorised software.
    • checking files, email attachments and file downloads for malicious code before use.
    • maintaining business continuity plans to recover from malicious code incidents.
    • maintaining a critical incident management plan to identify and respond to malicious code incidents.
    • maintaining a register of specific malicious code countermeasures (e.g. blocked websites, blocked file extensions, blocked network ports) including a description, rationale, approval authority and the date applied.
    • developing user awareness programs for malicious code countermeasures.

4. Limiting Operational Software.

The installation of software on production information systems must be controlled. To protect the general cybersecurity health of the organisation when installing new software, responsible persons should ensure that:

  • updates of production systems are planned, approved, assessed for impact, tested and logged;
  • operations personnel and end-users are notified of the changes and potential impacts and, if required, given additional training;
  • production systems do not contain development code or compilers;
  • old software versions are archived with configuration details and system documentation, and updates to program libraries are logged.

5. Limiting patient wifi access.

Some pharmacies offer patients free access to their wifi network. The pharmacy should ensure that this wifi network sits separate from the mechanism by which they communicate patient medical records to the central health authority. If the pharmacy offers a separate wifi access point, the password for guest access should be rotated at a minimum of once a month and staff should be trained to spot potential “man in the middle attacks”.

6. Backup.

Backup copies of information, software and system images must be made, secured, and be available for recovery. More specifically:

  • Information Owners and System Owners must define and document backup and recovery processes that consider the confidentiality, integrity and availability requirements of information and information systems. Key aspects all processes must address include:
    • use approved encryption;
    • physical security;
    • access controls;
    • methods of transit to and from off-site locations;
    • appropriate environmental conditions while in storage; and
    • off-site locations must be at a sufficient distance to escape damage from an event at the main site.

7. Event logging.

All staff should be appropriately trained to constantly monitor for cybersecurity threats. In the event that an event occurs, this should be reported directly to the staff member's line manager. This should be done using the hubnet.io error reporting system: an event should be logged and its details recorded. This log, for every location within an organisation, should be monitored by an authorised management team. Once an event has been identified, appropriate corrective action should be taken, which includes a report that details:

  • identification of the event;
  • isolation of the event and affected assets;
  • identification and isolation of the source;
  • corrective action;
  • forensic analysis;
  • action to prevent recurrence; and
  • securing of event logs as evidence

Review Procedure

This SOP will be reviewed in the event that there are any changes to best practice concerning pharmacy cybersecurity or in the event of staff changes. It will also be reviewed in the event of incidents or errors that have been logged. In the absence of any of these events, it will be reviewed yearly from the date of publication.  

Known Risks

  • Security gaps.
  • Malware.
  • Man in the middle attacks.
Pharmacy Cyber Security
https://onlineprescribing.com/pharmacy-cyber-security/ (Wed, 31 Jul 2019 23:26:18 +0000)

Cybersecurity is becoming a greater focal point of pharmacy organisations around the world. According to the Council of Small Business Organisations of Australia (COSBOA) 20 per cent of small businesses were affected by a cyber attack in 2016. Some 11 per cent of those surveyed were hit by ransomware with the average ransom paid being $4,500. However, 8 per cent of those who paid a ransom did not get their files back.

“Maybe there’s something to the Hollywood adage of not negotiating with terrorists?!?”

This emerging risk is being reflected in pharmacy regulatory inspections around the world. For instance, a key inspection point of the pharmacy regulator in the UK, the GPhC, specifies in Standard 5.3 of its 5 Principles that “Equipment and facilities are used in a way that protects the privacy and dignity of the patients and the public who receive pharmacy services”. As inspections in the UK can now be fully unannounced, the GPhC expects that at any time a pharmacy organisation needs to prove that patient data access is fully secure. The question here is what exactly will they be looking for?

In reference to the GPhC, they mainly focus on whether NHS Smartcards have been shared or not but also whether other third-party services which handle data on behalf of the pharmacy are compliant. This may relate to:

  • PMR access – every PMR used in the UK for NHS services is required to have a smartcard as above; however, if the pharmacy is private this may not be the case. Private patient medical records may only have password protection; in this case each staff member should have their own login and password, which may otherwise be compromised.
  • Digital Controlled Drugs Registers – some pharmacies use digital controlled drugs registers to record their CD balances. In this case, again, each user should have a unique username and password.
  • Online repeat services – these services take patient information and relay prescription requests to the pharmacy.

“Access sharing” is one of the main causes of data breaches from organisations; this is where one email address is shared between multiple users. It is highly recommended that each pharmacy team member has their own unique login for each website that the pharmacy uses. This is contrary to some pharmacy operations where “shop emails” are used and shared between the teams. To add to the weight of access issues, there is also a myriad of malware used by “black hat” hackers to circumvent even secure passwords.

How to perform a quick pharmacy cybersecurity check…

The first action point to consider is to get a list of your organisation's email addresses (which can be found in the HubNet.io Team Builder) and use a service like Have I Been Pwned? The service will tell you whether that specific email address has been compromised. As password sharing between sites is so common (users often find it difficult to remember multiple secure passwords and often use one across multiple sites), it is highly recommended that if the email has been “Pwned” the password should be changed across all sites.
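As an added example (not the post's own code), a small Python script that runs the check described above over a staff address list: it queries the Have I Been Pwned v3 breached-account API for each address and turns the answer into the rotate-everywhere / review / no-action decision the post recommends. The API key (read from an assumed HIBP_API_KEY variable), the user-agent string and the staff addresses and breach records are assumptions or constructed sample data.

```python
import json
import os
import urllib.error
import urllib.request
from urllib.parse import quote

# HIBP v3 breached-account endpoint; this endpoint requires an API key.
HIBP_URL = "https://haveibeenpwned.com/api/v3/breachedaccount/{}?truncateResponse=false"

def fetch_breaches(email, api_key, user_agent="pharmacy-credential-check"):
    """Return the list of breach records HIBP holds for one address ([] when none)."""
    req = urllib.request.Request(
        HIBP_URL.format(quote(email)),
        headers={"hibp-api-key": api_key, "user-agent": user_agent},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        if err.code == 404:  # HIBP answers 404 when the address appears in no breach
            return []
        raise

def triage(accounts):
    """accounts: {email: [breach record, ...]} -> rows, most urgent first:
    password exposure (rotate everywhere), then address merely listed, then clean."""
    report = []
    for email, breaches in accounts.items():
        exposed = sorted({c for b in breaches for c in b.get("DataClasses", [])})
        latest = max((b["BreachDate"] for b in breaches), default=None)
        if not breaches:
            action = "none"
        elif "Passwords" in exposed:
            action = "rotate"  # the password is likely reused: change it on every site
        else:
            action = "review"  # address leaked without credentials: expect phishing
        report.append({"email": email, "action": action, "breaches": len(breaches),
                       "latest": latest, "exposed": exposed})
    # Most recent breach first, then a stable sort so urgency wins overall.
    report.sort(key=lambda r: r["latest"] or "", reverse=True)
    report.sort(key=lambda r: {"rotate": 0, "review": 1, "none": 2}[r["action"]])
    return report

def check_staff(emails, api_key):
    """Live run over the staff address list (e.g. the HubNet export the post mentions)."""
    return triage({e: fetch_breaches(e, api_key) for e in emails})

# Constructed sample in the shape HIBP returns, with made-up addresses, breach names and dates.
SAMPLE = {
    "dispenser@example-pharmacy.test": [
        {"Name": "ExampleBreachA", "BreachDate": "2019-03-02", "DataClasses": ["Email addresses", "Passwords"]},
        {"Name": "ExampleBreachB", "BreachDate": "2017-08-15", "DataClasses": ["Email addresses"]},
    ],
    "shop@example-pharmacy.test": [  # a shared "shop email" of the kind the post warns about
        {"Name": "ExampleBreachC", "BreachDate": "2021-11-30", "DataClasses": ["Email addresses", "Names"]},
    ],
    "pharmacist@example-pharmacy.test": [],
}

if __name__ == "__main__":
    key = os.environ.get("HIBP_API_KEY")  # assumed variable; set it to query the live service
    rows = check_staff(list(SAMPLE), key) if key else triage(SAMPLE)
    for r in rows:
        print(f"{r['action']:6} {r['email']:35} {r['breaches']} breach(es), latest {r['latest']}, exposed {r['exposed']}")
```

Without the key the script runs offline on the constructed sample; the live endpoint is rate limited, so a real staff list should be paced accordingly.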

The issue with cybersecurity in pharmacy is that, because organisations often employ multiple people, there will be multiple points of failure, i.e. not only could your password get hacked but everyone else's could as well. So as a business owner, you are not only responsible for your personal cybersecurity but also for the people that work for you. In this regard, sharing reminders with your staff members via social media can be a great way to keep them on their toes. This password word cloud is a great example of an easily digestible cybersecurity reminder.

How to protect your organisation from an ongoing potential threat…

There are three ways:

  • Education and training – get your staff to take a cybersecurity course, they will learn things like the importance of using two-factor authentication, enabling automatic updates and the use of anti-virus software / ad-blocking browser plugins.
  • Protection and inoculation – use a vulnerability scanner to identify unpatched software or other insecure computer settings.
  • Cyber protection insurance (CPI) – this may already be included within your existing insurance, however, CPI could be purchased as a standalone. CPI is a relatively new form of cover, it’s designed to help protect your business from the financial impact of computer hacking or a data breach.

Digital Amalgamation

Lastly, one great way to protect against cybersecurity threats is a digital amalgamation service. For instance, if you use multiple third-party providers for services such as those listed above, this opens multiple avenues for hackers to penetrate your organisation; however, if you had one port of call which amalgamated a Digital Controlled Drugs Register, a PMR and a repeat service into one, this would reduce your organisation's exposure to threats. For more information have a look at our Pharmacy Cyber Security SOP.
