Cybersecurity is becoming a greater focal point of pharmacy organisations around the world. According to the Council of Small Business Organisations of Australia (COSBOA) 20 per cent of small businesses were affected by a cyber attack in 2016. Some 11 per cent of those surveyed were hit by ransomware with the average ransom paid being $4,500. However, 8 per cent of those who paid a ransom did not get their files back.
“Maybe there’s something to the Hollywood adage of not negotiating with terrorists?!?”
This emerging risk is being reflected in pharmacy regulatory inspections around the world, for instance, a key inspection point of the pharmacy regulator in the UK, the GPhC, specifies in Standard 5.3” of its 5 Principles that “Equipment and facilities are used in a way that protects the privacy and dignity of the patients and the public who receive pharmacy services“. As inspections in the UK can now be fully unannounced, the GPhC expects that at any time, a pharmacy organisation needs to prove that patient data access is fully secure. The question here is what exactly will they be looking for?
In reference to the GPhC, they mainly focus on whether NHS Smartcards have been shared or not but also whether other third-party services which handle data on behalf of the pharmacy are compliant. This may relate to:
- PMR access – every PMR used in the UK for NHS services are required to have a smartcard as above, however, if the pharmacy is private this may not be the case. Private Patient Medical records may only have password protection, in this case, each staff member should have their own login and password which may be compromised.
- Digital Controlled Drugs Registers – some pharmacies use digital controlled drugs registers to record their CD balances. In this case, again, each user should have a unique username and password.
- Online repeat services – these services take patient information and relay prescription requests to the pharmacy.
“Access sharing” is one of the main causes of data breaches from organisations, this is where one email address is shared between multiple users. It is highly recommended that each pharmacy team member needs to have their own unique login for each website that the pharmacy uses. This is contrary to some pharmacy operations where “shop emails” are used and shared between the teams. To add to the weight of access issues, there are also a myriad of malware systems used by “black hat” hackers to circumvent even secure passwords:
How to perform a quick pharmacy cybersecurity check…
The first action point to consider is to get a list of your organisations email addresses (which can be found in the HubNet.io Team Builder) and use a service like Have I Been Pwnd? The service will tell you whether that specific email address has been compromised. As password sharing between sites is so common (users often find it difficult to remember multiple secure passwords and often use one across multiple sites), it is highly recommended if the email has been “Pwned” that it should be changed across all sites.
The issue with cybersecurity in pharmacy is because organisations often employ multiple people there will be multiple points of failure, i.e. not only could your password get hacked but everyone else’s can as well. So as a business owner, you are not only responsible for your personal cybersecurity but also for the people that work for you. In this regards sharing to your staff members via Social media. can be a great way to keep them on their toes. This password word cloud is a great example of an easily digestible cybersecurity reminder.
How to protect your organisation from an ongoing potential threat…
There are three ways:
- Education and training – get your staff to take a cybersecurity course, they will learn things like the importance of using two-factor authentication, enabling automatic updates and the use of anti-virus software / ad-blocking browser plugins.
- Protection and inoculation – use a vulnerability scanner to identify unpatched software or other insecure computer settings.
- Cyber protection insurance (CPI) – this may already be included within your existing insurance, however, CPI could be purchased as a standalone. CPI is a relatively new form of cover, it’s designed to help protect your business from the financial impact of computer hacking or a data breach.
Digital Amalgamation
Lastly, one great way to protect against cybersecurity threats is a digital amalgamation service. For instance, if you use multiple third-party providers for services as listed above this opens multiple avenues for hackers to penetrate into your organisation, however, if you had one port of call which amalgamated a Controlled Digital Drugs Register, a PMR and a repeat service into one this will reduce your orgnisations exposure to threats. For more information have a look at our Pharmacy Cyber Security SOP.
