Cyber, Internet, and Pharmacy system security…are you secure? Part I
By Jonathan Jacobs
Cyber security and your Pharmacy’s operations
A few weeks back was Cyber Security Week. We had a discussion around the office about how this relates to independent pharmacy and healthcare operations in general. This is especially important for smaller stores or practices without departments focused on protecting your computing environment. Current events and two years of adjusting how we work in a pandemic only highlight the need for all of us to be aware of the pitfalls, perils, and risks to all things electronic. We must consider the various solutions that improve security. This will be the first of a three-part series as we examine system security and protecting your business and personal information, all while computing and browsing safely. Note, we aren’t specifically talking about a pharmacy here; this could apply to any small business. But as always, we will frame it for you and your pharmacy.
As we put the pieces together for this article, Russia has invaded Ukraine. Prior to this military event, there were a few major cyberattacks on the Ukrainian Parliament and other government websites. Microsoft says it began detecting “destructive cyberattacks directed against Ukraine’s digital infrastructure” several hours before the Russian military began launching missiles or moving tanks into the country. It probably started even earlier than that. We now know there were simultaneous attacks here as well. These attacks only highlight the need for security on your internal network systems. These include your pharmacy system and the connecting computers/workstations, point of sale registers, and other connected devices in and around your store including cell phone and tablet use of Wi-Fi, etc.
First, Some Insight
Kevin Haley, director of Symantec Security Response, says, “They [the cyber attackers] have extensive resources and a highly-skilled technical staff that operate with such efficiency that they maintain normal business hours. We are even seeing low-level criminal attackers create call center operations to increase the impact of their scams.” Independent pharmacies of all sizes need to make peace with the fact that hackers won’t be neutralized any time soon. And, they need to be honest with themselves that their current computer defenses are probably Silly Putty in the hands of experienced hackers.
The best way to begin hardening the digital perimeter of your pharmacy is to realize that the person or staff responsible for your web security is the overarching factor in keeping your pharmacy data safe. It’s not just about the security technology that they happen to administer and oversee. Security software that was never installed, or was installed and never updated, is the number one failure here. You know that new system you picked up to add another workstation at the store? Did you tell your network guy about it, or did you just do it and leave him out of the loop? Anti-virus software, firewalls, cloud-based security packages, and endpoint security offerings only work as long as they are maintained and updated. We have seen many pharmacies ignore the annoying pop-up to renew anti-virus subscriptions, when renewing is a simple, inexpensive security step.
Working with your staff
A large part of securing your pharmacy and its critical Personal Health Information, or PHI, begins with educating your staff and communicating the importance of security, i.e., training.
What HIPAA considers PHI, a reminder
HIPAA lists 18 different information identifiers that, when paired with health information, become PHI. Some of these identifiers on their own can allow an individual to be identified, contacted, or located. Others must be combined with other information to identify a person. This list includes the following:
- name
- address (anything smaller than a state)
- dates (except years) related to an individual — birth date, admission date, etc.
- phone number
- fax number
- email address
- Social Security number
- medical record number
- health plan beneficiary number
- account number
- certificate or license number
- vehicle identifiers, such as serial numbers, license plate numbers
- device identifiers and serial numbers
- web URL
- Internet Protocol (IP) address
- biometric IDs, such as a fingerprint or voice print
- full-face photographs and other photos of identifying characteristics
- any other unique identifying characteristic.
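As an added illustration of that list (this example is not part of the original article), the short Python scanner below flags the identifiers that have a recognisable shape (Social Security number, phone or fax number, email, IP address, URL, dates, and one medical record number format) and treats a line as PHI only when such an identifier appears alongside health information. The patterns, the health-term list and the sample lines are constructed assumptions; it is a screening aid for spotting PHI in exports, support tickets or logs before they leave the store, not a complete HIPAA control, and it will not catch free-text identifiers such as names or street addresses.

```python
import re
from typing import List, Tuple

# Screening patterns for the HIPAA identifiers that have a recognisable
# textual shape. These regexes are assumptions made for this example; they
# will not catch free-text identifiers such as names or street addresses,
# which need dictionaries, NLP, or human review.
IDENTIFIER_PATTERNS = {
    "social_security_number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax_number": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"),
    "email_address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "web_url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    # Any date more specific than a year is an identifier: mm/dd/yyyy or yyyy-mm-dd.
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b"),
    "medical_record_number": re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.IGNORECASE),
}

# Constructed health-context words. An identifier only becomes PHI when it is
# paired with health information, so the scanner also looks for these.
HEALTH_TERMS = re.compile(r"\b(?:rx|prescription|diagnosis|medication|refill)\b", re.IGNORECASE)


def find_identifiers(text: str) -> List[Tuple[str, str]]:
    """Return (identifier_kind, matched_text) pairs in the order they appear in text."""
    hits = []
    for kind, pattern in IDENTIFIER_PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((match.start(), kind, match.group(0)))
    hits.sort()
    return [(kind, value) for _, kind, value in hits]


def is_phi(text: str) -> bool:
    """A line is treated as PHI when it carries at least one identifier
    and also mentions health information."""
    return bool(find_identifiers(text)) and HEALTH_TERMS.search(text) is not None


def redact(text: str) -> str:
    """Replace every matched identifier with a tag so the text can be shared
    (for example in a vendor support ticket) without the underlying PHI."""
    for kind, pattern in IDENTIFIER_PATTERNS.items():
        text = pattern.sub(f"[{kind.upper()}]", text)
    return text


# Constructed sample lines, not real patient data.
SAMPLE_RECORDS = [
    "Refill Rx for Jane Doe, DOB 04/12/1975, call 555-123-4567, MRN 00123456",
    "Store Wi-Fi printer at 192.168.1.50 rebooted at 09:00",
    "Patient email jane.doe@example.com, SSN 123-45-6789, diagnosis on file",
]

if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        print("PHI" if is_phi(line) else "   ", redact(line))
```

Run against the three sample lines, the first and third are flagged as PHI (identifier plus health context) while the printer line carries an IP address but no health information; `redact` is what you would apply before pasting any of them into an email or ticket.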
Procedures, Good Practices, and Training
Before staff can be trained on data security, management must first understand the key cybersecurity risks to their organization. A pharmacy should give some thought to what its standard operating procedures will be for cybersecurity concerns.
A vulnerability assessment should be produced to evaluate information system vulnerabilities and the management of the associated risk. This assessment should cover the following:
- servers used for internal hosting and supporting Infrastructure
- servers which will be accessed through a reverse proxy
- desktops and workstations
- perimeter network devices exposed to the internet
- all external-facing servers and services
- network appliances, streaming devices, and essential IP assets that are internet-facing
- public-facing applications and devices (Wi-Fi connected blood pressure machines, weight scales, BMI calculators, etc.)
- cloud-based services
Some pharmacy systems will now interface through the cloud, and most pharmacies today have a system that communicates with an e-prescribing network. Pharmacists should request that a vulnerability assessment be carried out on a regular basis for all such systems so that potential security gaps can be identified and mitigated. Critical security controls should be in place to monitor the activities of all pharmacy systems.
NOT Sharing, … is Caring
Also, pharmacy store owners need to ensure that their systems employ a comprehensive data defense strategy with robust firewalls. This includes encryption and safe access for data exchanges. Further, access to data (PHI) should be limited based on individuals’ roles, so that only those with a genuine business need have access to confidential patient data; this includes remote access to the store’s systems. The minimum-necessary principle should be kept in mind for all staff as it relates to PHI.
Pharmacists should ensure that credentials for system access are in the right hands, that IDs and passwords are not shared, and that they are changed on a routine basis. This is a process that should be constantly reviewed. Oh, and if people complain about the extra ‘work’ of typing in passwords all the time, you can deploy fingerprint readers, barcoded ID badges, and/or proximity badges to speed up the process without sacrificing security. For many stores, one of these technologies will provide a higher level of security than they use today without affecting the speed at which they work.
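To make the minimum-necessary idea concrete, here is an added Python example (not code from this article or from any pharmacy management system) that filters a patient record down to the fields a role needs, blocks remote sessions for roles that should only work from inside the store, and writes every allow or deny decision to an audit log. The role names, field names and the sample record are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Constructed roles and the PHI fields each may see. Role names, field names
# and the record layout are assumptions for this example, not a real PMS schema.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "pharmacist": frozenset({"name", "dob", "phone", "medications", "allergies", "prescriber"}),
    "technician": frozenset({"name", "dob", "phone", "medications"}),
    "cashier": frozenset({"name", "phone"}),  # enough to hand over a bagged prescription
}

# Roles permitted to reach the system from outside the store network.
REMOTE_ALLOWED: FrozenSet[str] = frozenset({"pharmacist"})


@dataclass
class Session:
    user: str             # the individual's own login, never a shared ID
    role: str
    remote: bool = False  # True when connecting from outside the store


@dataclass
class AuditLog:
    """Append-only record of every allow/deny decision, for later review."""
    entries: List[str] = field(default_factory=list)

    def record(self, message: str) -> None:
        self.entries.append(message)


class AccessDenied(Exception):
    pass


def minimum_necessary_view(session: Session, record: Dict[str, str], audit: AuditLog) -> Dict[str, str]:
    """Return only the fields of a patient record that this session's role needs.

    Unknown roles get nothing, remote sessions are limited to REMOTE_ALLOWED,
    and every decision is written to the audit log."""
    if session.role not in ROLE_PERMISSIONS:
        audit.record(f"DENY user={session.user} role={session.role} reason=unknown_role")
        raise AccessDenied(f"role {session.role!r} has no PHI permissions")
    if session.remote and session.role not in REMOTE_ALLOWED:
        audit.record(f"DENY user={session.user} role={session.role} reason=remote_not_permitted")
        raise AccessDenied(f"role {session.role!r} may not access PHI remotely")

    allowed = ROLE_PERMISSIONS[session.role]
    visible = {name: value for name, value in record.items() if name in allowed}
    withheld = sorted(set(record) - allowed)
    audit.record(
        f"ALLOW user={session.user} role={session.role} remote={session.remote} "
        f"fields={sorted(visible)} withheld={withheld}"
    )
    return visible


# Constructed sample record, not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "dob": "04/12/1975",
    "phone": "555-123-4567",
    "medications": "lisinopril 10mg",
    "allergies": "penicillin",
    "prescriber": "Dr. Example",
}

if __name__ == "__main__":
    log = AuditLog()
    print(minimum_necessary_view(Session("cashier1", "cashier"), SAMPLE_RECORD, log))
    print(minimum_necessary_view(Session("rph1", "pharmacist", remote=True), SAMPLE_RECORD, log))
    for entry in log.entries:
        print(entry)
```

The point of the audit log is that a shared login would make its `user=` column meaningless; the check only proves who saw what if every staff member signs in as themselves.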
Social Media use in the Pharmacy
To draw less attention and so lower your chances of an unwanted advance or planned attack, you want to always follow best practices with your social media use and browsing habits, which we will discuss in another part of this series. For now, below are some simple rules or behavior changes regarding the internet and social media in general:
- Do not advertise information about financial assets, including ownership or investment of cryptocurrency, on social media websites and forums.
- Do not provide your mobile number account information over the phone to representatives that request your account password or PIN. Verify the call by dialing the customer service line of your mobile carrier.
- If someone contacts you claiming to be from a particular institution and asks for account details or personal information, call them back on a number you already know to be sure they are who they say they are. Because caller ID can be spoofed, a call that appears to come from a familiar number may not actually be from that company.
- Avoid posting personal information online, such as mobile phone numbers, addresses, or other personally-identifying information.
- Use a variety of unique passwords longer than 8 characters with upper and lower case letters, numbers, and some special symbols to access online accounts. Read more about this via our link below as well. Don’t use the same passwords across different platforms. If one is compromised, they will have your password to try on other platforms.
- Be aware of any changes in SMS-based connectivity (SMS is simply text messaging).
- Use strong multi-factor authentication methods such as biometrics, physical security tokens, or standalone authentication applications to access online accounts.
- Do not store passwords, usernames, or other login information in mobile device applications unless they are specifically designed for that purpose. One example is a tool like 1Password, a highly secure, multi-platform program that manages and even generates secure passwords for your logins (and for your team or family).
Many of these bullet points may seem like personal security considerations. People manage these accounts. It’s not so different in that sense from their personal account security. It can just have a more serious impact on your business when something goes wrong. Your pharmacy’s security starts with every member of your staff (and family) that comes into the store accessing the store’s network and utilizing their own personal devices such as a cell phone from within your store.
Data Recovery and Back-Up
Should your PMS (Pharmacy Management System) be corrupted or infected, it is paramount that you have reliably backed up your system’s data and have an off-site service that backs up your data regularly. Natural disasters or an “act of God” can have the same effect on your store’s PMS. A total loss of your system’s data is akin to ‘starting over’ or closing the doors for good! The easiest way to avoid such a calamity? Off-site data storage, for starters. It’s not just a recommendation anymore. Backup data must be stored off-premises; this way it won’t be lost if computer equipment is damaged, malware encrypts your systems for ransom, etc. Keeping storage devices only on-site nowadays creates additional, unnecessary risk.
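As an added example (not part of this article, and not a description of how RxInsight or any particular product works), the Python check below verifies the things that make a backup trustworthy rather than merely present: an off-site copy exists, it is recent, it can actually be retrieved, and its checksum still matches the one recorded when it was taken, which is how silent corruption or tampering of the stored copy is caught before you need it. The manifest layout, file names and sample data are constructed assumptions.

```python
import hashlib
from datetime import datetime, timedelta, timezone
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """Checksum recorded when the backup is taken and re-checked on retrieval."""
    return hashlib.sha256(data).hexdigest()


def make_manifest_entry(name: str, location: str, taken_at: datetime, data: bytes) -> dict:
    """Describe one backup copy: where it lives, when it was taken, and its checksum."""
    return {"name": name, "location": location, "taken_at": taken_at.isoformat(), "sha256": sha256_hex(data)}


def verify_offsite_backup(manifest: List[dict], retrieved: Dict[str, bytes], now: datetime,
                          max_age: timedelta = timedelta(hours=24)) -> List[str]:
    """Check that the newest off-site copy is recent, retrievable, and intact.

    manifest:  entries from make_manifest_entry (location "offsite" or "onsite")
    retrieved: name -> bytes actually pulled back from the off-site service
    Returns a list of problems; an empty list means the copy is usable for a restore."""
    problems = []
    offsite = [entry for entry in manifest if entry["location"] == "offsite"]
    if not offsite:
        return ["no off-site backup copy exists; on-site copies alone do not survive a site loss"]

    latest = max(offsite, key=lambda entry: datetime.fromisoformat(entry["taken_at"]))
    age = now - datetime.fromisoformat(latest["taken_at"])
    if age > max_age:
        problems.append(f"{latest['name']} is {age} old, older than the {max_age} limit")

    data = retrieved.get(latest["name"])
    if data is None:
        problems.append(f"{latest['name']} could not be retrieved from off-site storage")
    elif sha256_hex(data) != latest["sha256"]:
        problems.append(f"{latest['name']} checksum mismatch: copy is corrupt or was altered")
    return problems


# Constructed sample data: two small stand-in "backups" and when they were taken.
NOW = datetime(2024, 3, 2, 8, 0, tzinfo=timezone.utc)
PMS_DATA_YESTERDAY = b"rx-db-snapshot-v1"
PMS_DATA_TODAY = b"rx-db-snapshot-v2"
MANIFEST = [
    make_manifest_entry("pms-20240301.bak", "onsite", NOW - timedelta(hours=30), PMS_DATA_YESTERDAY),
    make_manifest_entry("pms-20240302.bak", "offsite", NOW - timedelta(hours=2), PMS_DATA_TODAY),
]


def demo() -> Dict[str, List[str]]:
    """Run the check against an intact copy, a tampered copy, a missing copy, and a stale one."""
    return {
        "intact": verify_offsite_backup(MANIFEST, {"pms-20240302.bak": PMS_DATA_TODAY}, NOW),
        "tampered": verify_offsite_backup(MANIFEST, {"pms-20240302.bak": b"garbage"}, NOW),
        "missing": verify_offsite_backup(MANIFEST, {}, NOW),
        "stale": verify_offsite_backup(MANIFEST, {"pms-20240302.bak": PMS_DATA_TODAY}, NOW + timedelta(days=2)),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "OK" if not problems else problems)
```

Scheduling a check like this daily, and alerting when the list is non-empty, is what turns "we have backups" into "we know the backup will restore"; a periodic full test restore onto spare hardware is the final step the script cannot replace.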
Talk to us
We here at Point of Care systems have both system and off-site recovery services available built-in with real-time data transfer. If you would like to see how our all-new RxInsight Suite handles this, please contact us at sales@pocsrx.com
There is so much to cover in this wide-ranging topic. Please come back soon to take a look at Part II in this series: Protecting your personal information.
Check out the links below to view previous articles written by us here at Point of Care regarding cybersecurity and working from home during the pandemic, as well as additional links for related information.
Some Business Resources In The Time Of Covid-19 – Part I
Security tips for working from home
Protecting Your Business. Questions YOU Should Ask Your System Vendors Today – Part III
More related articles to read through:
Most common passwords to avoid!
40% of all emails are potential threats!
5 Smart Data Storage and Management tips for the small business owner