Pharmacy is a prime target. Research in England, for example, revealed that 13% of respondents had been the victim of personal medical data theft. Of these thefts, 35% happened not in a hospital setting (29%) or at the GP surgery (19%) but in pharmacies.
It’s not just the theft of the data that links to pharmacy, but the subsequent use of that stolen information. The same research suggested that in the majority of cases (42%) it was used to fraudulently fill prescriptions.
Despite this, some 77% of those polled said they still had trust in their pharmacy to secure their health data.
Just last month, the National Cyber Security Centre (NCSC) Ireland highlighted an increased threat arising from the Covid-19 pandemic. This has not only caused health concerns and significant disruptions in businesses, but also created growing uncertainties among the public, health care workers, managers and policy makers.
Head of Information and Technology with the Irish Pharmacy Union, Alan Reilly, says, “Anecdotally there has been an increase in cybersecurity attacks and in particular ‘phishing’. Phishing is where someone fraudulently attempts to trick users into disclosing sensitive information, such as usernames, passwords or credit card details. However, the IPU has not received a noticeable increase of such reports,” he says.
“In most cases, the pharmacy’s system vendor is responsible for the protection of patient information and provides the pharmacy with the necessary information security measures e.g. anti-virus software and firewalls.”
The problem is not just confined to Ireland and the rest of the UK but is indeed worldwide. Globally, pharmacies have been targets for ransomware actors, rather than just collateral damage as the NHS was in the WannaCry affair. A number of Australian pharmacies were held to ransom in 2014, and German pharmacies were also targeted last year as electronic prescriptions and digital records become the norm.
In the USA, HHS reported 12 data breaches this year where more than 100,000 patients’ information was affected. This included over 650,000 in Portland, 550,000 in Elkhart and over 166,000 in Atlanta.
“Security awareness training remains a major challenge,” says Meta Compliance, training providers in this field. “All employees, at every level of the organisation, should receive security awareness training to ensure they have the skills required to identify an attack. Cyber awareness training should be engaging and informative to ensure that staff understand what is required of them and the importance of their role in safeguarding the organisation’s sensitive data.”
“Pharmacy IT security keeps me awake at night!”, said Keith McLernon, MD of McLernons. “I know that sounds a bit melodramatic, but it is true. Every day I receive multiple emails advising of cyber attacks on community pharmacies and other healthcare facilities all around the world, and the figures are mind-boggling.
“If a pharmacy is the subject of ransomware, they could potentially lose their business overnight. And that doesn’t take into account any fines which might be imposed by the Data Protection Commissioner should they be found to have been in breach of the legislation!”
Keith added, “We have a great relationship with our customers, built up over years and decades, and they regard us as their pharmacy IT partner. However, there are some things that we cannot do for them, and one of them is retrieve data if they have been hacked into. We have safeguards and checks built into our software, but the pharmacist is still ultimately responsible for their IT network, for the provision of firewalls, for the regular changing of passwords, for carrying out frequent backups and for the training of their staff. We can help give advice on our preferred partners but the pharmacist must make the decision to make increased cyber security a priority. My worry is that at the moment, this isn’t seen as a big deal, and it won’t be a big deal until your system is hacked into and you phone our Customer Service team asking for help.
“That is not to say that we can’t help – but it must be proactive on your part. If you are hacked, if you reply to a spam email because you use a cheap or free-to-use email account which doesn’t filter suspect messages, if you are using an old operating system such as Windows 7, if you allow access to other websites from your pharmacy computer, then there is very little we can do to help you.
“We have recently switched our remote monitoring and management service, with enhanced antivirus, and we will be rolling this out to all our customers in the next few months. However, individual pharmacies need to carefully review their current cyber security provisions and seek to upgrade them as soon as possible. There are some frightening statistics out there:
- 41% of Irish firms have experienced at least one cyber attack event in the six months from September 2019 to February 2020, according to a recent report by the Hiscox Insurance Group
- 6.5% of Irish firms had to pay a ransom following a ransomware attack, with the median cost of these attacks around €92,000
- 57% of Irish people admit to opening emails from people they don’t know
- Only 26% of Irish internet users regularly change their passwords
- 7% were victims of ransomware”
Keith concluded, “We are very grateful to the IPN for bringing attention to this very important issue for community pharmacy – the number of phishing attacks on Irish businesses has increased during the Covid-19 pandemic as opportunists seek to exploit weaknesses as people are forced to adapt to new ways of working. Is the laptop that you use at home secure?
“Are your CCTV and credit card units on your pharmacy network? I would strongly urge all our customers to review their IT security arrangements and call one of the McLernons team for advice and information, before it is too late.”
Alan continues, “The IPU publishes a guide for members called the IPU Information Security Guide for Community Pharmacy, which explains topics such as: Access to information; Password Protection; Data Backup; Data Recovery; and, Disposal of Equipment. The number one key measure to protect a pharmacy from cyberattacks is staff awareness of information security risks and preventative measures.
“Pharmacies should promote acceptable use of computer equipment in your pharmacy as a measure to protect employee and patient information; inappropriate use exposes a pharmacy to risks including virus attacks. By promoting a ‘think before you click’ ethos, pharmacy staff will be less likely to open email attachments or click on web links which could infect your computer system with a virus.”