Ransomware and cybersecurity threats expose patients to risks.
Pharmacists strive to do no harm. However, they could be unintentionally exposing patients to risk through gaps in cybersecurity and outdated technology.
Across the globe, health-care systems have become the targets of ransomware attacks: attacks where hackers gain access and essentially kidnap data and patient information to hold it hostage until a ransom is paid.
In May, a ransomware attack known as WannaCry affected more than 200,000 computers in 150 countries with victims including hospitals, banks, and telecommunications companies.
The attack crippled the National Health Service (NHS) in the United Kingdom, impacting information technology and phone systems in NHS hospitals. The computer systems had to be temporarily shut down and hospitals were forced to ask patients not to come in unless it was an emergency.
Just a month later, another ransomware strain, known as NotPetya, spread even faster through computer systems across the globe.
While each attack is slightly different, experts say the key message remains the same. “We all have basically the same level of vulnerabilities if we do not do the basic type of housekeeping that we need to do around our technology and our cultures within our organizations,” said Rod Piechowski, MA, Senior Director of Health Information Systems at HIMSS, a nonprofit organization seeking to improve health through information technology.
Afton Wagner, PharmD, Senior Manager of Federal Affairs and Pharmacy Initiative at HIMSS, said that although pharmacy has not traditionally been considered a stakeholder in this issue, cybersecurity should not be a foreign concept to the industry in light of the sensitive patient information and billing data pharmacies have at their fingertips. “Because of all this different access to information, pharmacy can be an attractive point of system intrusion,” she said.
U.S. hospitals are vulnerable to attack. “I don’t think there’s enough accountability and responsibility in the hospitals right now,” said Mick Coady, Health Information Privacy and Security Partner at PwC, the professional services firm. “I don’t think they’ve spent enough money through the IT budgets versus what you would see in retail or banking right now.”
For years, Coady said, hospitals have spent their budgets on patient care or medical equipment, leaving less of a budget for IT.
“You are now sitting in a place where everyone is trying to play catch up,” he said.
Coady said regional hospitals are particularly vulnerable because many are trying to put large electronic medical records systems in place, but the IT networks themselves are often not ready to withstand security threats. Many lack modern firewalls, threat intelligence, data loss prevention tools, or access management tools.
“The network itself becomes a very vulnerable spot and in the meantime we’re taking everything from paper into electronic medical records, so it just becomes kind of a whirlwind of a place where more risk is exposed than needs to be at the time,” Coady said.
Medical records can be appealing to attackers because of all the personal and medical data the records typically include, especially financial or billing information. For example, when a patient walks into an emergency room, they typically provide a driver’s license, insurance card, and credit card or other form of payment, which is all stored in an electronic system along with that patient’s health data and medication information.
Coady said PwC has seen medical record sales in some countries going for anywhere from $800 to $1,100 per record on illicit sections of the internet. This data can then be used in identity theft or filing false insurance claims. Coady said some attackers are also playing more of a long game, gathering genomic data to either use for nefarious reasons or to produce genomically-based drugs.
Piechowski added that when an IT system is compromised, it can affect the confidentiality, integrity, or availability of data. If a breach occurs it can impact the validity of the data and can bring an organization to a halt.
“Ransomware can also affect the integrity of the data and that’s a really important thing I believe, especially if you are talking about pharmacy,” he said. “If someone can get in there and change the data, corrupt it somehow, in a way that’s maybe not obvious at first but just different enough to endanger someone, that’s a problem.”
To help mitigate the risk within the health-care system, pharmacies and hospitals can take several steps to practice better cybersecurity and ensure that all employees are more mindful of the security risks that exist.
According to Piechowski, many of the recent ransomware attacks, including WannaCry, Petya, and NotPetya, were all dependent on vulnerabilities that remain in out-of-date technologies. Many systems or medical devices may be running older technology or software systems, such as Windows XP, that can leave systems vulnerable when those systems are not updated or are no longer supported by the manufacturer.
According to Wagner, unmaintained systems are one of the largest causes of data breaches.
“Something in the pharmacy sector that might be helpful, especially in smaller community pharmacies or even within health systems, is education and training of all pharmacy and health-system staff,” she said. “Education across the board of all health-care professionals of best cyber-hygiene practices is really paramount.”
Education can also help eliminate human error, another potential cause of data breaches, and create an environment where cybersecurity is valued.
“If the top management exhibits cyber-awareness and good cyber-hygiene practices and acknowledges that it is everybody’s responsibility, then that leadership from the top will start to become absorbed and become part of the culture, and that’s a really, really big part of it,” Piechowski said.
Wagner said pharmacies should also develop a plan and discuss with their employees what to do in the event of a system shutdown. “What is the pharmacy department going to do? Do they have enough supplies in place? Are they able to make sure that the team is aware of best practices in terms of a system shutdown, because systems need to shut down to make sure that more data is not lost,” she said. “Educating staff on those operating procedures is really important to make the process smooth and speed up recovery.”
Another prime area for data leakage is through business associates or third-party vendors, so experts recommend having contracts and service level agreements in place with vendors that include good security procedures to try to reduce vulnerabilities.
“That’s very important because you can be doing everything you should be doing but if one of your vendors is not, it may as well have been you that compromised the data,” Piechowski said.
He recommends working with vendors and companies where security is an integral part of the software development process and is not considered an afterthought.
Good cybersecurity policies also include controlling who has access to data and what kind of access they have.
Wagner said pharmacies need to ensure that passwords are up to date and that if employees leave the pharmacy, their access or account is deleted from the system.
“Two-step authentication and passwords could also be another step to mitigate risk,” she said.
The key to sound cybersecurity practices is being proactive and creating policies and patterns that best protect a system before a breach occurs.
“Everyone plays a role in securing information,” Piechowski said. “They are responsible for their patient data and the information that they use in their day-to-day jobs. Everyone at an organization is responsible and plays a role.”