
Black Market Boom: Protecting Pharmacy Data from Cybercrime

Drug Topics Journal, March 2022, Volume 166, Issue 03

Personal health information is among the most valuable black-market data for cybercriminals to collect and sell.

Best Value Pharmacies is under attack. Every week, the company's 13 Dallas-Fort Worth area stores stop multiple online attacks. Some are as obvious as invoices from vendors the company has never used, sent from online accounts outside the United States, sometimes not even in English. Others look like legitimate emails but carry hidden malware designed to open the company up to ransom and theft.

“Some of those cyberattacks have gotten through our outer defenses, firewalls, antivirus programs, and other protections,” said Jason Carter, chief technology officer at Best Value Pharmacies. “Luckily, we train all our employees to think before they click. Knock on wood—our staff have stopped the intruders.”

Best Value isn’t alone: Every pharmacy, large and small, as well as every health care provider and organization, is in the crosshairs.

“Hackers see pharmacy and health care as low-hanging fruit,” Carter said. “Any organization that has protected health information (PHI) is a rich target. Independent pharmacies don’t always have the advanced firewalls and security that larger organizations have.”

“It’s all about value,” said Jeff Hedges, president and CEO of R.J. Hedges & Associates, a pharmacy compliance consultant group in New Florence, Pennsylvania. “The black-market value of a Social Security number is under $1, [and] a credit card [is] maybe $5,” he explained. Patient health records, on the other hand, are valued at $250. “It’s not a matter of if you will be attacked—it’s when and how you protect yourself.”

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 defines PHI to include any information in an individual's health record that can identify that individual. Unlike a credit card, which can be cancelled and reissued, PHI can't easily be cancelled or changed.1

PHI typically bundles several kinds of data: health, financial, personal, Social Security, and insurance information, among others. Stealing several kinds of data at once fuels several kinds of fraud, from draining bank accounts and other financial assets to writing fake prescriptions, obtaining treatment, filing false claims, and more. Because PHI is difficult to cancel or change, misuse can generate illicit income for years after a breach has been identified and plugged.

More Than PHI

Pharmacies offer cyber criminals other targets as well, including employee data and financial assets. Ransomware can be introduced into any computer system, often by opening an infected email attachment; once inside, it encrypts system data and holds it for ransom. Ransomware is widely available online and is often deployed by groups with global reach.

“These gangs carefully vet their targets before attacking,” said Nick Dorazio, president of LVTech LLC, a health care cybersecurity provider in Greensburg, Pennsylvania. “I’ve seen pharmacies hit for $10,000 ransom, and the same program used against larger pharmacies to collect millions. It’s a massive, organized operation run by people who go into the office every day, and their only job is to break into you.”

More than one-third of health care organizations in the United States were hit by ransomware attacks in 2020, Hedges said. Approximately 65% of these attacks were successful, and approximately one-third of the organizations that had data stolen paid up. However, only 69% of organizations that paid ransom actually got their data back.2


“Don’t think that just because you are a small independent pharmacy that you are safe,” said Dallas Moore, PharmD, MS, director of pharmacy informatics and technology at the University of Utah Health Hospitals and Clinics in Salt Lake City. “We are all targets, all the time. The problem is only going to get worse.”

ECRI, a global health care quality and safety group, identified cybersecurity attacks as the top health technology hazard for 2022.3 Health care is a popular target, along with accommodation, the public sector, retail, and finance, according to digital security specialists at Ekran System. IBM Security reports that health care has had the most expensive data breach costs of any industry for the past 11 years, averaging $9.23 million per breach in 2021.4

Insurance policies rarely cover the entire financial cost of a cyber breach, Hedges cautioned. Any HIPAA breaches can lead to massive fines that are not discharged in bankruptcy, and no insurance policy can restore patient trust lost in a cyber breach.

A Safer Pharmacy

“Protecting yourself starts with pharmacy leaders and staff educating themselves about the risks and the impact cyberattacks can have on your organization and your patients,” said Melissa Skelton Duke, PharmD, MS, BCPS, FAPhA, executive director of population health pharmacy solutions at Banner Health in Phoenix, Arizona. “The second thing is to minimize the risk of cybersecurity attacks in day-to-day operations. It’s a cat-and-mouse game that is always evolving.”

Solid cybersecurity takes a layered approach. The first layer is a private domain, something like fredspharmacy.com, Dorazio said. A private domain lets the pharmacy run its own company email, which is easier to secure than a scattering of personal employee email accounts. “We still see pharmacists using AOL for their email, which is anything but secure,” said Dalton Fabian, PharmD, data scientist at UnityPoint Health in Des Moines, Iowa. “Not using a company email for your pharmacy, or allowing employees to log in using their personal email, is inviting attack.”

Just as physical security starts with an alarmed wall, cybersecurity starts with a firewall that can be tuned to stop threats from the outside, block outgoing connections to unsafe destinations, and prevent downloads of content, such as online games, that may harbor malware. A virtual private network (VPN) encrypts traffic in transit, a key safeguard when staff log into the pharmacy system remotely.

“Work with your IT [information technology] vendor to design your protection, first by finding an IT security vendor who knows health care—preferably pharmacy,” Fabian said. “We have specific cybersecurity needs and vulnerabilities.”

The next layer is endpoint protection. Dorazio recommended active EDR/XDR (endpoint detection and response/extended detection and response) tools rather than conventional antivirus alone. With cyber crooks using artificial intelligence (AI) to create malware, he argued, pharmacies need AI-assisted protection in turn. “EDR/XDR is AI-based to detect [emerging] threats,” he said. “Having these active protections on each device is one of the best ways to stop intruders.”

The final layer is staff training. Phishing—emails designed to trick users into disclosing information, opening infected attachments, or visiting infected websites—is the source of most ransomware and other malware, Dorazio explained. Every person with any access to any part of the pharmacy system—from the owner to the newest part-timer—should be trained to recognize phishing.

“The most effective approach is a short training session with a surprise phishing test from you or a security firm like ours,” he said. “That [instantly] tells you who got the message and who needs to pay more attention.”

The key is to look at where the email came from and where any active links lead, Dorazio explained. Before clicking a link, hover over it or right-click and copy it to see its true destination, and check the sender's actual address rather than just the display name. “Think before you click,” he said. “If there is one-half of 1% of doubt, don’t click on it. If you’re not expecting something, chances are it’s not real.”
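The checks above (does the sender's address match the name it shows, do replies and bounces go somewhere else, does a link's visible text match where it really points) can be automated as a first-pass triage on suspicious messages. The following is an added example, not code from the article or from any of the firms quoted in it. It uses only the Python standard library; the pharmacy domain fredspharmacy.example, the two sample messages, and the look-alike and relay domains in them are constructed for the demonstration.

```python
"""Heuristic phishing triage for one raw email: compare the claimed sender
with the envelope headers, and each link's visible text with its real target.
Added example; the sample messages below are constructed, not real mail."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed pharmacy domain (hypothetical, echoing the article's fredspharmacy.com).
TRUSTED_DOMAIN = "fredspharmacy.example"

# Constructed lure: look-alike From domain, third-party Reply-To/Return-Path,
# and links whose visible text does not match where they actually go.
SAMPLE_EML = b"""From: "Fred's Pharmacy Billing" <billing@fredspharmacy-invoices.example>
Reply-To: collections@mail-relay.example
Return-Path: <bounce@mail-relay.example>
To: owner@fredspharmacy.example
Subject: Invoice 88213 past due
Content-Type: text/html; charset=utf-8

<html><body>
<p>Pay now: <a href="http://fredspharmacy.example.attacker-host.example/pay">https://fredspharmacy.example/billing</a></p>
<p>Or here: <a href="http://203.0.113.7/login">https://fredspharmacy.example/login</a></p>
<p>Questions? <a href="https://fredspharmacy.example/contact">Contact us</a></p>
</body></html>
"""

# Constructed legitimate message from the pharmacy's own domain.
BENIGN_EML = b"""From: "Fred's Pharmacy" <billing@fredspharmacy.example>
To: owner@fredspharmacy.example
Subject: Monthly statement
Content-Type: text/plain; charset=utf-8

Your statement is ready at https://fredspharmacy.example/billing
"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Hostname of a URL, lower-cased, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. A crude stand-in for a public-suffix
    lookup; fine for this demo, wrong for co.uk-style suffixes."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def domain_of(addr_header: str) -> str:
    """Domain part of the address in a From/Reply-To/Return-Path header."""
    _, addr = parseaddr(addr_header)
    return addr.rpartition("@")[2].lower()


def extract_links(msg) -> list:
    """(href, visible text) for every link in the preferred body part."""
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is None:
        return []
    content = body.get_content()
    if body.get_content_type() == "text/html":
        parser = LinkExtractor()
        parser.feed(content)
        return parser.links
    # Plain text: the URL is its own visible text.
    return [(u, u) for u in re.findall(r"https?://\S+", content)]


def analyze(raw: bytes, trusted_domain: str = TRUSTED_DOMAIN) -> list:
    """Return human-readable findings; an empty list means nothing looked off."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_header = str(msg.get("From", ""))
    from_name, _ = parseaddr(from_header)
    from_domain = domain_of(from_header)
    brand = trusted_domain.split(".")[0]
    # Display name claims the pharmacy but the address lives elsewhere.
    if brand in re.sub(r"[^a-z0-9]", "", from_name.lower()) and from_domain != trusted_domain:
        findings.append(f"From display name {from_name!r} claims the pharmacy, but address domain is {from_domain}")

    # Replies and bounces routed to a different domain than the visible sender.
    for header in ("Reply-To", "Return-Path"):
        value = msg.get(header)
        if value and domain_of(str(value)) != from_domain:
            findings.append(f"{header} domain {domain_of(str(value))} differs from From domain {from_domain}")

    for href, text in extract_links(msg):
        href_host = host_of(href)
        if href_host.startswith(trusted_domain + ".") and registrable_domain(href_host) != trusted_domain:
            findings.append(f"look-alike link: {href_host} only begins with {trusted_domain}")
        elif text.startswith(("http://", "https://")) and host_of(text) != href_host:
            findings.append(f"link text shows {host_of(text)} but points to {href_host}")
        elif registrable_domain(href_host) != trusted_domain:
            findings.append(f"link leaves the pharmacy domain: {href_host}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EML):
        print("-", finding)
```

Run against the constructed lure, `analyze` reports five findings: the spoofed display name, the mismatched Reply-To and Return-Path, the look-alike host that merely begins with the pharmacy's domain, and the link whose text shows the pharmacy but resolves to a bare IP address. The benign statement yields none. These are heuristics, not a verdict; a message that passes them can still be malicious, and the "think before you click" rule still applies.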

References

  1. Why is PHI valuable to hackers? Accountable. Published January 25, 2022. Accessed February 10, 2022. https://www.accountablehq.com/post/why-is-phi-valuable-to-hackers
  2. Hedges J. Dreaded reality of ransomware in pharmacies part 1 [podcast]. R.J. Hedges and Associates blog. Published January 6, 2022. Accessed February 10, 2022. https://www.rjhedges.com/blog/how-to-protect-your-pharmacy-against-ransomware
  3. Top 10 health technology hazards for 2022. ECRI. Accessed February 10, 2022. https://assets.ecri.org/PDF/White-Papers-and-Reports/ECRI_Top10Hazards_2022_ExecutiveBrief.pdf
  4. Tunggal AT. What is the cost of a data breach in 2021? UpGuard blog. Updated January 14, 2022. Accessed February 10, 2022. https://www.upguard.com/blog/cost-of-data-breach
  5. How to be a healthcare BA and not lose 25 million PHI records. Agio blog. Published November 29, 2021. Accessed February 10, 2022. https://healthcare.agio.com/newsroom/how-to-be-a-healthcare-ba-and-not-lose-25-million-phi-records/
