Cybersecurity: Safeguarding Your Pharmacy from Hackers

May 15, 2019
Joe Dysart
Volume 163, Issue 5

Independent pharmacies that are uneasy about the increasing frequency of hacking in today’s business world can take heart: With a bit of planning, you can significantly reduce your vulnerability to a computer break-in via the internet.

“In this climate, I believe we all need to be on ultra-high alert,” says Kari VanderHouwen, RPh, owner of Duvall Family Drugs Health Mart in Duvall, WA. 

“Naively, I would like to believe that we are so small we wouldn’t be worth their time,” VanderHouwen says. “But I do know that they are looking for the low-hanging fruit.”

Some of the most notorious hacks during the past few years have been, and most likely will continue to be, perpetrated by a shadowy group of computer wizards known as Anonymous.

“Anonymous is heroic to many people who are sick of government lies and weary of government intrusion, unwarranted and warrant-less, into the lives of U.S. citizens,” says Sharon D. Nelson, president of Sensei Enterprises, a computer security consulting firm.

“They have become very much like, in ‘The Terminator’ movies, the Resistance fighting Skynet,” she says. “Many are ‘script kiddies,’ casual computer users without deep knowledge of computer code, or amateur hackers. But there is a core group of hackers who have extraordinary skills. They present one of the greatest security threats in recent years. And we have not, so far, done a lot to counter their intrusions.”

Perhaps even more sinister than Anonymous is the professionalization of hacking that has emerged in recent years: scores of hackers have become 9-to-5 workers, with jobs that include holidays, vacations, and many of the other trappings associated with legitimate employment.

Kevin Haley, director of Symantec Security Response, says, “advanced criminal attack groups now echo the skill sets of nation-state attackers. They have extensive resources and a highly-skilled technical staff that operate with such efficiency that they maintain normal business hours. We are even seeing low-level criminal attackers create call center operations to increase the impact of their scams.”

Ransomware

One of the preferred ploys of these organized crime rings is ransomware: malware that downloads onto your PC or business network. It then secretly encrypts all your business data, and the hackers demand a ransom to restore your files.

Rich Conklin, an IT security consultant and owner of Executive Computer Solutions, says one of his clients was recently hit with ransomware that brought down 28 of its computers. 

“Because they had a formal data back-up program for their business, which I recommended and maintain, I was able to get most of their data restored later the same day,” Conklin says.

Ryan Naraine, a head of global research and analysis at the cybersecurity firm Kaspersky Lab, hears network take-over horror stories like Conklin’s every day. 

“Right now, ransomware is an epidemic,” Naraine says. “Although it has been around for more than a decade, we have seen a recent explosion of new ransomware families that is cause for serious concern.”

Indeed, some of the newest variants of ransomware are now popping up on smartphones and other mobile technologies, according to a report released by Christian Fredrickson, CEO of F-Secure.

Take Cybersecurity Seriously

The security take-away? Independent pharmacies of all sizes need to make peace with the fact that hackers won’t be neutralized any time soon. And they need to be honest with themselves that their current computer defenses are probably Silly Putty in the hands of experienced hackers.

The best way to begin hardening the online digital perimeter of your pharmacy is to realize that the person or staff responsible for your web security, rather than the security technology they happen to administer and oversee, is the overarching factor in keeping your pharmacy data safe.

“Fundamentally, good security really is just good systems administration,” says Ira Winkler, founder of Internet Security Advisors Group, a computer security consulting firm. “And if you can’t afford or can’t get a good system administrator, I recommend outsourcing that.”

In fact, Winkler says the smallest of independent pharmacies will probably be best served by using an outsourced third-party computing solution, given that the entire focus of a top-notch network systems provider is on configuring, maintaining and securing computer systems 24 hours a day and seven days a week. 

In other words: You might want to move the critical computer applications of your pharmacy to the cloud, so you can take advantage of the relatively sophisticated web security offered in those systems, Winkler says.

“We utilize a company called NuArx to manage our firewall and virtual private networks,” says Paul Grisnik, RPh, CEO of RxXpress Health Mart Pharmacy in Grove City, PA. “They, in real-time, monitor the data streams for viruses and possible attempted attacks on our computer network.”

Ram Subramanian, PhD, vice president of research and development at PerciptiMed, a software company specializing in making sure drugs are dispensed correctly, says, “Pharmacies should partner with IT service providers specializing in computer support and security that gives them 360-degree protection from various modes of digital threats.”

At a minimum, Sensei’s Nelson recommends a quality internet firewall that’s properly configured, and internet security software that guards against viruses, malware, and spyware. Both are available with software packages like Symantec’s Internet Security, Kaspersky Security, Trend Micro Security, and the like.

And you’ll also need to be sure your staff gets the message that your pharmacy’s security must be taken very seriously. “Education of your employees is key,” Conklin says.

Avoid Custom Software

Staying a step ahead of hackers also means being careful with any custom-made software, Nelson adds, since these programs are rarely subjected to the rigorous security testing that popular established software undergoes. 

Content management systems (CMS), software designed to enable independent pharmacies to easily update their web sites, are often custom-made, for example. “A custom CMS is usually a bad idea,” Nelson says.

Guard Passwords 

Many employees also tend to get lazy about passwords. Surprisingly, one of the most commonly used passwords is still “password,” a seemingly trivial oversight that has spelled the undoing of otherwise stellar computer security systems. 

Nelson recommends complex passwords of more than 12 characters, both letters and numbers, which are tough to crack even by software specifically designed to crack passwords. And she reminds people to use different IDs and passwords to enter different applications and networks. 

Independent pharmacies looking to be especially vigilant about passwords can also use free online password generators, like Secure Password Generator, which will instantly generate long complicated passwords for you. 

As an alternative, pharmacies can purchase password management software such as Dashlane 4 or LastPass, which auto-generate complicated passwords, and centralize all your IDs and passwords into a single easy-to-use program.

Independent pharmacies also need policies in place to establish lock-outs after a system user has entered a predetermined number of incorrect IDs or passwords, Nelson adds. The same lock-out fail-safe needs to be activated the moment an employee departs or is terminated from your pharmacy.

For protection of especially critical data, Winkler also advises multiple authentication, such as the use of two or three passwords to access a web site maintenance account, rather than just one. Businesses whose data privacy is especially critical should consider investing in data leakage prevention software, he says.

Keep Data Off the Internet

You also may want to consider keeping patient data and credit card data on a separate system that is always completely disconnected from the internet. “Restricting web access to a separate network, isolated from patient records and credit card transactions, is a good idea,” says Michael Deninger, RPh, PhD, owner of Towncrest Pharmacy in Iowa City, IA.

Employees should also stay on the look-out for “social engineering” ploys, in which a hacker tricks someone at your pharmacy into surrendering digital information with a phone call or innocuous email, as opposed to online hacking tactics.

Regular meetings, e-newsletters, or memos about security vigilance also offer an opportunity for you to update pharmacy staff about the latest smoke-and-mirrors tricks that are in vogue among hackers. 

A popular recent hacker ploy, for example, is to regularly spam employees with marketing emails that seem to originate from a legitimate business and include a handy unsubscribe link at the bottom. Unbeknownst to the recipient, clicking that link activates an invisible download of malware to their PC or other computer device: software that can be used to steal IDs, passwords, credit card numbers, client data, and more.

“Look at the link, and see where it’s coming from,” Winkler advises. If you don’t recognize the company, or the link seems hinky, don’t click it.

You should run any security solution you choose past your attorney or any personnel hired to ensure that the software you use complies with all government regulations for pharmacies.

Get Insurance

You’ll also probably want to consider buying insurance against a cyber-attack and data breach. “Since most policies do not have sufficient coverage, I recommend purchasing additional coverage to protect your assets,” says RxXpress’ Grisnik. “We must all continuously review and update our policies and operating procedures for our employees to ensure we protect our own and our patients’ information.”

Mona Ghattas, BSPharm, owner of Duran Central Pharmacy in Albuquerque, agrees: “My business has a separate insurance policy that addresses cyber security, both externally and internally. Every business must own a policy like this in today’s world.”

If all else fails, you’ll also want a backup plan, just in case your pharmacy gets hit by a hacker despite all your efforts. “If there is one thing I want to strongly recommend to all pharmacies, it is that they all need a disaster recovery plan, security awareness training, and have daily offsite backups of their data,” says Jason Carter, chief technology officer for Best Value Pharmacies.

There are of course other ways to further toughen your security and protect your pharmacy. But at a certain point, you’ll probably need to concede that your Internet security will never be perfect.

“Anybody who sells you ‘perfect security’ is a fool or a liar,” Winkler says. “What security is about is risk management. The more you elevate security, the more you’re raising the bar, and the more exponentially you’re decreasing your risk.”

Issue: Drug Topics, May 2019