Data threats: How prepared is your pharmacy?

September 10, 2015

70% of small businesses that suffer a data breach go out of business within a year of the attack. Here are some strategies to keep your pharmacy strong.

A recent survey, the 2013 Verizon Data Breach Investigations Report, reported that 70% of small businesses that suffer a data breach go out of business within one year of the attack. Clearly, in a sector as competitive as retail pharmacy, data security has moved beyond the realm of IT and become a general business concern.

According to the industry research firm IBISWorld, despite profit setbacks, healthcare reform and an aging population will spur growth for the U.S. pharmacy market, the sheer size of which will make it a target for increasingly aggressive cybercriminals. In the competitive and patient-focused retail pharmacy market, this should serve as a clarion call to data defense.

An area of particular concern for pharmacies is point-of-sale (POS) systems, as recent attacks indicate that installation of malware is on the rise. This point of attack can be particularly vulnerable to unauthorized capture of payment and consumer data, more so as pharmacies increasingly employ POS data for advanced analytics and business intelligence.

Defend the data

There are three principal methods of defense that pharmacy retailers would be wise to employ in mitigating the risk of data breaches.

First and foremost are the commonsense methods for prevention of unwarranted access: ensure that firewalls are in place; install and properly operate up-to-date anti-virus software; and train employees in appropriate security procedures (e.g., do not open suspicious e-mails, safeguard and change passwords frequently, and do not download files from untrusted sites). When these measures are taken and enforced, it is much more difficult for outsiders to access business data.

Internal security

Second, many data security issues arise from a company’s own employees. Analysts have suggested that the increased focus on external threats may result in a lack of attention to internal ones, despite the fact that the leading causes of security incidents in the near future are expected to be employees and negligence.

It is imperative that business systems be locked down so that only those who need access to data can get it. If your pharmacy has credit card numbers or checks in a safe, ensure that only the proper personnel have access to it. The same principle holds for data security. If an employee doesn’t need access to patient records, don’t grant it to them.

"Killing" data

Finally, and perhaps most important, businesses can use tools such as point-to-point encryption and tokenization to make data inoperable to those who access it without authorization. This has sometimes been referred to as “killing” data.

Point-to-point encryption translates data into a form that outside parties can neither decode nor use. Similarly, tokenization is a method whereby transactional systems provide a “token” that represents a payment card number; it is still unique, but cannot be used outside the system.

A token replaces all major-brand bankcard numbers transmitted to payment processors, as well as those stored internally for house accounts. Even if a breach or theft allows a third party to acquire a transaction or house account file, the data won’t reveal a card number that can be reused.
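The tokenization flow described above, as an added example that is not from the original article or any vendor's product. `TokenVault`, `record_sale` and the field names are hypothetical, the card number is a constructed test value, and the in-memory dictionaries stand in for what would be a separate, access-controlled vault service.

```python
import secrets

class TokenVault:
    """Hypothetical in-memory token vault; a real one is a separate, locked-down service."""

    def __init__(self):
        self._token_by_pan = {}   # card number -> token
        self._pan_by_token = {}   # token -> card number (never leaves the vault)

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "").replace("-", "")
        if not (pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("not a payment card number")
        if pan in self._token_by_pan:          # same card -> same token,
            return self._token_by_pan[pan]     # so house accounts still match
        while True:
            # Random value, not derived from the card number, so it cannot be
            # reversed; the last four digits are kept only for receipts.
            token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
            if token not in self._pan_by_token:
                break
        self._token_by_pan[pan] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        # Only the vault that issued the token can map it back.
        return self._pan_by_token[token]


def record_sale(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """Build the record the POS stores or transmits: token only, no card number."""
    return {"card": vault.tokenize(pan), "amount_cents": amount_cents}


if __name__ == "__main__":
    vault = TokenVault()
    sale = record_sale(vault, "4111 1111 1111 1111", 2599)  # constructed test number
    print(sale)
```

A copied transaction or house-account file holds only the `tok_...` values, which resolve to card numbers solely through the issuing vault.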

These tools should be part of the data defense strategy for any POS or transactional system used by pharmacy businesses.

Continuous vigilance

As new regulations to help secure data are developed, the window of opportunity will shrink or close for hackers, and they can be expected to step up their activities as these regulatory deadlines approach. Ultimately, pharmacies must be vigilant, even as these laws will help boost public confidence in data security.

It’s an old saying that the way to be safe is never to be secure - something that retail pharmacies need to remember as they set up defenses to protect their own data and that of their patients in an increasingly data-driven market.

Keith Lam is senior product marketing manager, Epicor Software Corporation, a company in Austin, Texas, that markets business software solutions to the manufacturing, distribution, retail and services industries.