Protect your pharmacy against cyber and physical attacks

Small businesses like independent pharmacies are just as vulnerable to physical and cyber attacks as large businesses, according to two experts who led a continuing education course October 10 during the 2015 annual convention of the National Community Pharmacists Association held in Washington, D.C.

The course, “Physical and Cyber Security,” was taught by Page Moon, chief information officer of Focus Data Solutions in Alexandria, Va., and Eddie Reyes, deputy chief of the Alexandria Police Department.

See also: Data threats: how prepared is your pharmacy?

“Small businesses, regardless of what type of business it is, are usually very vulnerable to the type of cyber criminal element operating today,” Reyes said.

Moon added, “Small businesses spend very little money securing their networks,” which makes them very attractive targets to governments and foreign entities. “They love small businesses. If they can get into your network, they can use your network to get into other ones.”

Pharmacies are attractive to thieves because of the drugs they stock as well as the confidential patient information that can aid identity thefts. While pharmacies are not likely to become less of a magnet for thieves any time soon, there are steps pharmacy owners can take to curb or prevent attacks. They include:

Don’t operate in a vacuum. Pharmacy owners should meet regularly with other pharmacy owners to share information, said Reyes. Criminals tend to employ the same methods time and time again. Sharing information about attacks, successful or thwarted, can help prevent attacks.

See also: Six tips on preventing pharmacy data breaches

Use external video cameras. Not only should pharmacies install external video cameras, but pharmacy owners should review that footage regularly. “[Criminals] are going to case your store,” Moon said. “In some cases, you can go to the videotape and see this and alert police. Reyes added: “The day that they commit the break-in is not the first day they were there.”

Observe your business after hours. Drive by the pharmacy during the hours when it is closed. Sometimes you will spot something out of the ordinary. “We had a business owner who discovered a homeless person had been [camping out] in back of the store,” said Reyes. “Check out the store on a physical level, to get a sense of what happens at your business after hours.”

Protect against backlash from disgruntled employees. Sometimes, a former or soon-to-be former employee orchestrates the physical or cyber attack. Pharmacies should have a checklist of steps to complete during the termination process, including retrieving keys, changing alarm codes, and disabling company-related e-mail accounts. “Don’t take a termination [especially of a disgruntled employee] lightly,” Reyes said. “Because often those are the people who want to do the greatest damage to your organization, as opposed to the criminal elements.”

Maintain your property. “[Unkempt property] is the best sign to a criminal that security is low,” Reyes said. “Whether you own [the building in which the pharmacy is located] or are a tenant, make sure that the property is in good condition.”

Be vigilant against social engineering attacks (SEAs). SEAs happen when someone takes advantage of your good nature. For example, your pharmacy does not provide a public restroom. However, you feel sorry for a well-dressed person who claims to have an emergency and you break your policy. Then that person uses that time to plant a device or lifts a ceiling tile to explore access to network wires or other things.

Use electronic safeguards. Pharmacies should have someone - either in-house or a third party - who monitors its firewall. “Such a service is well worth the money,” Moon said. He also urged pharmacy owners to install malware filters and to have a disaster recovery plan.

Eliminate soft targets. This includes making sure that you have good locks and video surveillance, and that items such as laptops and purses are locked away. It also means making sure that computers are not accessible to criminals who can insert thumb drives to steal information or disrupt system operations.

“Also, everyone needs to be aware of where the exits, entrances, and cameras are,” Reyes said. Pharmacies also should shred documents that contain confidential information, should report suspicious activities to the police, and should change their business patterns when possible. “Anything that can make you unpredictable is obviously good,” Reyes said.