What should pharmacies do to keep patient data and credit- and debit-card information secure? Start with these steps.
The data breach that occurred in late 2013 when cybercriminals stole 40 million credit and debit card numbers from 70 million customers has now cost Target Corp. more than $200 million. In addition, Target’s brand has been severely compromised, resulting in the resignation of Target’s CEO and CIO.
Unfortunately, many retailers, large and small, are vulnerable to data breaches, and thousands of smaller businesses are being breached, according to Chad Leedy, director of retail compliance, ANXeBusiness Corp. Speaking at the National Community Pharmacists Association meeting in October last year, he described what pharmacies can do to protect themselves from data breaches involving patient information and credit and debit card information.
The costs of a data breach
A data breach costs, on average, a total of about $80,000 per pharmacy location. Once a data breach is detected, a forensic audit is necessary, at a price tag of between $20,000 and $30,000.
Then a determination is made as to how far out of compliance the pharmacy was and how many credit cards were compromised and will have to be replaced, at a cost of between $20 and $50 per card from the bank.
On top of that, there will be fines and fees and the expense of getting the pharmacy back into compliance. During that time, the pharmacy cannot accept any payments made with credit cards.
“If your pharmacy had to pay $80,000 and couldn’t take credit cards for two to three months, how devastating would that be to your business? You might have to go out of business or declare bankruptcy,” Leedy said. “Unfortunately, one in six small businesses will suffer a credit card breach in the next 24 months.”
For pharmacies and other retailers that store, process, or transmit credit/debit card data, PCI compliance is mandatory. All businesses must comply with the Payment Card Industry Data Security Standard (PCI-DSS), a set of more than 300 requirements that businesses using point-of-sale (POS) systems need to meet annually.
According to the PCI Security Standards Council, the PCI-DSS is a framework for payment-card data security that includes prevention, detection, and response to data breaches. The council has lists of qualified security assessors (QSAs) and approved scanning vendors (ASVs) to help businesses with compliance at www.pcisecuritystandards.org/security_standards/.
When you check the qualifications of PCI vendors, find one that is a QSA or ASV, Leedy said. “A QSA is the highest level of credentials that you can get with the PCI Security Standards Council. Make sure the vendor understands the pharmacy business, so it is aware of your unique challenges,” he said.
Six goals for PCI compliance
PCI lists six objectives that businesses need to follow to secure sensitive data.
Firewall. Your firewall needs to be secure and fully managed by a security company. Make sure that the default passwords are changed, and put a process in place to rotate passwords on a regular schedule.
Encrypted data. You need to protect sensitive data, such as credit card and patient information, and ensure that it is encrypted across all open public networks. Contact your information technology professionals for their expertise.
Maintenance. Every business must maintain its system with antivirus software, and systems and applications need to be updated regularly. This includes Microsoft patches and patches for many different pharmacy applications.
Access limitations. Be sure to have strong access-control measures in place. Restrict access to a need-to-know basis. Do not allow employees to share access to the system. Make sure that remote access from outside the pharmacy is secure.
“Never use a free version of a remote-access tool. It should have two-factor authentication, which is usually something you know, like a password, and something you have, like your cell phone number,” Leedy said.
Internal and external testing. Track and monitor access to your system and test network security internally and externally. An outside company will have to test your network externally.
Security policy. Develop and implement a security policy that includes PCI compliance. Your employees need to read it and acknowledge their awareness.