It is important that pharmacists are not lulled into a false sense of security, says cybersecurity expert Mike Gillespie, because attacks are often indiscriminate. Using words like ‘attack’ and ‘hack’ breeds the misunderstanding that these data breaches are targeted. In reality, they are hit-and-hope operations – and your business is just another IP address.
“Your size or your business is irrelevant. Even if you are a small pharmacy, for example, you will have on your system personal information related to your [patient] base,” says Gillespie, who is managing director of security consultancy Advent IM.
“That information on its own has a degree of value, but it can then be aggregated with lots of other sorts of information and used for fraudulent activity. Personal information has a value, a currency value, on the dark net.”
If the attacks sound Matrix-level mind-spinning, then the advice to protect against them can seem quite basic. Anti-malware, passwords, phishing... surely we know all this by now?
Mike Gillespie likens it to the work the police did over a long period to raise awareness of how to protect against household burglaries. “If you’re going away, close your windows, lock your doors, cancel the milk and papers, let a neighbour know, leave a radio or TV on a timer so it looks like the house is occupied,” he recites.
“We are not applying these basics to cyberspace, so our networks aren’t being locked, we’re not locking our valuables away at night, we are not putting the front door latch down and, as a result, the criminals are having a field day. It is not rocket science. If you do the basics, it massively increases your ability to defend against an attack.”
To help, pharmacy IT experts have outlined 12 cybersecurity steps that you should follow to protect your pharmacy.
Information, as a resource, is your responsibility. You need to have a greater understanding of what you’ve got and why you’ve got it, and a greater understanding of the risks concerning the way you use, share and exploit that information. It is not your system supplier’s responsibility; it is down to you because it is your information.
You may be working through your information governance (IG) toolkit every year (the latest version was released in July) but you can’t stop there, warns Jenny Williams, information systems security officer at Cegedim Rx. “Merely complying with NHS information governance rules – once the gold standard for security protocols and processes – is no longer the benchmark for securing healthcare data,” she says.
Your system supplier will already be doing a lot of the work for you in the background, so you should understand as far as possible what that is. “Where people have concerns, they could talk to their system suppliers about what protection is in place or what protection they might like instead,” suggests PSNC community pharmacy IT lead, Daniel Ah-Thion.
Gill Price, marketing lead at Cegedim Rx, points out that data protection regulations will, from May next year, require pharmacies to have documentation from their supplier to show that all data is encrypted.
“As a supplier, we can’t overstate the importance of using the latest operating systems and running regular security updates,” says Steve McGee, head of sales and marketing at systems supplier Positive Solutions. “Microsoft only provides security updates for operating systems which they consider to be supported. Using an older, out-of-date and unsupported operating system such as Windows XP exposes the user, and their data, to attacks.”
“Pharmacists should always assume that a data compromise is possible and ensure that they have a strong defence in place against cyberattacks,” says Cegedim Rx support manager Gary Wake. “This includes ensuring all operating systems, anti-malware software, web-filtering and antivirus software on all servers and end-point devices are updated with the most recent patches.”
There are new attacks and new threats coming out all the time, says Mike Gillespie, so it is no good just updating your anti-malware once a month.
You really can’t back up enough, says Mike Gillespie, and you must do it regularly with at least one back-up carried out offline. “You need to make sure you are resilient to attack. If something does go wrong, you don’t want to be held hostage. You want to be able to just shut your system down and rebuild it and reinstall the data from a safe back-up.”
You may want to familiarise yourself with the process for PMR and electronic prescription service back-ups, suggests Daniel Ah-Thion. “If your system crashes you will need to revert to back-up – and how old will that be? If your system is being backed up every few days, for instance, it may be that you’ve lost some work or you need to update the system again with anything done in the past few days. That is why it is useful to have something in the first place that backs up frequently.”
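The two questions raised above, “is this back-up safe to rebuild from?” and “how old will it be?”, can both be answered mechanically before a restore is attempted. The script below is an added example, not code from the article or from any PMR supplier: it records a SHA-256 hash of every file when a back-up is taken, checks the copy against that record before it is trusted, and flags a copy that is older than the amount of work you are prepared to re-enter. The directory layout, file names, the one-day limit and the scenario in demo() are assumptions for illustration.

```python
"""Added example (not from the article or any supplier): hash manifest for a
backup copy, verified before restore, plus an age check against how much
re-keying the pharmacy can afford.  Layout and thresholds are assumptions."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

MANIFEST = "MANIFEST.json"          # assumed name; any per-backup record will do
MAX_AGE_SECONDS = 24 * 3600         # assumed recovery-point objective: one day


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path, taken_at: float = None) -> dict:
    """Record a SHA-256 for every file in the backup and when it was taken.
    Keep a copy of the manifest off the backup medium: anyone who can alter
    the backup can also rewrite a manifest stored next to it."""
    taken_at = time.time() if taken_at is None else taken_at
    files = {p.relative_to(backup_dir).as_posix(): sha256_file(p)
             for p in sorted(backup_dir.rglob("*"))
             if p.is_file() and p.name != MANIFEST}
    manifest = {"taken_at": taken_at, "files": files}
    (backup_dir / MANIFEST).write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_backup(backup_dir: Path, manifest: dict, now: float = None,
                  max_age: float = MAX_AGE_SECONDS) -> dict:
    """Compare the copy against the trusted manifest and report anything that
    makes it unsafe (changed or missing files) or costly (too old) to restore."""
    now = time.time() if now is None else now
    problems = []
    for rel, expected in manifest["files"].items():
        p = backup_dir / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            problems.append(f"changed: {rel}")
    age = now - manifest["taken_at"]
    return {"ok": not problems and age <= max_age,
            "too_old": age > max_age,
            "problems": problems}


def demo() -> tuple:
    """Constructed scenario: a fresh good copy, the same copy three days on,
    and a copy whose contents were altered after the manifest was written."""
    root = Path(tempfile.mkdtemp())
    try:
        (root / "pmr").mkdir()
        (root / "pmr" / "records.txt").write_text("PLACEHOLDER PATIENT RECORDS\n")
        (root / "pmr" / "config.ini").write_text("[pmr]\nsite=PLACEHOLDER\n")
        manifest = write_manifest(root, taken_at=1_000_000.0)
        fresh = verify_backup(root, manifest, now=1_000_000.0 + 3600)
        stale = verify_backup(root, manifest, now=1_000_000.0 + 3 * 24 * 3600)
        (root / "pmr" / "records.txt").write_text("altered after the backup was taken\n")
        tampered = verify_backup(root, manifest, now=1_000_000.0 + 3600)
        return fresh, stale, tampered
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for label, report in zip(("fresh", "stale", "tampered"), demo()):
        print(label, report)
```

The manifest is deliberately passed in as a separate argument to verify_backup rather than read back from the backup folder, so that the trusted copy of it can live somewhere the back-up medium cannot reach, which is the same reasoning behind keeping at least one back-up offline.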
“Access to data should be limited, based on the roles of individuals, so that only those with a genuine clinical need can access certain confidential patient data. Pharmacists should ensure that credentials for system access are in the right hands,” says Jenny Williams.
“If you can, use access controls to segregate off the more sensitive – the ‘crown jewels’ – of your information. Put more security around those, so that even in the event of a breach you’ve still got some effective security in place,” advises Mike Gillespie.
“It could be as simple as having an additional folder that is properly password-protected with a good quality password to protect it in the event of someone getting access to a computer.”
Remembering passwords is the bane of modern life but the constant requests for new, more complicated – and therefore less memorable – access codes are for good reason.
“Password management is critical; passwords should be complex enough so they are not easily breached by hackers,” says Jenny Williams. “In this regard, system policies should be in place to enforce password rules. This should include a two-step authentication process. Staff should be advised to never share passwords or hardware tokens.”
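What “system policies to enforce password rules” and a “two-step authentication process” look like in code is shown below. This is an added example, not code from the article or from any pharmacy system: it rejects passwords that fail a length, character-class or denylist rule, stores only a salted PBKDF2 hash, and requires a time-based one-time code (RFC 6238 TOTP, the scheme used by common authenticator apps) as the second step. The policy thresholds, the denylist and the demo secret are assumptions for illustration.

```python
"""Added example (not from the article or any supplier's product): password
policy enforcement, salted password hashing, and RFC 6238 TOTP as a second
step.  Thresholds, denylist and demo values are assumptions."""
import hashlib
import hmac
import os
import struct
import time

MIN_LENGTH = 12                                    # assumed policy value
COMMON = {"password", "password1", "pharmacy1",     # constructed denylist;
          "welcome1", "letmein"}                    # a real one is far longer
PBKDF2_ROUNDS = 200_000                            # assumed work factor


def check_password_policy(pw: str) -> list:
    """Return the rule violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])
    if classes < 3:
        problems.append("needs at least three of: lower, upper, digit, symbol")
    if pw.lower() in COMMON:
        problems.append("on the common-password denylist")
    return problems


def hash_password(pw: str, salt: bytes = None) -> tuple:
    """Store salt and hash, never the password itself."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


def verify_password(pw: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 and 30-second steps (dynamic truncation per RFC 4226)."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int = None, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to tolerate clock drift."""
    now = int(time.time()) if now is None else now
    return any(hmac.compare_digest(totp(secret, now + k * 30), code)
               for k in range(-window, window + 1))


def login(stored: dict, pw: str, code: str, now: int = None) -> bool:
    """Both factors are always evaluated, so a failed login does not reveal
    which of the two was wrong."""
    pw_ok = verify_password(pw, stored["salt"], stored["digest"])
    code_ok = verify_totp(stored["totp_secret"], code, now)
    return pw_ok and code_ok


if __name__ == "__main__":
    # Constructed account: the TOTP secret is the RFC 6238 test-vector key.
    salt, digest = hash_password("Correct-Horse-Battery-9")
    account = {"salt": salt, "digest": digest, "totp_secret": b"12345678901234567890"}
    print("policy ok:", check_password_policy("Correct-Horse-Battery-9") == [])
    print("code at t=59:", totp(account["totp_secret"], 59))
    print("login:", login(account, "Correct-Horse-Battery-9", totp(account["totp_secret"], 59), now=59))
```

The TOTP secret is the one thing that must never be shared, which is the point of the advice above about hardware tokens: whoever holds the secret can generate every future code.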
“Because flash drives or other devices can be infected with malware, employees should not bring them into the pharmacy,” advises Gary Wake.
They should also not be used for normal business practice, says Daniel Ah-Thion, but if you must, “as a last resort”, you should scan them for viruses.
Jenny Williams stresses that sensitive information on mobile electronic devices, including USB flash drives and laptops, should be routinely encrypted. “This prevents accidental exposures such as dropping an unencrypted flash drive in the street or losing a laptop with unencrypted patient data on it.”
It may be unpopular but staff should not use pharmacy systems for personal e-mails or personal cloud-based applications, says Jenny Williams.
Many users still fail to recognise phishing emails. “If you get an email that has got an internet link in it, you need to be very conscious of whether that link could be a risk,” says Daniel Ah-Thion.
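The checks a person should make on a link in an e-mail can be written down and run over the message first. The script below is an added example, not code from the article: it pulls every link out of an HTML message and flags the patterns that most often mark a lure, a raw IP address instead of a name, a plain-http link, a visible address that differs from where the link actually goes, and a destination that is not on the pharmacy's own list of trusted domains. The sample message, the trusted-domain list and the supplier domain are constructed for illustration.

```python
"""Added example (not from the article): extract links from an HTML e-mail and
flag common phishing tells.  The sample message and allowlist are constructed."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"nhs.uk", "pmr-supplier.example"}   # constructed allowlist
_HOSTLIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)

# Constructed sample; 203.0.113.5 is a documentation-only address (RFC 5737).
SAMPLE_EMAIL = """
<p>Dear pharmacy,</p>
<p>Your NHSmail password expires today. <a href="http://203.0.113.5/nhs/login">Click here</a> to keep access.</p>
<p>Or visit <a href="https://nhs.uk.account-verify.example/login">https://www.nhs.uk/</a></p>
<p>Questions? See <a href="https://www.nhs.uk/">www.nhs.uk</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_trusted(host: str) -> bool:
    """Exact match or subdomain of an allowlisted domain; suffix tricks like
    'nhs.uk.evil.example' do not pass because the check anchors at the end."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def host_of(url_or_host: str) -> str:
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    return (urlparse(url_or_host).hostname or "").lower()


def assess_link(href: str, text: str) -> list:
    """Return the list of warning signs for one link (empty means nothing odd)."""
    findings = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        findings.append("not https")
    try:
        ipaddress.ip_address(host)
        findings.append("ip-address host")
    except ValueError:
        pass
    if parsed.username is not None:
        findings.append("credentials before @ in URL")
    if _HOSTLIKE.match(text):                      # visible text looks like an address
        shown = host_of(text)
        if shown and shown != host:
            findings.append(f"display text shows {shown} but link goes to {host}")
    if not is_trusted(host):
        findings.append("host not on trusted list")
    return findings


def assess_links(html: str) -> list:
    collector = _LinkCollector()
    collector.feed(html)
    return [{"href": href, "text": text, "findings": assess_link(href, text)}
            for href, text in collector.links]


if __name__ == "__main__":
    for link in assess_links(SAMPLE_EMAIL):
        print(link["href"], "->", link["findings"] or "no warning signs")
```

A link with no findings is not proof that the message is safe; the trusted-domain check only says the destination is one the pharmacy already knows, so the rest of the advice in this article about unexpected requests still applies.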
Know who your system supplier is, who the main contact is and what their phone and email details are so you can chase them up to get the issue solved. “It is about knowing who to contact to get it fixed,” says Daniel Ah-Thion.
“Security is first and foremost a people problem,” says Mike Gillespie. “Almost all malware starts and ends with the user. Malware attacks are only successful because a member of staff clicks on something.
“Anyone who has access to your information and systems needs to have effective and appropriate awareness training so that they understand the threat, they understand how to recognise potential attacks, and they understand what to do in the event of something going wrong.”
This should include much of the above (e.g. good password practice, mobile device rules, personal use restrictions, recognising phishing and what to do in an emergency), which you should make into a formal policy in your pharmacy.
May’s NHS cyberattack was serious enough in itself but could be considered a warning shot across the bow. Don’t be caught out.
Do act immediately.
Disconnect the network cable, switch off the wifi network, power that computer down and call your system supplier or IT provider’s help desk.
Don’t attempt to fix your system without contacting your supplier. Consult your supplier if you are doing anything that might impact your system.
Do report it.
Contact the police through Action Fraud (actionfraud.police.uk).
Don’t pay the ransom.
In many cases, even when the ransom is paid, the attackers don’t release the data or unlock the system. Once you’ve paid a ransom, you are seen as a soft target – so people will come back for more.
The National Cyber Security Centre: ncsc.gov.uk
Cyber Aware: cyberaware.gov.uk
Information Commissioner’s Office: ico.org.uk/media/action-weve-taken/audits-and-advisory-visits/2013919/community-pharmacy-outcomes-report.pdf