Know the Risks, Your Pharmacy Can Be Hacked

Think your independent pharmacy isn’t affected by hackers? Think again.

As a pharmacy consultant, I talk to many pharmacy owners across the country. I would say a good 60% of pharmacy owners believe their pharmacy isn’t susceptible to any type of cyber security threat or data theft. Of course, they all hear the security and data breaches on the news. But it would never happen to an independent pharmacy, right? Wrong. Independent Pharmacies are more at risk now than ever before.

Example: Patient records stolen from pharmacy – PHI data included. Over 50,000 patient affected

Pharmacies are an excellent resource for hackers to steal PII (personally identifiable information) and PHI (patient health information). Why? Because pharmacies are easy to hack. They usually have an outdated firewall, if they even have a firewall. (A firewall is a device that protects the pharmacy internet network from the outside network or internet) Their router is usually of home grade security or hasn’t updated it’s firmware in years. Pharmacies usually are on outdated version of their operating system (WindowsXP, Windows 7). Pharmacies are also susceptible to social engineering attacks (see below).

What threats should my pharmacy worry about?

Pharmacies rely on a lot of different vulnerable technology. This is going up every day as pharmacies increase their reliance on tech. Let’s take a brief look at some of the threats facing independent pharmacies and pharmacists.

Malware – These are often found on social media, websites and email. Malware includes worms, trojans, viruses, spyware etc.. Where in pharmacies? Pharmacies usually get infected with malware by staff clicking on the links in social media or opening attachments in emails. Another place we see malware in pharmacies is when a staff member is doing research online and clicks the wrong link.

Social Engineering – This is when someone tries to manipulate pharmacy staff into giving them confidential or personal information that may be used for unintended purposes. Where in pharmacies? We see this when someone visits or calls into the pharmacy asking various questions, in an effort to receive valuable information. A recent situation with a client of ours was the following: A scammer from India called into the pharmacy claiming they were “MIcrosoft Technicians” and needed access to the computers for a “required security update”. These attacks happen everyday on small businesses and only awareness can prevent them. If you allow these scammers to connect to your computer they usually install ransomware.

Ransomware – This is software designed to encrypt your files on your computer or lock you out. The only way to remove this is to pay the “ransom” according to the ransomware. Where in pharmacies? This is found anywhere online. E-mail and websites being the most vulnerable to this attack. Hackers will send out mass emails with ransomware and hope someone opens the attacgment. Once a user opens the attachment it takes away the availability to certain data or systems unless the ransom is paid.

E-mail is the most vulnerable

E-mail – Pharmacies use email everyday to talk to patients, vendors, precribers etc.. However e-mail isn’t secure no matter your provider. These often can carry virus/malware attachments or phishing links. Proper training is needed with all pharmacy staff that uses e-mail. Getsafeonline.org offers a great article regarding e-mail safety.

Phishing – Unusually accomplished through e-mail phishing attempts to trick users into thinking they are submitting info to a secure site. Where in pharmacies? We have seen this as scammers/hackers try to send pharmacist to fake federal and state websites to steal credentials.

Vishing – This attack is becoming more and more prevalent. With VOIP phones being very popular a hacker can spoof/fake their caller ID. Where in pharmacies? Patients are being contacted by scammers using the pharmacies caller ID. Scammers are asking patients for credit card info, personal information and more. Scammers target the patients within a radius around the pharmacy. This attack is never good for the pharmacy because patients lose trust in the pharmacy. However, the pharmacy has nothing to do with this attack.

If your pharmacy is a victim of vishing contact us. We have experience on how to respond to this attack.

Pharmacists and pharmacy owners shouldn’t be thinking if  but when I get hacked.

What should a pharmacy protect? 

A pharmacy has a slew of information and technology they are obligated to protect. Everything from your pharmacy phone number – to patient info – to your digital certificate to order CII’s. These are just a few items to protect. A pharmacy is full of PII and PHI info.

Today pharmacies and health care providers are becoming even more connected through e-scribing portals and eMar systems. These provide additional gateways for hackers to cause problems. While these systems are usually somewhat secure, your pharmacy is still at risk just due to association.

Is my pharmacy liable?

Ultimately everyone should be responsible for protecting data, PHI, PII etc.. However if your pharmacy uses a persons data, you have an obligation to protect it. Currently it’s unclear who is ultimately responsible for small businesses. However, you can bet – if your pharmacy is the target of breach your reputation will take a huge hit. Many businesses never overcome a security breach and some ultimately go out of business. If you’re not taking security seriously this will eventually become a reality. The average costs to recover after a cyber breach for a small business is around $500,000.

If you are a victim of a data breach, you are required to notify your patients of this breach. The matter of notice time depends on your state. Each state address security breach notifications differently. Take a look at the NCSL (National Conference of State Legislators) website for your state regarding data breaches.

Does your Pharmacy System have a cloud environment?

Almost all pharmacy systems house all their data on a local server in your pharmacy. This creates even more data for a pharmacy to protect. However some pharmacy systems like McKesson Enterprise RX has a cloud (hosted) version of their pharmacy software. By using a cloud version of the pharmacy system you are transferring the risk to your software company.

Not all pharmacy systems have this option currently. Check with your pharmacy system to see if this is an option. If not – ask them some tips they recommend to protect your pharmacy data stored on their server.

Website Security / Patient Refills

Does your pharmacy have a website? A website is an extension of your business and you are responsible to protect it. Pharmacy websites are prime targets for “PharmaHack” – a hack where rogue injection are applied to pharmacy websites. They usually promote Viagra, Cialis etc..items that are illegal to promote online. If you click them you are sent to an illegal website to purchase these items. In most cases if you’re hacked with the PharmaHack any link on your website is redirected to the illegal website.

Does your website have online refills where patients enter prescription information? If so be sure your website is up-to-date with the latest updates and patches. Patients are trusting your website it secure when they enter their personal health info.

If you are concerned about your website might be hacked or susceptible contact us. We design custom pharmacy websites that are secure and professional. ConfigRX understands cyber security and the risks associated with running a pharmacy.

How to mitigate risk to your pharmacy

To be fair, managing your pharmacies security does take some time and money. However, time and money is something pharmacies usually don’t have to dedicate to security. So how do you protect yourself and your pharmacy from cyber threats? What we recommend to pharmacies who can’t afford manage services is to:

  • Install anti-virus software, and keep it updated!
  • Upgrade to business grade firewall/router
  • Do awareness training to pharmacy staff member about security threats (E-mail, Phones, Fax, Internet Browsing etc)
  • Use a policy of least privilege. If they don’t need access to it – don’t give access.
  • Isolate your wireless network from your local area network (where your data resides)
  • Reach out to your pharmacy management system. Ask them how they protect your data. What do they recommend?
  • Install BitLocker on your workstations and servers
  • If you don’t recognize it delete it – DON’T OPEN IT
  • Keep pharmacy private information off social media
  • Look for insurance related to cyber security

Pharmacy Website Security

  • Keep your plugins and CMS (WordPress, Joomla etc) up-to-date
  • Install HTTPS on your website so website data isn’t in plaintext.
  • If using a theme make sure it’s the most current version
  • Monitor your website and block unwanted countries from access your website

Document document document your security

A good practice with security is to document everything you do. If the pharmacy does get breached you will want to have proof you did your due diligence. Although it can be tedious and time consuming, documentation can provide you with a record. This also helps for insurance and legal matters.

Don’t overlook pharmacy cyber security

Cyber Security is often added on after and owners do not consider security when planning a pharmacy. Which means most pharmacies are just doing patchwork to protect their systems and data. Always try to consider cyber security in any business venture from the ground up. That way you aren’t playing catch-up.

Sad truth is, you can never be 100% hacker proof. With technology changing everyday, new hacks and viruses are there to exploit the same technology. If you aren’t keeping your patches, operating systems and firmware updated, you will always be at a higher risk.

Managed pharmacy services with cyber security

Most pharmacies simply do not have the time to devote to security. With pharmacy managed services by ConfigRX we can help you reduce your security risk. We designed our managed services to include cyber security threats. We work with Intrusion Prevention and Detection Systems to monitor your network traffic. This allows us to find unusual or unwanted network traffic, prevent unauthorized access, and protect your pharmacy technology.

Managed services by ConfigRX is designed to improve your pharmacy operations. On top of security can also provide you with IT support, IT monitoring, data backup and more. Get out of the “break/fix” mentality and take control of problems before they happen with managed services.

Our team has over 8 years of pharmacy IT experience. ConfigRX understands the pharmacy industry better than anyone. We work with you to come up with a security solution that fits your budget. To learn more about our managed services, visit our pharmacy managed services page.

Learn more