December 15, 2016
Is your pharmacy prepared for a cyberattack?
Even though you can’t see them, cyberattacks, or cybersecurity breaches, are very real threats. And, your independent community pharmacy may be a likely target.
Forty-three percent of cyberattacks targeted small businesses in 2015, a number that has been steadily increasing over the last five years, according to the 2016 Symantec Internet Security Threat Report. The annual report, which analyzes trends in cyberthreats and attacks, is published by Symantec, a global leader in security and information management solutions.
“We communicate and operate on the Internet as though this is a secure system, while in reality it’s far from secure,” said Tim Campen, a mentor with the Washington, D.C., SCORE chapter, a nonprofit association dedicated to educating entrepreneurs and helping small businesses through mentoring in partnership with the U.S. Small Business Administration (SBA).
Seventy-eight percent of small business owners don’t have a cyberattack response plan in place, according to the second annual Small Business Indicator, an online survey conducted by Nationwide Mutual Insurance Company in June 2016.
Kristin Judge, spokesperson for the National Cyber Security Alliance (NCSA), said businesses need to protect themselves. “We live in a connected world, and just as we have learned how to protect our physical security, we need to protect this new aspect of our lives with just as much vigilance,” she said.
Protection starts with prevention, which means implementing better cybersecurity practices. And, if your pharmacy does fall victim to a cybersecurity breach, you need to be prepared to mitigate cyber liability in order to help your business survive.
“The internet has become the communication backbone of major parts of our economy and our social and business community communications,” Campen said. “The impact of cyber breaches can spread very quickly and can have industry-wide cascading results.”
Cybersecurity is defined as the measures taken to protect a computer or computer system against unauthorized access or attack.
The NCSA prefers to describe cybersecurity in a positive way. “Cybersecurity allows you to use the Internet with more confidence, because you’re putting safe practices in place,” Judge said. “Cybersecurity can empower you to use more Internet resources with trust and confidence.”
Judge said cyberattacks are a growing threat, and independent pharmacies need to build cybersecurity into the culture of their businesses. “You’re responsible for peoples’ very sensitive data, so it’s something you need to be paying attention to,” she said.
Mike Warren, risk manager at Pharmacists Mutual Insurance Company, a provider of life, disability, financial planning, investment and professional liability products to the pharmacy community, said that about 25 billion devices in the world can theoretically talk to one another, a number that’s expected to double over the next 20 years. “You’re seeing more press about cyberattacks and how they’re impacting companies,” he said. “We’ve gotten a lot of feedback from pharmacists that are waking up to the potential threat.”
One problem with cybersecurity in small businesses is the lack of time and resources to devote to the issue. “Small business owners unfortunately are busy running their businesses and they don’t have a lot of spare time to focus on this topic—it can seem overwhelming,” Judge said. “Criminals know that these smaller businesses can be vulnerable, so they take advantage of them.”
Additionally, Campen said one of the most problematic elements of cybersecurity is the quickly and constantly evolving nature of security risks. If your pharmacy doesn’t have the right practices in place, it can be devastating.
And, Judge said pharmacies are starting to take note. “We are always looking to improve the adoption of cybersecurity best practices for consumers and businesses,” Judge said. “We do see pharmacies putting some cybersecurity practices in place in order to follow Payment Card Industry (PCI) and Health Insurance Portability and Accountability Act (HIPAA) laws, but more can be done.”
Mike Egan Jr., pharmacy program director at The Selzer Company, an insurance broker and consulting company in the Mid-Atlantic region that offers its Pharmacy Insurance Network, said cyberthreats are unlike any other threat. “You can see a storm coming from far away, but you can’t easily see cyberthreats,” he said.
The majority of cyberattacks on businesses are done through phishing, which Symantec defines as “an attempt to illegally gather personal and financial information by sending a message that appears to be from a well-known and trusted company.”
Judge said that for independent pharmacies in particular, phishing scams are a big concern. “Medical data is worth money on the black market,” she said. “Pharmacies have access to valuable data without having staff whose expressed responsibility is securing that data.”
Egan agrees. “Pharmacies tend to have more exposure than that of other businesses because pharmacies combine risks to both retail payment data and health care exposures, two big areas experiencing lots of attacks and losses,” he said.
The most common type of phishing used by attackers today is spear phishing, where an email targets a specific business or individual. A spear phishing email appears to be from someone you know and, when clicked on, gives criminals access to your data.
Judge said when businesses fall victim to spear phishing, the number one concern becomes ransomware, a type of malicious software designed to block access to a computer system until a sum of money is paid. “Similar to kidnapping in the movies where a person is held for ransom, criminals hold data for ransom hoping to extract money out of the victim who needs access to the data in order to run a business,” she said. “Ransomware is a fancy name for a corrupt program put on your computer because you clicked on a link or downloaded an attachment that was infected.”
Egan said generally these threat vectors, tools cybercriminals use to attack a target, reveal internal risks and external risks, both accidental and malicious. “The exposures range from theft of data, to extortion to regulatory fines and penalties, not to mention exposures like cyber extortion,” he said. “The risks and threats are simply too vast to ignore.”
Independent pharmacies need to take measures to increase cybersecurity and protect their businesses.
Judge said that education and adding authentication to accounts are the first steps to protect your pharmacy from a cybersecurity breach. “It’s important to train your staff to build cybersecurity into your business,” she said.
For example, she suggests having a lunch-and-learn once a month or holding staff meetings to discuss the importance of your pharmacy’s data, and the roles each employee plays in keeping it safe.
Campen said insider threat is usually the greatest risk for small businesses. “Get training for your employees, and have a written security policy in place so they can learn what to avoid and how to respond to ‘strange’ things on their computers,” he said.
STOP.THINK.CONNECT.™ is a global cybersecurity education and awareness campaign that works to reinforce safe online habits, such as taking caution before clicking on emails and downloading attachments. The idea is to stop, think about what you’re doing and then connect. The campaign was created by a coalition of private companies, nonprofits and government organizations with leadership provided by the NCSA and the Anti-Phishing Working Group (APWG). The U.S. Department of Homeland Security (DHS) leads the federal engagement in the campaign.
“It’s really become very easy for the bad guys, because we’re not educating people enough about how to secure their accounts and refrain from clicking on things,” Judge said.
It’s equally important to protect your data by increasing cybersecurity on your computers. Warren said to minimize the risks of cyberthreats, you should encrypt your data, secure your hardware and use—and update—antivirus and malware protection software. He said although people tend to ignore notices to update their software, it’s really important to make updates to keep your computers safe.
Additionally, Judge said pharmacies need to have a cybersecurity specialist who checks on their business regularly. “We encourage all businesses to have relationships with these specialists before there’s a problem,” she said.
Independent pharmacies have many helpful resources available to them to learn about cybersecurity and how to protect their businesses from an attack. The NCSA, SBA, Federal Trade Commission (FTC), and DHS all offer helpful tools and information on their websites.
But it’s not just about prevention; it’s about preparation, because with a cybersecurity breach comes cyber liability.
“Cyber liability is a fairly new category of business liability risks associated with electronic information and computer systems not covered by traditional insurance,” Egan said.
And pharmacies face cyber liability. “The liability part of it is that the pharmacy can be held responsible for damage or even perceived damage to the parties whose data has been compromised,” Warren said.
Warren said cyber liability generally falls under two categories: first party liability and third party liability.
“First party liability is damage to your own information, while third party liability is where you lose somebody else’s data—and that can be really expensive,” he said.
If your pharmacy experiences a data breach, you can be fined by multiple agencies. “When they impose these penalties, they look at what the company did before the event to prevent it, and what actions they took in response,” Warren said.
A cyberattack is likely inevitable. “You have motivated and dedicated adversaries intent on stealing from or extorting businesses and creating thousands of new malware each day, going up against folks that run a business and everything it entails,” Egan said. “Experts say it is not a matter if an incident will happen, but when.”
Warren said that handling cyber liability is like handling any other risk. “You have to educate yourself about the potential threats when you hear about them,” he said. “Consider transferring the risk to insurance, and have measures in place to mitigate the risks.”
Similarly, Egan said everyone needs to take the threats seriously and practice risk management, get proper insurance and have access to experts if an incident occurs. “The cyber risk and threat landscape is really quite scary; it’s not a fair fight going on right now,” he said.
Cyber liability insurance is becoming standard for businesses today, and some vendors and states are requiring businesses to have cyber coverage. “Pharmacists are more aware of cyber liability because of the regulatory environment and the presence of huge data breaches at health care-related entities,” Egan said. “Losses are in the news every day.”
According to Egan, reliance on computers, combined with the value of information and the evolving risk environment, makes cyber the main exposure businesses face. “Because this exposure is so vast and the uncertainties so great, cyber insurance is now being mandated in many circles,” he said. “Every business should cover the gaps that exist in traditional insurance policies by obtaining comprehensive cyber insurance.”
But, while Egan thinks pharmacists are generally aware of cyber liability, he also said there’s room for more education about evolving exposures and coverages, such as cyber liability insurance, that can cost-effectively address them.
Warren said the size of a cyber loss can be so huge that it can cripple a pharmacy, or even put it out of business. And, most small companies don’t have the financial resources to protect themselves.
“With cyber liability, some of the costs people think about is notifying the affected parties and doing credit monitoring, but there’s also legal defense costs, regulatory fines and penalties, data loss and business interruption,” Warren said.
“If your company has a data breach and you send out a notification or it hits the press, imagine hundreds of your customers calling your business all at once,” he said. “How will they feel when they don’t get an answer or can’t get a hold of somebody?”
Cyber liability insurance is a way to offload some of the costs, should your pharmacy fall victim to a cyberattack.
Egan said each legal entity should have cyber insurance coverage. “It is simply becoming part of best practices as each of the stakeholders, including customers, owners and vendors, have an interest in making sure these assets are protected and that remedies exist if they are lost or stolen,” he said.
And, it’s important to look for a policy with proper terms and conditions that provides broad coverage, few exclusions and a price point that makes sense. “You definitely want broad coverage that essentially provides coverage for ‘any’ type of breach, whether accidental or malicious and no matter where your data is, because at the end of the day, the pharmacy is responsible,” Egan said.
Warren said pharmacies need to look for certain features in a cyber liability insurance policy, including an aggregate limit (to apply resources where you need to apply them); recovery and restoration of data; lost income due to inoperable systems; data breach response services such as forensics, legal, public relations and customer notification expenses; and fines and penalties for violations.
“It’s imperative to have adequate coverage and limits that address these cyber, privacy and computer security risks,” Egan said. “Having dedicated and tailored cyber coverage for pharmacists will help fill gaps in traditional coverages and help ensure the business survives a malicious attack or ordinary accident.”
Judge said the FBI is the number one resource for small businesses in the case of an attack. “They want to know what’s going on, as they may see trends,” she said. “They’re not going to fix it for you, but they want you to report it so they can continue helping to stop this problem.”
The SBA also recommends informing local law enforcement or your state attorney general, as appropriate.
Additionally, you should contact your insurance company and consult legal counsel to initiate a response plan and determine what next steps you need to take.
The FTC offers valuable resources at ftc.gov to guide businesses through the steps they should take in response to a data breach, including how to secure your operations, fix vulnerabilities and notify the appropriate parties. You can also download a model letter for notifying people.
Now’s the time to secure your pharmacy from cyberthreats.
“Cybersecurity has always been important and pharmacists have always recognized the threats of the personal health information, but the world has changed and it matters now more than ever,” Warren said.
And independent pharmacies can’t ignore it. “Don’t look the other way,” Judge said. “Make sure this becomes a part of what you do. You need to build cybersecurity into the culture of your business because it is a growing threat.”
Cybersecurity is more important now than ever. Small businesses, including your independent community pharmacy, need to be aware of the threats out there. Here are some key cybercrime terms you should know.
A remote attacker controls a large number of compromised computers over a single reliable channel in a botnet, which can then be used to launch coordinated attacks.
Denial of service
An attack on a computer or network in which bandwidth is flooded or resources are overloaded to the point where the computer or network’s services are unavailable to clients.
Software that can track every keystroke typed on a computer.
A type of malware that encrypts computer data and holds it hostage until a fee is paid.
The act of taking advantage of other people’s instincts to be trusting and helpful.
Remotely controlled, compromised systems specifically designed to send out large volumes of junk or unsolicited email messages.
An email that appears to be from an individual or business you know, but that is actually from a criminal hoping to trick you into divulging your passwords.
Source: Symantec Corporation
Use these cybersecurity tips to help protect your pharmacy from a cyberattack.
Source: Federal Communications Commission (FCC)
The National Institute of Standards and Technology (NIST) created a five-step process that has become an internationally recognized standard. NIST uses these steps as the five ‘functions’ of its Cybersecurity Framework Core, which aids businesses in managing cybersecurity risks.
Follow this process when addressing cybersecurity in your pharmacy to help protect your business and recover from an attack if necessary.
Know what data and technology assets you have.
Once you’ve identified what you have, take steps to protect it.
Have a means to detect when a problem occurs.
Have a response plan that focuses on fixing the problem and business continuity while you’re resolving the issue.
Work with your staff to determine what recovery looks like and have relationships with professionals who can help.