May 12, 2020
Small businesses are the victims of 58 percent of all targeted cyberattacks, according to a 2019 study on data breaches from Verizon. That’s because hackers assume small businesses won’t have the same ironclad defenses as large companies.
As a pharmacy, if you fall victim to a cyberattack, you risk losing not only money, but also your patients’ private health information. To protect yourself and your patients, you have a duty to stay vigilant and up to date on all the ways cybercriminals can breach your pharmacy’s defenses.
As technology has advanced, so has the way hackers do business. Cybercriminals are more sophisticated than ever — here’s how they might come after your pharmacy.
Phishing scams are far and away the most common cyberthreat faced by small businesses. And over the years, cybercriminals have gotten better at them.
Instead of arriving as mass emails asking for credit card numbers or bank account information, phishing operations now target small businesses specifically, imitating employees, vendors, or clients of your pharmacy.
These seemingly authentic emails will trick recipients into entering sensitive information like passwords and financial information or clicking on a malicious link. And they occur frequently — one in 99 emails is a phishing email, according to the digital security company Avanan. It only takes one employee engaging with a phishing email to expose your entire pharmacy.
One of the most pernicious consequences of a phishing email is ransomware. If someone in your pharmacy clicks a malicious link, it can download software onto your computer that takes your data hostage. Then, the creators of the ransomware will demand money from the pharmacy in exchange for returning the data.
This kind of cyberattack is especially harmful for businesses in the healthcare sector that handle private health information. Small and medium-sized healthcare organizations were the most common target for ransomware attacks in 2018, according to a report from Beazley Breach Response Services. The average demand from hackers was $116,000 in 2018, but some companies faced ransoms of millions of dollars.
The tools in your pharmacy are getting “smarter,” with everything from your POS system to your thermostat now connected. But the more smart devices you have in your pharmacy, the more at risk you are of cyberattacks.
If the vendor of one of your smart devices experiences a security breach like a DDoS attack, the hacker can wreak havoc on your pharmacy. The video from your security camera could be streaming online, or sensitive financial information from your POS could be exposed.
Many manufacturers of smart devices aren’t transparent about experiencing unusual network issues, leaving their clients exposed.
Phishing and ransomware operations often cast a wide net, trying to secure information from any business that takes the bait. But increasingly, healthcare businesses like pharmacies are subject to targeted attacks.
These have been on the rise in relation to COVID-19. The U.S. Cybersecurity and Infrastructure Security Agency is currently investigating a large-scale effort to target pharmaceutical organizations and other healthcare organizations and disrupt the supply chain during the pandemic.
There are also accounts of password spraying, which is when a cyber attacker tries to break into an organization by testing commonly used passwords against multiple accounts.
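The password-spraying pattern described above leaves a recognizable trace in login records: one source failing against many different accounts, only a few tries each. The following Python sketch is an added example, not part of the original article; the log format, thresholds, and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-login events (timestamp, source IP, username).
# Addresses come from documentation ranges; none of this is real data.
SAMPLE_FAILURES = [
    ("2020-05-12T09:00:05", "203.0.113.7", "alice"),
    ("2020-05-12T09:00:41", "203.0.113.7", "bob"),
    ("2020-05-12T09:01:17", "203.0.113.7", "carol"),
    ("2020-05-12T09:01:52", "203.0.113.7", "dave"),
    ("2020-05-12T09:02:30", "203.0.113.7", "erin"),
    # One employee mistyping a password several times: not a spray.
    ("2020-05-12T09:03:00", "198.51.100.20", "frank"),
    ("2020-05-12T09:03:10", "198.51.100.20", "frank"),
    ("2020-05-12T09:03:25", "198.51.100.20", "frank"),
    ("2020-05-12T09:03:40", "198.51.100.20", "frank"),
    ("2020-05-12T09:03:55", "198.51.100.20", "frank"),
    ("2020-05-12T09:04:05", "198.51.100.20", "frank"),
]

def find_password_spraying(failures, window_minutes=30, min_accounts=5):
    """Return {source_ip: sorted usernames} for sources whose failed logins
    hit at least min_accounts distinct accounts inside one time window."""
    by_source = defaultdict(list)
    for stamp, source, user in failures:
        by_source[source].append((datetime.fromisoformat(stamp), user))

    window = timedelta(minutes=window_minutes)
    flagged = {}
    for source, events in by_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Move the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {user for _, user in events[start:end + 1]}
            if len(users) >= min_accounts:
                flagged[source] = sorted(users)
                break
    return flagged

if __name__ == "__main__":
    for source, users in find_password_spraying(SAMPLE_FAILURES).items():
        print(f"{source}: failed logins against {len(users)} accounts: {users}")
```

Counting distinct accounts rather than total failures is what separates a spray from a single user who forgot a password, which a simple lockout threshold would not distinguish.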
While cyberattacks can happen to any business, you don’t have to be a computer whiz to protect your pharmacy. Use these best practices to keep your pharmacy’s data secure.
One of the best ways to protect your pharmacy is for you and your staff to practice good password hygiene. This means creating a different, strong password for every single account. The Small Business Administration recommends strong passwords include:
These passwords can be made even stronger by using multi-factor authentication, meaning users must enter a security code that has been sent to their phone to log in.
If remembering so many passwords seems impossible, use a password manager like LastPass to keep passwords securely stored.
Make a conscientious effort to keep your staff informed about digital best practices.
Since phishing is the most common way that data gets compromised, you can run a phishing test as a teaching opportunity. If you send out a fake phishing email, those who get caught in the net will be more careful about opening suspicious emails in the future.
Warn staff about downloading files, because one errant download can lead to a ransomware attack, and make sure they keep their web browsers up to date with the latest security updates.
Not every staff member needs to have unfettered access to all the pharmacy’s accounts. Grant permissions for every program you use on a need-to-use basis to lower the risk of unauthorized individuals gaining access, and don’t use shared accounts where multiple people are accessing a program with the same username and password.
Laptops are especially easy targets — they can easily be lost or stolen — so make sure to lock them up when they aren’t being used.
Be cautious about who you grant administrative privileges to. Only key staff members should be given that much power.
If you lose data in a cyberattack, you may find yourself up a creek without a paddle if you haven’t been backing up your computers. Automate your backup system so you are saving your critical information every single day.
An ideal backup is kept offsite — that way if a natural disaster strikes and destroys your entire pharmacy, you’ll still have your important data. Cloud storage is an ideal way to accomplish this, but if you are wary of the cloud, you can also back up to a local drive — just make sure to store that drive securely in a fireproof safe or take it with you when you leave the store. To be extra cautious, you should keep backups in multiple locations.
Even if you take every precaution, you can still end up falling victim to a cyberattack. It’s a good idea for your pharmacy to carry cyber liability insurance.
A cyber liability insurance policy will cover any expenses related to a data breach. If you’re being extorted through ransomware, it will cover the demand. It also covers the cost of notifying patients about the breach and any HIPAA fines you might incur, as well as credit monitoring services for the affected patients.
Cyber liability insurance may seem like overkill, but considering a single breach can cost hundreds of thousands of dollars, it’s a smart move to have it in your back pocket.
PBA Health is dedicated to helping independent pharmacies reach their full potential on the buy side of their business. The company is a member-owned organization that serves independent pharmacies with group purchasing services, expert contract negotiations, proprietary purchasing tools, distribution services, and more.
PBA Health, an HDA member, operates its own NABP-accredited (formerly VAWD) warehouse with more than 6,000 SKUs, including brands, generics, narcotics CII-CV, cold-storage products, and over-the-counter (OTC) products.