June 28, 2017
You’re probably wondering why your independent community pharmacy should care about cybercrime. What does anything cyber have to do with you?
The truth is, cybercrime affects everyone, but it’s especially dangerous for small businesses like your pharmacy.
Experts say it’s a matter of when, not if, a small business will be the victim of a cyberattack.
The numbers say that 71 percent of cyberattacks occur at businesses with fewer than 100 employees.
Those are scary facts. Especially if you don’t understand cybercrime.
If you’re like many small businesses and wonder what exactly cybercrime is and what it means for your business, you’re not alone.
We’ve put together the basics for you. Here’s what your independent pharmacy needs to know about cybercrime.
Cybercrime is a catch-all term that describes any digital crime, like theft of personal or financial data occurring through a computer or mobile device.
For retailers, such as your pharmacy, cybercrime also includes any crime involving your point-of-sale systems (because they’re considered computers), like theft of credit card information.
Cyber security describes measures taken to prevent cybercrime. It can include numerous actions, like installing anti-virus software or encrypting data.
Cybercrime takes many forms. Nearly all of them can be used against your pharmacy.
The most common threat is a phishing email, used in 91 percent of cyberattacks. Phishing emails appear to come from a trusted source and typically ask for personal and financial information.
For example, the email might display an IRS logo and request your Social Security number. Or, your “bank” might ask you to verify your credit card information. Sometimes, even clicking on a link in the email is enough to grant criminals access to your information.
Once you grant them your sensitive information, they can use it for identity theft and financial theft, or they can sell the information to others for a high price.
Some other common threats include:
Denial of service. An attack on a computer or network in which bandwidth is flooded or resources are overloaded to the point where the computer or network’s services are unavailable to clients.
Software that tracks every keystroke typed on a computer.
Malware that encrypts computer data and holds it hostage until a fee is paid.
The act of taking advantage of other people’s instincts to be trusting and helpful.
Remotely controlled, compromised systems specifically designed to send out large volumes of junk or unsolicited email messages.
Becoming a victim of a cybercrime can cost as little as nothing (except the time it takes to contain the threat) or as much as your entire business.
More than likely, it’ll cost you a lot. Sixty percent of businesses that suffer an attack are out of business within six months.
The average cost of a data breach for small businesses, according to Keeper Security’s “The State of SMB Cybersecurity” report, is $900,000. Restoring the business to normal costs an additional $1 million.
Costs are associated with theft of data, extortion, business interruption, regulatory fines and penalties, and lawsuits.
In addition, during recovery, you may have to pay for a third party to review and contain the attack, as well as legal counsel and associated legal fees.
Pharmacies also face cyber liability. A data breach affects your patients, your partners and your third parties. Your pharmacy can be held responsible for damage or even perceived damage to the parties whose data has been compromised.
The consequences will always vary depending on the depth and type of attack and the people affected by the attack.
Bottom line, the risk to your pharmacy is too high to take any chances.
Your pharmacy holds lucrative customer information on credit cards and personal data.
In addition to basic customer financial data, medical data is worth money on the black market.
Your pharmacy houses electronic health records (EHRs), which contain much of our identities, ranging from social security numbers to dates of birth, addresses and prescriptions.
A stolen EHR might fetch 10 times as much money as a stolen credit card, according to a report from the Workgroup for Electronic Data Interchange.
And, health care data breaches may take months or even years to identify, and there’s no simple remedy once an EHR has been breached. This makes it more likely for cyber criminals to get away with stealing EHRs.
For some crimes, it doesn’t matter what information you have access to as long as you rely on your computer for anything. Instead of stealing information, those types of cyberattacks, like ransomware, work by holding your system hostage or degrading your network until you pay a large fee.
Lastly, small businesses are often targeted because they usually don’t have the resources to heavily invest in cyber security, making them easy targets.
The best way to protect your pharmacy is to focus on the most common vulnerabilities. Common vulnerabilities include untrained employees, poor passwords, broad data access by those who don’t need it and non-encrypted electronic equipment.
To counter those vulnerabilities, implement these simple strategies:
Independent pharmacies have many helpful resources available to them to learn about cyber security and how to protect their businesses from an attack. The National Cyber Security Alliance (NCSA), U.S. Small Business Administration (SBA), Federal Trade Commission (FTC), and U.S. Department of Homeland Security (DHS) all offer helpful tools and information on their websites.
How you handle a cyberattack can make the difference between minimal and permanent damage to your pharmacy. Take these steps for a smooth recovery:
Find the root cause. The first thing to do after you’ve been hacked is to find the source of the data breach and fix it. Hire an independent third party of forensic IT experts to do the work. These organizations have the tools and expertise to quickly determine the root cause of an event and to repair it and prevent it in the future.
Get legal counsel. Don’t risk legal ramifications or costly liability for your data breach. Reach out to a legal representative to guide you through your response to ensure it meets all legal requirements.
Contact your insurance company. If you have cyber liability insurance, the insurance company will often guide you through the process and hire several third parties, like system engineers, for you. Cyber liability insurance is offered separately from your general liability coverage, so make sure you have it.
Change your information. After your system has been recovered and the threat removed, you need to start making calls and changing online account information. Change all your passwords, notify the credit bureaus, and tell your banks and credit card companies to lock your accounts.
Notify affected parties. If other people have been affected by the breach, inform them as soon as possible. Speak to your lawyer beforehand to know what’s required to share and what’s wisest not to share.
Now that you understand cybercrime, your pharmacy can combat it.