You cannot go more than a day or two without hearing about another cyber attack in the United States. More importantly for pharmacy owners, health care has become a frequent target for phishing and ransomware attacks. These can devastate an organization, so protecting your pharmacy infrastructure is critical, but have you ever stopped to think about what that protection encompasses? In this blog, we want to cover some essential areas that need to be addressed to ensure your compliance with HIPAA, PCI, and consumer data regulations, along with your general ability to operate “safely” on a day-to-day basis. As you will see, there are many things to think about when it comes to protecting your pharmacy infrastructure from a security standpoint, so let’s jump right in.
Computers / POS Systems
Whether it is the computer that runs the pharmacy software, your POS systems, or personal devices connected to your network, you need to ensure that these systems are up-to-date. You also need to ensure that the essential software and firmware on them are installed and kept updated, including:
- The operating system
- Microsoft Office or whatever productivity suite is being used
- Drivers for attached devices
- Anti-Virus and Anti-Malware software
In most situations, it is best practice to enable automatic updates when possible so you can focus on your customers. You should consult with your computer vendor, pharmacy software vendor, and IT team to ensure the proper updates are being applied.
As mentioned in the bullets above, you need to make sure you have Anti-Virus and Anti-Malware installed on all of your computers, and that any subscriptions you have are kept up-to-date. These services typically work on an annual or even monthly subscription. Once you have confirmed they are installed, up-to-date, and paid for, make sure they are actively scanning your computers to prevent the introduction of a virus or malware.
One other important factor when it comes to the computers and POS systems in the pharmacy is maintaining proper access to them. This means ensuring that only pharmacy staff know the login credentials and that those credentials are protected at all times. Every employee should also have their own username and password that are not shared with other employees.
The software and computers should also be set up to automatically log off, go to a lock screen, or even shut down after an extended period of non-use; a good rule of thumb is five minutes.
The last item we want to discuss for computers is the physical security of the devices themselves. This includes laptops, tablets, smartphones, and other devices that may be loaned out to remote or traveling employees. You need to ensure your facility’s physical security to prevent someone from walking off with a piece of equipment that holds sensitive information.
Printers, Copiers, and Fax Machines
You should follow the same best practices described above for computers and POS systems when it comes to updates for any printers, copiers, or fax machines you may be operating in the pharmacy. These devices usually require updates, whether for the driver software that operates them or for the firmware associated with the hardware itself. You should consult with your vendor or device manufacturer, pharmacy software vendor, or IT team to ensure the proper updates are being applied.
Some of these devices may be set up to retain data in their memory or on an internal hard drive. This onboard storage is another area you need to consider if you ever dispose of these devices (or return leased equipment), as they may still hold confidential information, including PHI. You will need to consult with your vendor or device manufacturer, pharmacy software vendor, and IT team to ensure this data is removed.
Phone Systems
The phone system is another critical piece of your business. In some cases, your phone system (especially if it is interfaced with your computers and network) will also require updates of some kind, whether to the firmware that controls the physical components of the phone system or to the software that provides the many functions and features phone systems possess today. If these updates are not performed, they can leave security holes and vulnerabilities open.
Ensure the phone system components are installed in a location accessible only to individuals who have permission and who require access as part of their job responsibilities. This will also help prevent unnecessary tampering with the system.
Internet and Email Service
The final infrastructure item we will discuss is the all-important Internet access, which is undoubtedly crucial to the pharmacy’s operations. You should consult with your Internet provider, store management, and IT team to ensure all devices required to run your Internet services are up-to-date, including their software and firmware.
In most setups, a gateway device is installed at the location to access the Internet, and this gateway can usually provide some basic security. Further protection can be provided by implementing a firewall that all Internet traffic routes through and that provides more security features than the gateway is capable of offering. Of course, the firewall must be maintained as well when it comes to updates. You should consult your Internet provider, pharmacy software vendor, store management, and IT team to ensure the proper amount of security is in place.
As far as email is concerned, be very cautious about who has access to the credentials for all email accounts associated with the pharmacy. Ensure policies are in place to update the credentials for those accounts when employees leave the company, regardless of the reason. Finally, ensure your employees receive some training related to phishing emails and other social engineering tactics to help prevent your pharmacy from becoming the victim of a cyber attack.
Employee Training
The human factor in IT security is typically the weakest. You can get everything else above right, but a poorly trained or unobservant employee can still take you down the IT security rabbit hole. For the sake of brevity, we want to list the areas that employees should be trained on when it comes to computer security:
- Password Usage and Protection
- Physical Security of loaned devices (laptops, smartphones, and tablets)
- Email Security
- Phishing attempts
- Not installing software without approval
- Not inserting unknown storage media into computers (CDs, DVDs, USB Drives, etc.)
Key Takeaways
There are a few key takeaways here, namely:
- Keep all of your software and devices up-to-date
- Ensure you have installed Anti-Virus and Anti-Malware software
- Ensure you have turned on security settings
- Ensure you have changed default passwords
- Ensure your employees are trained
- Security is an ongoing process that will require diligence
And most importantly, remember that this blog is not an exhaustive list of everything you need to consider when setting up your pharmacy IT infrastructure to prevent security incidents.
How Can PRS Help?
PRS has been at the forefront of HIPAA Compliance for Pharmacy since the beginning of HIPAA in 2003 with a HIPAA Compliance Program developed by individuals who work in Pharmacies.
PRS’s HIPAATrack is designed to walk you through the process of implementing and maintaining your Pharmacy’s HIPAA Compliance Program. The Program provides Policies, Procedures, and Forms following the HIPAA Regulations, including the IT Security requirements of the HIPAA Regulations. The HIPAATrack program also contains online HIPAA Training based on the included Policies and Procedures, so there is no need to worry about whether your employees are receiving training or merely education. The training is also designed to cover the employee training items listed above.
For more information about PRS Pharmacy Services’ Pharmacy Compliance Offerings, click on one of the following links, HIPAATrack and COMPLIANCETrack, or call PRS at 1-800-338-3688. Join the thousands of independent pharmacies that currently enjoy the benefits of PRS’s Compliance Programs.
October is Cybersecurity Awareness Month. For more information on Cybersecurity, please visit the Cybersecurity & Infrastructure Security Agency’s (CISA) Cybersecurity Awareness Month website here.