Pharmacies – be they chains or independents, on the high street or operating within a hospital setting – remain a prime target for cybercrime.
Research published by Accenture in the spring revealed that 13% of respondents in England had been the victim of personal medical data theft. What interested me most about that particular survey was that most of these breaches, 35%, happened not in a hospital setting (29%) or at the GP surgery (19%) but rather in pharmacies.
It’s not just the theft of the data that links to pharmacy, but the subsequent use of that stolen information. The same research suggested that in the majority of cases (42%) it was used to fraudulently fill prescriptions.
Despite this, some 77% of those polled said they still trusted their pharmacy to secure their health data, which begs the question of whether that trust is misplaced and, indeed, whether enough is being done to protect this hot spot in the health data threat landscape.
Let’s start with the obvious threat analysis. Pharmacies tend to be highly exposed in terms of the threatscape as they combine retail (payment systems and data) with health. That these are two of the hottest spots on the cyber-criminal radar right now makes the pharmacy a prime target.
So what should pharmacies be doing to fend off the attention of the attackers? It could be said that they are doing a decent enough job as it is, when you consider that pharmacies managed to avoid – on the whole – getting dragged into the ransomware cyber-cesspool that was WannaCry earlier in the year. I’m certainly not aware of any community pharmacies being shut down by the attack. In fact, many acted as a crucial crutch for patients who found themselves unable to get their meds at the hospital. Sure, some GPs got caught up in the mess and couldn’t issue ‘digital’ prescriptions or printed ones, but on the whole there wasn’t as much disruption as one might have expected.
This is not cause for complacency though. Globally, pharmacies have been targets for ransomware actors, rather than just collateral damage as the NHS was in the WannaCry affair. A number of Australian pharmacies were held to ransom in 2014, and German pharmacies were also targeted last year as electronic prescriptions and digital records become the norm.
The General Pharmaceutical Council (GPhC) is the independent regulator for pharmacists, pharmacy technicians and pharmacy premises and issues guidance regarding the protection of patient data. This includes risk assessment covering areas such as business continuity, staff training, Payment Card Industry Security Standard (PCI DSS) implementation and systems for receiving and processing Electronic Prescription Services (EPS).
All of which is good advice, but may appear overwhelming to the smaller, family-run community pharmacies which have neither the budgets nor necessarily the skillsets to properly tackle cyber security issues.
This is where CareCERT comes into play, offering help to such organisations to improve the cyber-resilience of their operations. In particular, community pharmacies should be taking advantage of the risk assessment and e-learning services on offer, which will hopefully remove the need to call on the CareCERT experts who are on hand to help with post-breach response.
This latter comment should not be taken too flippantly though. While it is, of course, preferable not to require post-breach help (because no breach has occurred), it’s vital to have incident response planning in place: not only to make the process of dealing with an attack less prone to stress-related errors, but also to help highlight where the weak spots in your security strategy might lie. It always amazes me how often an organisation hits that eureka moment regarding cyber security during the incident response planning phase of establishing an overall data protection posture.
For further reading, I suggest taking a look at the Pharmaceutical Services Negotiating Committee briefing ‘Ten steps to help improve data and cyber security within your pharmacy’, which was published in August this year. It contains lots of useful information.
Digital Health is hosting a new dedicated conference focused on protecting health and care and other citizen-facing public services. Public Cyber Security takes place on 7 December at the ICC Birmingham, and is free to attend for information security, IT and IG professionals.