There are direct and indirect effects from the COVID-19 pandemic. Direct effects like death, mental illness, drug overdoses, and financial losses due to lockdowns are easily identified. Indirect effects are more challenging to pinpoint. We think of indirect effects as those outcomes that are enabled or facilitated by the pandemic but are not specifically caused by the pandemic. In many cases, indirect effects occur because our attention is diverted due to the pandemic. Here in the Auburn, Ala., area, our friends in the community pharmacy setting have described to us the realities of the pandemic diverting their attention from normal routines.
Even in situations of “normal” operations, we must prioritize our attention to address the most pressing issues. Patients standing at the counter are going to receive high priority, as are prescribers returning a call to clarify a patient’s therapy. And while payers may not always prioritize calls from the pharmacy, the pharmacy staff certainly prioritizes conversations with payers to clarify a patient’s coverage. Other times, our prioritization may be driven by external forces. For example, prescriptions for Schedule II medications obviously require a higher level of attention than most all other prescriptions, at least from a regulatory standpoint.
Other components of pharmacy operations may not receive attention until a problem is identified. Does your pharmacy have a schedule for routinely checking automation devices for signs of pending failure? Is the staff routinely updating software critical to pharmacy operations? In many cases, updates may occur automatically and are pushed to the pharmacy by the vendor. Does your website vendor provide a service to monitor your site’s availability and uptime?
These are all important topics. But what about systems security? Are you devoting the necessary attention to ensure your pharmacy management system — the foundation of operations — is secure? Privacy and security are the two key terms in this space. Privacy is the state of maintaining control over information and its use. Security is the ability to protect information from unauthorized access. These concepts are closely related, but we will focus on security.
The pandemic led to loosening of regulations around telehealth, and information technology allowed people to reconsider where they lived due to the new ability to work remotely. While many businesses (i.e., hospitality, restaurants, travel, etc.) were profoundly impacted, technology enabled many personal and business interactions to continue. This collective shift to new digital and internet-based work and personal life activities does pose challenges for healthcare, including pharmacy.
While the United States, and the world, have been fighting the pandemic and simultaneously adjusting to new personal and business normals, nefarious individuals and groups launched unprecedented cyberattacks on hospitals and health systems (after a brief ceasefire). Due to a variety of factors, hospitals and health systems are popular targets for hackers. Reports of cyberattacks on community pharmacies are currently more common outside of the United States. This does not mean attacks have not occurred here. ComputerTalk readers are likely familiar with local incidents that did not receive widespread media attention.
Accordingly, community pharmacists must be vigilant in efforts to ensure the security of their critical software and hardware infrastructure. The first term to know is ransomware, which was the primary method of attacks against hospitals in 2020. McAfee.com defines ransomware as, “malware that employs encryption to hold a victim’s information at ransom.” Essentially, the victim’s data is encrypted by hackers who do not provide access until a ransom is paid. The recent attack on Colonial Pipeline was a ransomware event. Phishing (another key term) occurs when a hacker sends an email appearing to be from a reputable company or known individual. The email recipient is tricked into providing personal information (e.g., passwords, Social Security number, etc.) that is subsequently used for unauthorized purposes. Phishing emails often contain active hyperlinks, which are sometimes used to install malware on the recipient’s computer. This is a common method to initiate a ransomware attack.
So what can you do? The first step in securing your pharmacy’s system is to talk to your vendor. They can — and should — be a partner in securing your system. They can likely provide training for your team. Beyond training, how do they proactively help secure your system? How are firewalls and encryption deployed to minimize risk? What security-related support options do they provide (e.g., antivirus software, multifactorial authentication)? Depending on your system’s design, are there reconfiguration options that minimize risk? Can your vendor conduct a vulnerability assessment to identify potential security gaps? Can you designate specific patient records as “high profile” and receive a notification whenever they are accessed?
Training Tops the List
There are a variety of measures that can be deployed at the pharmacy. Regardless of the source, training is a key method to minimize security risks. Training should raise employees’ awareness of the problem, its causes, and the implications for patients, the pharmacy, and employees. Training should also emphasize specific threats (e.g., ransomware, phishing) and how employees can fight these threats. Employees should be trained on how to recognize phishing emails.
HELPFUL RESOURCES > Click to access Federal Trade Commission information about how to recognize and avoid phishing scams.
It is generally advisable that internet use and personal email access are not allowed on computers that are used for patient care. If this cannot be avoided, employees should understand safe email and browsing practices (e.g., avoid questionable links and downloads). It is also generally advisable that portable devices (i.e., USB drives) are not connected to patient care computers. If this is necessary for patient care purposes, the drives should be encrypted. Similarly, if patient data is stored on laptops, their hard drives should be encrypted. Lastly, patient care computers should not be used to access personal cloud storage services.
Password hygiene is a critical step as well. While your vendor likely has password requirements, the Small Business Administration recommends passwords contain at least 10 characters with one uppercase and lowercase letter, at least one number, and at least one special character. Passwords should never be reused. A variety of free and fee-based password management apps are available for smartphones and computers. Your author has more than 500 unique passwords in one such app.
Speaking of your computers, it is important to know where the most valuable data is stored — if your data is stored in the pharmacy. This piece of equipment may need additional access restrictions, depending on the physical design of the pharmacy. Related backup procedures should ensure that data is routinely stored in a secure, physically safe location. In today’s pharmacies, this is often handled by your vendor partner. Additionally, user management principles should ensure that access to your system is limited to those who need it to perform routine pharmacy functions.
In reviewing this list of steps, it is somewhat daunting to consider the array of threats and the variety of measures that can and should be leveraged to secure your pharmacy. If we had to pick three recommendations from above as the minimum, we recommend (1) calling your vendor, (2) training employees about phishing and password hygiene, and (3) ensuring software is up to date. We sincerely hope ComputerTalk readers use the tools at their disposal to avoid becoming victims of an attack. CT
Brent I. Fox, Pharm.D., Ph.D., is an associate professor in the Department of Health Outcomes Research and Policy, Harrison School of Pharmacy, and Joshua C. Hollingsworth, Pharm.D., Ph.D., is an assistant professor, Pharmacology and Biomedical Sciences, Edward Via College of Osteopathic Medicine, Auburn Campus, Auburn University. The authors can be reached at firstname.lastname@example.org and email@example.com.