Expert: Pharmacy is Just as at Risk of Ransomware Attacks as Other Health Care Providers

Ed Zacharias, a managing partner of the Boston office at McDermott Will & Emery and a partner in the health industry advisory group, discusses the intersection of telemedicine and cybersecurity, specifically in relation to ransomware attacks.

Pharmacy Times® interviewed Ed Zacharias, a managing partner of the Boston office of McDermott Will & Emery and a partner in the health industry advisory group, to discuss the intersection of telemedicine and cybersecurity, specifically in relation to ransomware attacks against telemedicine platforms and vendors.

Zacharias explained that pharmacies are just as at risk of ransomware attacks as the rest of the health care ecosystem. The risk posed by ransomware came to the forefront over the past week after a cybersecurity attack halted the operations of Colonial Pipeline, which produces nearly half of the fuel consumed by the East Coast of the United States.

“There are examples of pharmacies who have been subject to ransomware,” Zacharias said. “You can just simply do an internet search for pharmacy and ransomware and you'll see some very recent examples. So, it is an issue for all health care providers, and I would include pharmacies in that.”

Ransomware attacks against telemedicine platforms and vendors have also increased during the COVID-19 pandemic. Zacharias noted that this may be due to how many people are working from home and using telemedicine platforms instead of in-person visits.

Additionally, the speed of the switch to remote work expanded the surface area of potential attack vectors and created more opportunities for ransomware attacks. Also, due to the speed of the transition, some companies may not have quickly issued devices with security measures in place to all employees for secure work from home purposes, which may mean that employees used their personal computers to access work files and software instead.

“A lot of folks just were using their own devices to connect in because there just wasn't enough time, and the cost to issue all workforce members who needed them devices that were sort of staged with the organization's information security platform on them—that was a challenge initially,” Zacharias said.

Furthermore, Zacharias explained that the Department of Health and Human Services, which is the entity that enforces the Health Insurance Portability and Accountability Act (HIPAA), early in the pandemic came out and said they are not going to enforce HIPAA against organizations that use video and voice platforms for patient-provider interactions even if those organizations and telecommunication technologies are not necessarily compliant with the HIPAA security role.

During the interview, Zacharias also discussed how pharmacies and hospitals can proactively defend their organizations against ransomware attacks, details of success stories of health care organizations effectively defending themselves against ransomware attacks, and the value of the pharmacist in successfully navigating the rapidly changing space that is the intersection of telemedicine and cybersecurity.