Is Your Pharmacy Ready for a Data Hack? Take These 3 Steps

Community pharmacists are vulnerable to security threats, resulting in bad outcomes for both patients and pharmacies. Here’s how to evaluate risk and find the right technology partner to help protect and defend you from cybercriminals.

The threats to community pharmacists are many, such as discount cash cards eating into business. But one often overlooked threat is getting hacked. In 2021, nearly 50 million patient records were compromised according to incidents reported to the federal government.[1]

Health care data are particularly at risk because these data are more valuable on the black market.[2] Whereas the value of a Social Security number is about 53 cents, the value of just one health record is a whopping $250 because it includes personal details rather than just a credit card number.

And yet, pharmacies store both health care and financial data, making advanced security protections even more important. Community pharmacies are seen as relatively soft targets for nefarious players seeking access to patient health care data.

Breaches are very bad for your patients, but they impact your business as well, by taking your systems offline, disrupting care, adding costs for fixes, ruining your pharmacy’s reputation, and even opening up the potential for lawsuits. Just because you are not part of a large health care system or chain does not exclude you from being a target.

But there are steps you can take right now to improve security. Start by evaluating your vendors.

Three questions to ask when evaluating a technology partner

Vendors are cited as the reason for breaches more often than the pharmacy itself. For example, in February 2021, the Kroger Co. had a breach affecting 3.82 million pharmacy customers and employees – the result of vulnerabilities in their vendor’s file transfer service.[3]

Even if you are a small independent pharmacy, cybercriminals are interested in your data. Many small and medium-sized community pharmacies have been breached through company email accounts, unsecured servers, and ransomware attacks.

And yet, pharmacies need vendors for reliable services. So, the first step is to review all vendor agreements. What data are being shared and how are the data being used? Choose a vendor who is natively health care-focused, and don’t cobble too many vendors together to create a solution.

All in all, there are 3 big questions you need to ask your current and potential vendors about their technology:

  • Is it private and secure?
  • Is it flexible and scalable enough for my future needs?
  • Does it interoperate well with what I already have?

Privacy and security: What to ask your vendor

A vendor who is focused on health care data should be able to properly protect and defend your sensitive digital assets. Here are some questions to ask of a potential vendor to ensure privacy and security.

Data compliance

  • Are you HIPAA-compliant?
  • How are the data encrypted, stored, and/or backed up?
  • Provide a list of proofs/certificates showing how you are compliant with the latest security standards.

Process and experience

  • Provide the documented policies and procedures in the case of a data breach or other disaster.
  • Have you had a data breach before? If so, what was the outcome, and what did you do to improve the system to keep it from happening again?
  • Is your staff trained well enough to troubleshoot and answer questions?

Education and training

  • Do you provide training for my employees?
  • Do you have references from other pharmacies similar to my own?

Scalable and flexible: What to ask your vendor

Your business needs to change along with the market and your customers’ needs. Your software must keep up. Look for a vendor who offers scalability and flexibility, meaning the system can increase or decrease in performance and cost in response to changes in application and system processing demands. Here’s what to ask a potential vendor:

Feedback and enhancements

  • How do my business needs get added to your product roadmap?
  • How often do you add features?

Process and updates

  • What will the upgrade process feel like for me? Are there time or money costs on my end?
  • How do you communicate the status of those requests?
  • Based on the size of my business, how will my priorities rank against the rest of your customers?

System installation

  • Are your data systems installed on premises or built in the cloud?
  • If they are not built in the cloud, do you have a cloud strategy, and what is it?

Interoperability: What is it and what to ask your vendor

Interoperability refers to the capability of different solutions to communicate with one another freely and easily. Systems that are interoperable exchange information in real-time, without the need for specialized IT support or behind-the-scenes administrative work.

That makes for secure, more efficient, and coordinated care for your patients. Here’s what to ask of a potential vendor:

Definitions and capabilities

  • What is your corporate definition of interoperability?
  • What are the major aims of your interoperability capabilities?
  • What industry standards, initiatives and networks do you support and participate in?

Data

  • What is your position on patient data ownership?
  • What constraints do you place on patient data access?

Costs and monetization

  • What are the costs associated with interoperating your system?
  • How do you monetize access to patient health information?

Blockchain is a pharmacy-friendly solution for managing risk

As a secure, distributed ledger that tracks transactions over time while protecting those transactions, blockchain streamlines complicated processes while protecting them from tampering. Blockchain offers control over information, with trust built in that the information is accurate.

Blockchain can improve privacy and confidentiality, enhance patient safety, and provide a higher level of clinical care to consumers. Because of a few unique features, blockchain may be a solution for your pharmacy:

  • Creates trust across stakeholders—ownership and any changes are transparent.
  • Security and privacy—reducing tampering, fraud, and cybercrime.
  • Time and cost savings without duplication of efforts—all stakeholders have shared access to the network.
  • Auditability and timely follow-up—avoids potential longer-term problems.
  • Overall efficiency—streamlines the transfer of responsibility and ownership.

Bottom line: Don’t neglect security fundamentals, and find a technology partner who can protect your patients’ data while helping your business grow.

About the Author

Paige Clark, RPh, is the VP of Pharmacy Programs and Policy at Prescryptive, overseeing the company’s policy work to drive awareness, utilization, and scope of trusted independent pharmacists nationally. Prior to Prescryptive, Paige spent 11 years at Oregon State University's College of Pharmacy, driving policy initiatives for the state’s licensed pharmacists, including the prescribing of birth control and tobacco cessation services. Paige also worked as the Staff Pharmacist Consultant for the Oregon Board of Pharmacy, managing rule writing, legislative endeavors, and regional and national policy work. She is a frequent speaker and presenter at national industry conferences and a multi-award winner, including several Pharmacist of the Year recognitions.

References

  1. “Health data breaches swell in 2021 amid hacking surge.” Politico report, March 23, 2022. Accessed June 22, 2022.
  2. “Why is PHI Valuable to Hackers?” Accountable, January 25, 2022. Accessed June 22, 2022.
  3. “Kroger agrees to pay $5 million over Accellion data breach.” Reuters, July 1, 2021. Accessed June 22, 2022.