US Pharm. 2016;41(2):26-28.
The healthcare landscape is evolving and becoming more decentralized, creating a globally connected environment with health information technologies and solutions at its core. Stakeholders are also recognizing that technology solutions and healthcare information are strategic assets for the healthcare environment. These assets synergize into a powerful new paradigm for all healthcare professionals by ensuring that data are available at the point of care and whenever else they are needed.
These technology enablers and solutions must be secure, not only for supporting patient care, but also for governmental programs. It is critical to maintain the integrity of data delivered for programs such as Meaningful Use, research protocols, health exchanges, and even for physician alignment and physician networks.
Increasingly, stakeholders are accepting the introduction of these technologies into the healthcare environment. Various key players can now access, send, and receive electronic data supporting diverse healthcare functions. This, in turn, is spawning a healthcare delivery service available to not only those who suffer from chronic diseases, but also empowering those who are—and want to stay—healthy and well.
Coupled with this advancement is our reliance on massive collections of data needed to improve healthcare outcomes; no longer are technologies simply transferring data from site to site, but rather they are transferring actionable data for clinical use and for decision-making opportunities supporting patient care. Simultaneously, the technology must be able to protect all healthcare consumers’ confidential data along the way.
Given this complex landscape that has emerged in our healthcare delivery process, merely complying with HIPAA rules—once the gold standard for security protocols and processes—is no longer the benchmark for securing healthcare data. Considering the advancement and scope of technologies on the market, we need new, practical steps infused into older security protocols to further our protective mechanisms and keep our healthcare data secure and confidential.
The Allure of Electronic Health Records
Electronic health records (EHRs) contain much of our identities, ranging from social security numbers to dates of birth, addresses, and even prescriptions. Unfortunately, these data are potentially valuable to would-be thieves, and unlike our credit cards wherein we can almost immediately detect fraud, healthcare data breaches may take months to even years to identify, and there is no simple remedy once an EHR has been breached. Additionally, it might take years to fully understand the ramifications of any such healthcare security breach.
A report from the Workgroup for Electronic Data Interchange notes that medical records contain a wealth of information.1 As a result, a stolen EHR might fetch an estimated $20 on the black market versus a credit card, which generally brings only $2.1 This is because the data value is much greater in a medical record, not only by virtue of the information itself, but also because identity theft is much harder to uncover and resolve when it involves a medical record, despite the otherwise strict privacy and security guidelines in place.1
As a result, theft in the healthcare arena—along with the sophistication of healthcare cyber attacks—is on the rise.1 For example, a recent estimate states that between 2010 and 2014, approximately 37 million healthcare records were compromised, with reports suggesting that almost half of healthcare organizations have experienced cyber attacks in the past 12 months, leading to at least $6 billion in damages.1 Furthermore, in the first 4 months of 2015 alone, 93 separate attacks—most of them launched by criminal activity—were responsible for the potential breach of over 99 million healthcare records.1
These attacks continue despite the introduction of even more robust IT security measures. Health data in EHR systems such as EHR interfaces, repositories, databases, connected mobile and medical devices, and even personal devices are now at risk for security breaches. In order for our healthcare system to advance and benefit from the newly emerging electronic infrastructure, we must redouble our efforts to improve cyber security.
To further put the severity and scope of this challenge into perspective, there was recently (in 2014) a 25% increase in healthcare data breaches (2% more than “all industries”), with human error/device theft still making up the majority.2 Lost or stolen devices account for 44% of healthcare breaches (10% higher than in 2013).2
Additionally, the number of identities being accidentally exposed were up 11% in 2014, while the number of data breaches in healthcare that were the result of insider theft doubled in 2014. Overall, data breaches resulting from cyber attacks were up 82% in 2014, with healthcare being one of the four most vulnerable industries for exposing individual identities.2
These alarming statistics have helped us to focus our energies on protecting patient data without jeopardizing the access to clinical information. So given these data breach occurrences, what can pharmacists do to be better prepared to minimize—if not eradicate—cyber security attacks?
Risk Factors for Cyber Attacks in Healthcare
First, let’s understand some of the reasons behind cyber attacks in healthcare. These risk factors include: vulnerabilities associated with an inexperienced workforce having access to data that is not needed for their roles and responsibilities; access to electronic equipment that is not only nonencrypted, but mobile; and finally, the lack of systematic tracking of possible breaches, with no formal cyber breach plan or response plan in place when a breach occurs.
Pharmacies potentially run the same risk as all other healthcare professionals, because they have not only introduced common technologies into our practices but also the same monitoring protocols. Pharmacies are also processing more and more electronic prescriptions, and they are increasingly functioning as medical clinics, creating additional access opportunities into our data systems.
What can pharmacists do to combat cyber security threats? First, pharmacists need to build a culture within their organizations for prevention of cyber breaches.1 Pharmacists can advocate for implementing secure protocols and standards for data interchange between systems.3 Such systems can include those that communicate between the pharmacies and payers, including government programs. Other systems within pharmacies might communicate with healthcare organizations, and even with such technologies as medical devices in cases where there is a clinic within the pharmacy.
Some pharmacy systems will now interface through the cloud, and most pharmacies today have a system that communicates with an e-prescribing network. Pharmacists should request that a vulnerability assessment be carried out on a regular basis for all such systems so that potential security gaps can be identified and mitigated.3,4 Critical security controls should be in place to monitor the activities of all pharmacy systems.3
Second, pharmacists need to ensure that their systems employ a comprehensive strategy of data defense with robust firewalls. This includes encryption and safe access between data exchanges.4 Further, access to data should be limited based on roles of individuals, so that only those with a genuine business need can access certain confidential patient data. Pharmacists should ensure that credentials for system access are in the right hands.4
Password management is critical; passwords should be complex enough so they are not easily breached by hackers.3 In this regard, system policies can be created to enforce password rules. This can include a two-step authentication process featuring a hardware token and a biometric credential such as a fingerprint.4 This security effort requires that any system user has two out of three types of credentials when accessing a pharmacy system and adds a layer of security and protection for more secure healthcare access overall.
Third, pharmacists need to adequately train staff so they appropriately recognize security risks and are cognizant of pharmacy security systems, realizing that data integrity is necessary for clinicians and the security of that data is key to patient management.3,4 Staff should be reminded to never leave passwords on a piece of paper or somewhere else easily accessed by others.5 Because flash drives or other devices can be infected with malware, employees should not bring them into the pharmacy.3 Further, pharmacy staff should be taught to recognize phishing attacks embedded in e-mails, as they may allow malicious software to gain access to the system.3In this regard, staff should not use pharmacy systems for personal e-mails or personal cloud-based applications.5 Staff should be advised to never share passwords or hardware tokens. Any mobile electronic devices with sensitive information should be routinely encrypted, including USB flash drives and laptop hard drives. This prevents accidental exposures such as dropping an unencrypted flash drive in a parking lot or losing a laptop with unencrypted patient data to theft.3
Software Security Up to Date?
Fourth, pharmacies need to practice being proactive with practical, yet comprehensive, strategies on how to prepare for and monitor potential breaches.1 These often come in the form of audits and authentication steps designed to retrieve data. Pharmacists should always assume that a data compromise is possible and ensure that they have a strong defense in place against cyber attacks.1,4 This includes ensuring that all operating systems, antimalware software, web-filtering, and antivirus software on all servers and endpoint devices are updated with the most recent patches.
Firewalls should be in place at all critical points to stop known attacks, while automated alerts and notifications should be employed to mitigate the effects of actual attacks.1 Encryption should be employed wherever possible to minimize identity theft in a successful attack.4 Creative use of analytic tools to enable more vigorous threat management will also come into play, whether it be additional layers of firewalls and securities within the technologies themselves or simple steps in a workflow process to verify and re-verify accuracy and authenticity.
Excellent guidance for minimizing cyber security threats in our pharmacies is found in EPCS (electronic prescribing of controlled substances) rules. For instance, in order for EPCS to meet the necessary requirements set forth by the regulations, processes such as ID proofing must be established.6 In addition, administrators must assign different role-based access levels for the actual writing and dispensing of these prescriptions, while ensuring that only authorized Drug Enforcement Administration registrants sign the prescriptions.
There is also a strict requirement for two-level authentication, as discussed above, which creates an added level of security. The authentication credentials currently approved for EPCS include: biometrics such as fingerprint readers, one-time password tokens, or smart cards.6 Additionally, controls for prescription writing, auditing, and reporting provide other proactive steps to avoid fraud and optimize security.6
EPCS, unlike the old paper prescriptions, eliminates the opportunity for signature changes. So, not only are we being proactive by having identified a possible breach in a prescription’s security, but we are also helping to minimize addiction and deaths due to prescription drug diversion and abuse. This is a win-win for all of the stakeholders in this process.
Technology tools and solutions have helped to strengthen the care we can now deliver to our patients. We want to minimize data loss and minimize the consequences of any cyber attack without jeopardizing the care we deliver to those in need.
Due to the continued expansion of healthcare and its services, we will continue to manage complex healthcare environments while maintaining the security of the data we collect and store. Hence, healthcare organizations, including pharmacies, need to understand necessary workflows and processes to accomplish core clinical functions and simultaneously support security policies, controls, and oversight mechanisms.
The risk of a healthcare cyber attack is no longer just an IT-specific concern, but rather a long-term business strategy for healthcare, including the retail pharmacy enterprise. Hence, pharmacists must take these threats seriously and implement proactive IT solutions, while providing staff training to support a culture focused on providing excellent healthcare while maintaining data privacy and security.
1. Workgroup for Electronic Data Interchange (WEDI). Perspectives on cyber security in healthcare. June 2015. www.wedi.org/docs/test/cyber-security-primer.pdf?sfvrsn=0. Accessed October 18, 2015.
2. Symantec. Internet Security Threat Report 2015, vol. 20. www4.symantec.com/mktginfo/whitepaper/ISTR/21347932_GA-internet-security-threat-report-volume-20-2015-social_v2.pdf. Accessed October 18, 2015.
3. Filkins B. SANS Institute. New threats drive improved practices: state of cybersecurity in health care organizations. December 2014. www.sans.org/reading-room/whitepapers/analyst/threats-drive-improved-practices-state-cybersecurity-health-care-organizations-35652. Accessed October 18, 2015.
4. Calatayud P. The Surescripts Blog. Cybersecurity: defense is the best offense. http://surescripts.com/news-center/blog/!content/posts/2014/09/08/cybersecurity-defense-is-the-best-offense. Accessed October 18, 2015.
5. Calatayud P. The Surescripts Blog. Five tips for cybersecurity, and why they should matter to healthcare professionals. http://surescripts.com/news-center/blog/!content/posts/2014/10/15/five-tips-for-cybersecurity-and-why-they-should-matter-to-healthcare-professionals. Accessed October 18, 2015.
6. Imprivata. A quick guide to EPCS. What you need to know to implement electronic prescriptions for controlled substances. www.imprivata.com/resources/whitepapers/quick-guide-epcs-what-you-need-know-implement-electronic-prescriptions. Accessed October 18, 2015.
To comment on this article, contact firstname.lastname@example.org.