The importance of cybersecurity in the pharmacy environment
Community pharmacies in Ireland are essential pillars of the healthcare system, providing critical services to local communities. Pharmacies handle a wealth of sensitive data, including prescription information, patient records, financial transactions and personal information, which can be valuable to criminal organisations and hackers. Any cyber-attack may result in loss of trust, loss of revenue, negative media coverage, and brand damage. Above all, it could result in a breach of our patients’ information.
Cyber-crime is on the increase globally and there is a growing risk of cybersecurity threats that can compromise sensitive patient data and disrupt operations. As such, implementing robust cybersecurity measures is not just an option, but a necessity for community pharmacies in Ireland.
This article explores the importance of cybersecurity in Irish community pharmacies and offers insights into effective implementation strategies.
There are several threat vectors that all types of businesses are exposed to, and they can be split into two:
Human error is the biggest threat to cybersecurity. Social engineering attacks rely on exploiting human trust, rather than technical exploits. Social engineering attackers have one of two goals:
1. Disrupting or corrupting data to cause harm or inconvenience; or
2. Obtaining valuables like information, access, or money.
Malware is software intentionally designed to cause disruption to a computer or a service. Ransomware is a type of malware that threatens to publish or block access to data unless a ransom is paid.
Both are typically delivered by email, which transmits viruses via attachments or a link that the recipient is misled into opening.
USB keys also spread viruses. If one is left on the counter, the instinct is to plug it in to identify the owner — which is a big mistake! Cybercriminals use these tactics to spread their viruses or attacks.
Cybercriminals also use different techniques to get around one-time passwords and digital tokens to get access to information.
Insider threats
If you have people in your organisation, you have an insider. This does not mean individuals are acting deliberately, or recklessly, but accidents happen, and bad habits can seep into practice. By simply browsing the internet, users can unknowingly end up on malicious websites.
Email compromise could result in an unwitting staff member clicking on a malicious link or being re-directed to a malicious site. The end result could be malware infection, a ransomware attack, or a payment scam.
Cyber-attacks can exploit systems, computers and devices where security updates and patches (to fix problems in software) have not been applied.
The Big One
One of the most serious vulnerabilities in pharmacies is the use of outdated operating systems (such as Windows 7) and unpatched systems and applications. Security vulnerabilities in unpatched systems may allow an attacker to gain access to your system without you even knowing about it.
Unmanaged devices
This could be a mobile phone or other mobile device. These days we all use IoT (internet of things) devices, such as a fridge monitoring service, blood pressure monitoring devices or continuous blood glucose monitors; how are these being managed? Staff members’ personal devices should be considered unmanaged devices.
Other vulnerabilities
Allowing the use of personal devices on the same network as your critical systems may result in a malware attack on your systems or exfiltration of sensitive patient data, resulting in a serious data breach.
It is possible that secondary systems such as CCTV or till systems could be compromised if they are not properly maintained or patched with the latest security patches. This could allow a malicious user to gain access to your network environment. Attackers could use a secondary system as a back door to launch attacks on other critical systems in your network.
Personal devices and IoT devices should only be used on pharmacy networks where it is absolutely essential to do so. Personal devices such as phones and laptops could be compromised without the owner knowing it, and this could result in the propagation of malware onto the pharmacy network.
To protect your patient data and maintain operational continuity, community pharmacies must adhere to a comprehensive cybersecurity framework.
Avoid sharing user accounts (where possible). Sharing accounts could leave you unable to monitor individuals’ activity on critical systems in the event of a cybersecurity incident. Always remember to disable user accounts when they are no longer required.
Weak passwords make accounts vulnerable and are commonly and easily exploited by hackers. Passwords should be changed regularly and never shared between users. If you suspect that your password has been compromised, you should change it as soon as possible. Never write passwords or usernames down.
Pharmacy staff must be educated about cybersecurity best practices. Regular training sessions can help employees recognise phishing attempts, secure their devices, and follow data handling protocols. Staff awareness is a crucial line of defence against cyber threats. There should be a good communications channel for staff in the pharmacy to report suspected cyber weaknesses and not be afraid to speak up if they suspect something is not quite right.
All critical data and systems should be backed up in case they need to be recovered. Backups should be encrypted and not kept on the same device as the system or data being backed up. Backups should be tested regularly for preparedness and effectiveness.
It is not recommended that pharmacy staff have access to personal email or webmail (Gmail etc.) on pharmacy computers. Remember, sometimes it is not the system that is targeted, it is the human.
Ideally USB devices should not be used to store or transport information. It is very easy to mislay or lose a USB device. In the event that USB or portable devices are absolutely necessary, the USB or portable device should be encrypted with the latest encryption technologies.
Never connect or plug an untrusted device into your network. If you find a USB device, or someone has left one behind in the pharmacy, never plug it into your computer. It may have been left there deliberately and could contain viruses.
Location of devices is an important part of cybersecurity that is sometimes overlooked. It is important to keep any onsite servers in a secure area away from the public. Monitors should not be visible to members of the public. Never leave a laptop or other portable device unlocked in a public area or a consultation room when you are not there.
Develop a comprehensive incident response plan that outlines the steps to take in the event of a cybersecurity breach. This plan should include procedures for reporting the breach, containing the incident, notifying affected parties, and cooperating with relevant authorities if necessary.
Cybersecurity in Irish community pharmacies is not merely about protecting data; it’s about safeguarding patient health, maintaining trust, and adhering to legal obligations. The ever-evolving threat landscape necessitates proactive cybersecurity measures, and pharmacies must continually adapt and enhance their security practices. By conducting risk assessments, educating employees, securing networks, and following best practices, community pharmacies in Ireland can establish strong defences against cyber threats. Cybersecurity is an ongoing process that requires commitment and vigilance, ensuring that pharmacies can navigate the complexities of an interconnected healthcare ecosystem while safeguarding patient wellbeing.
We will be going into more detail over the next few months. In the meantime, for more information, go to ipu.ie/it-information-security and bhconsulting.ie/cybersecurity.
Brendan Mooney