ASHP InterSections

February 23, 2018

Health-System Cyberattacks: The Pharmacist’s Role in Prevention, Mitigation

THE THREAT OF CYBERATTACKS used to be just that — a threat. However, recent ransomware attacks targeting health systems and hospitals, among other institutions, have elevated the threat to a widespread reality. According to cybersecurity experts, pharmacy systems specifically have not yet fallen victim to such attacks, but they are vulnerable, and pharmacists should take steps to help prevent cyberattacks and mitigate their impact.

Dr. Barbara Giacomelli, Pharm.D., M.B.A.

“Pharmacy operations are increasingly reliant on technology and automation, which both raises the risk of an attack and heightens the likelihood that attacks may have an impact on patients’ health,” said ASHP member Barbara Giacomelli, Pharm.D., M.B.A., FASHP, Area Vice President at McKesson Pharmacy Optimization in Vineland, N.J.

Growing Number of Cyberattacks
In some recent ransomware attacks, hackers have prevented healthcare providers and administrators from accessing medical records, said Dr. Giacomelli, who moderated a session on cybersecurity at ASHP’s 2017 Summer Meetings and Exhibition.

In March 2016, MedStar Health, a network of 10 hospitals and 250 outpatient centers located in the Greater Washington, D.C., area, had to turn patients away after ransomware attackers blocked hospital and clinic staff from accessing medical records.

More recently, the “WannaCry” ransomware attack in May 2017 crippled systems in many countries and, most notably, hit the United Kingdom’s National Health Service, leading to cancelled surgeries and unavailable patient records. In the same attack, two medical devices in the United States used to monitor the injection of contrast for medical imaging had their displays obscured with a WannaCry ransom message, leading to suspension of their operation for 24 hours.

Dr. Dennison Lim, Pharm.D.

“It doesn’t take a leap of the imagination to see how lack of access to critical patient care systems could be a serious patient safety issue,” said Dennison Lim, Pharm.D., a Medication Management Informaticist at Mayo Clinic in Rochester, Minn. The ransomware attacks have led to a shift in what healthcare cybersecurity has traditionally been concerned with, he explained. “For a long time, cybersecurity was thought of in terms of ensuring HIPAA compliance, but the new focus is on data integrity and intrusion prevention,” said Dr. Lim, who is an ASHP member.

HIPAA compliance remains the minimum standard of cybersecurity, but the ransomware attacks on healthcare organizations have highlighted the potential for patient safety impacts far greater than privacy violations alone.

“Ransomware attacks could play out across multiple systems throughout a healthcare organization and grind normal operations to a halt,” Dr. Lim emphasized.

Pharmacists and Cybersecurity
Since pharmacy has not traditionally been a stakeholder in information security, it can be particularly vulnerable to attacks, Dr. Lim explained. Additionally, pharmacy staff are often not experts in security risk evaluation and mitigation.

“Pharmacy is responsible for understanding the security risk within its systems and should cultivate pharmacy staff expertise in cybersecurity and engage with information technology and security departments, as well as vendors,” he urged. An effective proactive approach incorporates safety measures — including regular security assessments of systems and devices — to help prevent an attack and should also include mitigation strategies to reduce the impact of an attack on pharmacy operations and clinical practice, Dr. Lim added.

Mr. Walter Ray

Cybersecurity expert Walter Ray, Chief Information Security Officer at Augusta University Medical Center, Augusta, Ga., said a mix of reliable technology and effective processes should be used to maintain the security and integrity of the data used in the pharmacy. “You need to look at the entire process through to the administration of a medication to the patient,” said Ray. “Ask questions like ‘What controls are in place to make sure the correct dose is given?’ and ‘How do you make sure medications have been accurately reconciled?’ Every technology component throughout the process should be evaluated for security risks and locked down as much as possible.” He also suggested using a multifactor or two-step verification process for access to more sensitive systems or highly privileged accounts as well as using up-to-date secure encryption algorithms.

Although pharmacists and other healthcare staff can take steps to reduce the risk of an attack, some vulnerabilities are challenging to address completely, Ray explained. “The most frequent point of entry into a health system is by email, through a phishing attack, and it’s very difficult to get people who are task-saturated to take the time and think about whether an email is legitimate or not,” he said, noting that this was one of the entry points through which the May 2017 WannaCry ransomware attackers entered.

Nevertheless, it is important to train employees to avoid clicking on links and attachments from emails they are not expecting and to report suspected phishing emails, Ray noted. “Don’t ignore reports of phishing, as they can be useful in detecting active attacks and limiting the damage,” he added.

Reflecting on the potential for devices such as smart infusion pumps to be hacked, Ray noted that institutions considering a new device or vendor should rigorously evaluate the device’s security and make sure there is a mechanism to hold vendors accountable for correcting security vulnerabilities.

“As an increasing number of devices become connected and automated — and particularly if they’re administering a drug or are in some way regulating physical functioning — we could see additional effects on patients’ physical well-being,” Ray said. “The threat of an attack is something every health system should be thinking about.”

 

By David Wild

# # #

February 15, 2018

AJHP’s Top 25 Articles Address Critical Practice Issues

Paul W. Abramowitz, Pharm.D., Sc.D. (Hon.), FASHP

WITH A CIRCULATION OF 45,000, ASHP’s peer-reviewed scientific journal, AJHP, is the most widely recognized and respected pharmacy journal in the world. As part of our year-end review in late 2017, the editors of AJHP assembled a list of the Top 25 most frequently accessed articles on www.ajhp.org. What they found was compelling: The articles read most by you and your colleagues address some of the most critical issues facing the profession and healthcare at large. This connection is no accident. From its early days as The Bulletin to its current iteration, AJHP has sought to provide pharmacists with the latest, most relevant practice information available.

AJHP has undergone a comprehensive transformation in recent years in both design and content, including a new approach to cutting-edge clinical topics and an enhanced digital experience. These changes represent a continuation of the journal’s vital role in equipping pharmacists to guide medication-use and healthcare delivery at the patient, population, and policy levels.

A look at the most-accessed content clearly illustrates this principle. The Top 25 list includes articles that predict future directions for practice, offer guidance for strategic planning, and examine the challenges faced by women seeking greater leadership opportunities. Also featured are discussions about the training needs of pharmacy technicians, guidelines on preventing diversion of controlled substances, and approaches for caring for diverse patient populations. The Top 25 list also contains several articles that address important clinical practice issues related to the care of the critically ill as well as patients with cancer, diabetes, infectious diseases, pulmonary hypertension, and thrombotic disorders. This collection of most frequently accessed AJHP content addresses pressing issues for our patients, for our profession, and for our times.

AJHP’s mission to advance science, pharmacy practice, and health outcomes can be realized only when pharmacists take what they’ve learned and apply those findings in their practices. The Top 25 articles, and all of AJHP’s content, can be used to:

  1. Advance ASHP members’ approaches to patient care.
  2. Support pharmacists’ and pharmacy technicians’ professional development activities and approaches to delivering patient care.
  3. Inform proposals for educational offerings at ASHP’s meetings as well as state affiliate-based educational programs.
  4. Supplement educational initiatives with students and residents in the classroom, at the bedside, and through journal clubs and seminars.
  5. Prepare for policy discussions with legislators and other policymakers at the local, state, and federal levels.

I encourage you to take some time to read or revisit the findings in these valuable articles and consider how you can use AJHP to impact patient care at your organization. The full list of the Top 25 most-accessed articles is available as a collection on www.ajhp.org.

Thank you for all that you do on behalf of your patients, and for being a member of ASHP.

Paul
