Rating:

Loading...

Health-System Cyberattacks: The Pharmacist’s Role in Prevention, Mitigation

THE THREAT OF CYBERATTACKS used to be just that— a threat. However, recent ransomware attacks targeting health systems and hospitals, among other institutions, have elevated the threat to a widespread reality. According to cybersecurity experts, pharmacy systems specifically have not yet fallen victim to such attacks, but they are vulnerable, and pharmacists should take steps to help prevent cyberattacks and mitigate their impact.

Dr. Barbara Giacomelli, Pharm.D., M.B.A.

“Pharmacy operations are increasingly reliant on technology and automation, which both raises the risk of an attack and heightens the likelihood that attacks may have an impact on patients’ health,” said ASHP member Barbara Giacomelli, Pharm.D., M.B.A., FASHP, Area Vice President at McKesson Pharmacy Optimization in Vineland, N.J.

Growing Number of Cyberattacks
In some recent ransomware attacks, hackers have prevented healthcare providers and administrators from accessing medical records, said Dr. Giacomelli, who moderated a session on cybersecurity at ASHP’s 2017 Summer Meetings and Exhibition.

In March 2016, MedStar Health, a network of 10 hospitals and 250 outpatient centers located in the Greater Washington, D.C., area, had to turn patients away after ransomware attackers blocked hospital and clinic staff from accessing medical records.

More recently, the “WannaCry” ransomware attack in May 2017 crippled systems in many countries and, most notably, hit the United Kingdom’s National Health Service, leading to cancelled surgeries and unavailable patient records. In the same attack, two medical devices in the Unites States used to monitor the injection of contrast for medical imaging had their displays obscured with a WannaCry ransom message, leading to suspension of their operation for 24 hours.

Dr. Dennison Lim, Pharm.D.

“It doesn’t take a leap of the imagination to see how lack of access to critical patient care systems could be a serious patient safety issue,” said Dennison Lim, Pharm.D., a Medication Management Informaticist at Mayo Clinic in Rochester, Minn. The ransomware attacks have led to a shift in what healthcare cybersecurity has traditionally been concerned with, he explained. “For a long time, cybersecurity was thought of in terms of ensuring HIPAA compliance, but the new focus is on data integrity and intrusion prevention,” said Dr. Lim, who is an ASHP member.

HIPAA compliance remains the minimum standard of cybersecurity, but the ransomware attacks on healthcare organizations have highlighted the potential for patient safety impacts far greater than privacy violations alone.

“Ransomware attacks could play out across multiple systems throughout a healthcare organization and grind normal operations to a halt,” Dr. Lim emphasized.

Pharmacists and Cybersecurity
Since pharmacy has not traditionally been a stakeholder in information security, it can be particularly vulnerable to attacks, Dr. Lim explained. Additionally, pharmacy staff are often not experts in security risk evaluation and mitigation.

“Pharmacy is responsible for understanding the security risk within its systems and should cultivate pharmacy staff expertise in cybersecurity and engage with information technology and security departments, as well as vendors,” he urged. An effective proactive approach incorporates safety measures — including regular security assessments of systems and devices — to help prevent an attack and should also include mitigation strategies to reduce the impact of an attack on pharmacy operations and clinical practice, Dr. Lim added.

Mr. Walter Ray

Cybersecurity expert Walter Ray, Chief Information Security Officer at Augusta University Medical Center, Augusta, Ga., said a mix of reliable technology and effective processes should be used to maintain the security and integrity of the data used in the pharmacy. “You need to look at the entire process through to the administration of a medication to the patient,” said Ray. “Ask questions like ‘What controls are in place to make sure the correct dose is given?’ and ‘How do you make sure medications have been accurately reconciled?’ Every technology component throughout the process should be evaluated for security risks and locked down as much as possible.” He also suggested using a multifactor or two-step verification process for access to more sensitive systems or highly privileged accounts as well as using up-to-date secure encryption algorithms.

Although pharmacists and other healthcare staff can take steps to reduce the risk of an attack, some vulnerabilities are challenging to address completely, Ray explained. “The most frequent point of entry into a health system is by email, through a phishing attack, and it’s very difficult to get people who are task-saturated to take the time and think about whether an email is legitimate or not,” he said, noting that this was one of the entry points through which the May 2017 WannaCry ransomware attackers entered.

Nevertheless, it is important to train employees to avoid clicking on links and attachments from emails they are not expecting and to report suspected phishing emails, Ray noted. “Don’t ignore reports of phishing, as they can be useful in detecting active attacks and limiting the damage,” he added.

Reflecting on the potential for devices such as smart infusion pumps to be hacked, Ray noted that institutions considering a new device or vendor should rigorously evaluate the device’s security and make sure there is a mechanism to hold vendors accountable for correcting security vulnerabilities.

“As an increasing number of devices become connected and automated — and particularly if they’re administering a drug or are in some way regulating physical functioning — we could see additional effects on patients’ physical well-being,” Ray said. “The threat of an attack is something every health system should be thinking about.”

By David Wild

# # #