By Justin Sotomayor, pharmacy informatics director, CompleteRx
Golden Eye/Petya, the latest ransomware attack devastating businesses from shipping companies to banks and even drug manufacturers across the U.K., has brought to the fore the seriousness of cybersecurity and why it is an issue hospitals cannot afford to ignore. In May 2017, the WannaCry ransomware attack crippled nearly a quarter of the hospitals in the U.K. and infected 200,000 computers across 150 countries, providing another stark example of what could happen here in the U.S.
For those still learning about this new threat, ransomware is a type of malicious software that restricts access to a person’s or organization’s data through encryption. The hacker will demand a ransom be paid, usually via Bitcoin (a relatively untraceable digital currency), to regain access to the data. For a hospital, a ransomware attack could essentially shut down everything that the healthcare providers use to treat patients, including the pharmacy itself.
The most recent incident is by no means the first attack of its kind; this tactic has been spreading, which should serve as a reminder to hospitals across the country to take stock of their cybersecurity protocols. These attacks are no longer a distant threat, and hospitals must be prepared and have a plan in place to protect themselves, their staff, and their patients.
At a minimum, these three cybersecurity best practices should be followed to protect hospital facilities and patients being treated there.
Technology advancements, the shift to EHRs, and the push by many organizations to go paperless have improved quality, safety, and efficiency at many hospitals. However, this move has left hospitals more prone to cyberattacks, which is why organizations must perform regular backups, daily and preferably off-site, as well as store data in multiple locations, both online and in hard copy formats.
As hackers constantly evolve and update their techniques, organizations must also stay abreast of security trends, best practice industry protocols, and software updates. Regularly updating employees on potential risks, including awareness of phishing emails, is one of the most important defenses an organization can implement to protect itself. Training staff to identify suspicious emails or spam and avoid clicking on links or attachments from unknown senders will help bolster an organization’s digital security and form part of the continuous quality control measures that all email users need to follow. Cybersecurity is not just the responsibility of the IT department or the CEO; every staff member has an obligation to be vigilant when it comes to preventing a ransomware attack.
Disaster protocols must be developed to ensure patient care can continue without impact in the event an attack occurs. As part of these protocols, it is critical that staff can access data in hard copy, which is why the regular backup of information in multiple formats is vital. Another tactic is having blank order forms for physician ordering. Pharmacists may need to use a typewriter or handwrite medication labels. As with all protocols, a regular review process should be conducted to be sure the disaster protocols remain relevant and that a workable plan is in place to ensure patient care isn’t interrupted.
As technology advances, so, too, will the opportunity for hackers to find various new ways of breaking into operating systems. Hospitals and staff must remain just as vigilant by prioritizing preventative solutions, rather than reactively responding after an attack has already occurred.
About The Author
Justin Sotomayor, PharmD, serves as pharmacy informatics director at CompleteRx. In his role, Justin works with hospital and health executives across the country to upgrade their information systems, while mitigating the rise in security threats.