Having strong pharmacy cybersecurity is critical for every pharmacy owner.
Cyberattacks and ransomware are on the rise, and you can’t afford to lose this battle. If you haven’t audited your IT security protocols lately, do it today! Cyber insurance coverage is essential these days, primarily because of the confidential patient data housed within your database.
What’s The Big Deal About Pharmacy Cybersecurity?
Did you know employees are your most significant cybersecurity risk? About 94% of cyberattacks begin as a ransomware email sent to an employee, where one innocent click on a bad link could take your entire pharmacy down in the blink of an eye. Ransomware and malware are designed to damage computer networks, leaving devastating impacts on day-to-day operations.
According to the FBI, in the first six months of this year, ransomware demands were up 20%, and about 62% since 2020. Cases that requested money saw a 225% increase since the beginning of 2020 and are estimated to cost about $20B in 2021 globally.
Pharmacy Cybersecurity and Insurance Information
During one of my recent Mastermind podcasts, I spoke with Ryan Kusev, a cyber expert who works with Insurica, a one-stop-shop for insurance and risk management needs. He shared some constructive tips and information that I wanted to pass along to you to help you and your pharmacy be prepared and know what to do if you fall victim to ransomware or cyberattack.
A cyberattack attempts to gain illegal access to data or computer systems to cause harm or damage. Cybercriminals are predominantly motivated to extort money from the business, and these attacks are very lucrative. The combination of high rewards and low risk means ransomware is here to stay, at least for the foreseeable future.
Cyberattacks can be extraordinarily costly and come in various forms, whether through malware, ransomware, or other ways.
- Businesses are attacked multiple times per hour.
- Costs can be in the millions and include notifications (HIPAA), investigations, fines, penalties, and business interruptions.
- Cybercriminals earn about $1,000 per medical record.
- HIPAA data is worth double (pharmacies are a target).
- Data breaches, funds transfer fraud, and malware attacks are the most popular types.
- It takes about 200 days to detect a data breach and about 90 days for containment.
Let’s jump into a couple of case study examples to clarify what happens and how cyberattacks occur.
Case Study 1
A medical service provider fell victim to a ransomware attack in which files were encrypted, and 120 workstations and 15 servers were left unusable. This attack stopped operations entirely and hijacked all networked patient and electronic medical records.
The IT vendor wiped the ransomware from the system and rebuilt the network from backups, but could not tell whether personal health information had been viewed or stolen. Because the IT team had removed the ransomware from the system before anyone examined it, it was impossible to analyze the attack.
Legal counsel was hired and requested that the facility notify all 100,000 patients, past and present, which triggered a civil rights investigation, not to mention the cost of about $200k and reputational harm.
Case Study 2
A hospital noticed they couldn’t access their servers or computers, and their monitoring devices and medication dispensers weren’t functioning correctly either. Because the hospital couldn’t view patient records, prescriptions, or doctors’ notes, or monitor patients remotely, they needed to immediately hire an enormous number of staff to monitor patients manually.
A major complication was the hosted centralized electronic health system, which allowed access to all patient records and information exchanges with other health care facilities. Because the malware attack was on the hospital’s own system, the service provider cut off the connection and refused to reconnect until independent forensic consultants declared the network clean and malware-free.
That same afternoon, the hospital was forced to call a “red alert,” which is a notification to all health services in the area about its long wait times and reduced available services. This reduction continued for several months, was detrimental to many relationships, and the costs were exorbitant.
Meanwhile, at $200,000 a day, the hospital connected to a separate cloud network to access their data. Months later, the red alert ceased. The damage was about $2.6 million and included hiring people to replace servers, laptops, computers, printers, scanners, and software licenses.
In this case study, the hospital did have a cyber policy but didn’t have the correct limits to cover all expenses. Luckily though, a good portion of the cost was paid for by the cyber insurance.
In these two examples, only one organization was able to get back up and running relatively quickly. They had backups stored offsite and not wholly tied to the network, because once a network is compromised, attackers can still reach backups that remain connected to it, even if they are stored offsite.
Restoring the system is much easier when you have backups that haven’t been tampered with. Cloud backups are acceptable, provided proper security controls are in place, such as a VPN.
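The point above is that a backup is only useful for recovery if you can prove it has not been altered by the intruder. The following script is an added example, not code from this post or from Insurica: it records a SHA-256 fingerprint of every file in a backup set into a manifest, then checks the backup against that manifest before a restore and reports modified, missing, and unexpected files. The directory layout and file contents are constructed sample data; in practice the manifest should be kept offline, separate from the backup it describes, so an attacker who reaches the backup cannot also rewrite the fingerprints.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large database dumps don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    return {
        path.relative_to(root).as_posix(): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the backup on disk with a previously stored manifest.

    Returns three sorted lists: files whose content changed, files that
    disappeared, and files that were not present when the manifest was made.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def is_clean(report: dict) -> bool:
    """True only when the backup matches the manifest exactly; safe to restore."""
    return not any(report.values())


def demo() -> tuple:
    """Build a constructed backup, record its manifest, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "db").mkdir(parents=True)
        # Constructed sample files standing in for a pharmacy database dump and config.
        (backup / "db" / "patients.sql").write_bytes(b"-- constructed sample dump\n")
        (backup / "config.ini").write_bytes(b"[pharmacy]\nsite=01\n")

        manifest = build_manifest(backup)
        # The manifest would normally be written to offline storage; JSON keeps it portable.
        manifest_json = json.dumps(manifest, indent=2, sort_keys=True)
        clean_report = verify_manifest(backup, json.loads(manifest_json))

        # Simulate what an intruder with access to the backup location might leave behind.
        (backup / "db" / "patients.sql").write_bytes(b"-- altered after the manifest was taken\n")
        (backup / "config.ini").unlink()
        (backup / "ransom_note.txt").write_bytes(b"constructed marker file\n")
        tampered_report = verify_manifest(backup, json.loads(manifest_json))

    return clean_report, tampered_report


if __name__ == "__main__":
    before, after = demo()
    print("untouched backup clean:", is_clean(before))
    print("tampered backup report:", after)
```

Run the manifest step right after each backup completes and the verify step immediately before any restore; a report that is not clean means the copy should be treated as suspect and the forensic team informed before it is used.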
When you get pharmacy cybersecurity insurance, the insurer should have processes to audit your systems and train your employees. Training your employees is one of the most critical pieces. Every employee needs initial general and security training and then periodic refreshers.
Your typical business policy covers brick and mortar, not electronic data. When general policies do cover pharmacy cybersecurity, they usually have small limits. About 90% of the time, those who offer coverage will exclude HIPAA claims from their coverage liabilities. Most general business policies now completely exclude cybersecurity coverage. Having a specific cybersecurity policy helps fill in the gaps because it will pay for replacing what other policies don’t cover, like hardware, software, devices, and data, which are the essential parts.
Anytime you have a data breach that includes patient data, you can expect to pay significant fines. You hold patient health data, which carries the potential for more damage to the consumer and therefore carries larger penalties when a breach happens. Having a cybersecurity policy can help reduce fines because you’re minimizing your risk upfront. That’s why it’s crucial to allow the cyber team to take a deep dive and determine the weak areas of your pharmacy.
A cyber insurance policy allows for a coordinated response to a cyberattack, can help preserve critical evidence, and is a cost-effective way to prevent and respond to cyber events.
Most cyber policies come with proactive risk management tools like social-engineering awareness and employee training, helping reduce cyberattacks. These resources come with dark web monitoring, which scans the dark web for signs of compromised data. Once the cyber team finishes their deep dive into your system, they will help you set everything up and make additional improvements to help prevent attacks.
Limits and protection policies can include coverage for forensic specialists, a PR firm, legal counsel, ransomware extortion demands, personal funds, business interruption, and funds transfer fraud. The outstanding cyber policies will give you access to most of these with no deductible to the insured. Make sure your policy covers legal fees, notification costs, investigation costs, fines and penalties, and any other costs, so you don’t pay them out of pocket.
Choose What’s Best For You
Cyber insurance helps you respond to a cyberattack and get your pharmacy back up and running, with minimal disruption and financial impact. Pharmacy owners should have as many IT tools as possible to help support and secure company data, like a cyber policy.
Take the time to look into your current business policy and see if you are adequately covered. For some expert advice, I do recommend reaching out to the team at Insurica. They have a ton of experience with cybersecurity for healthcare professionals.