Cyber security is an increasingly vital consideration for any business, but the impending implementation of GDPR should place it at the top of the agenda, says Matthew Chapman.
The EU is introducing the General Data Protection Regulation (GDPR) in May. This will place new obligations on every business that handles the data of individuals living in the EU and should make small businesses pause for thought as to how they approach their cyber security.
Independent pharmacies are no different and, if anything, the sensitive nature of the medical data they hold makes any potential security breach even more damaging.
Under the GDPR, breaches in data security must be reported to the Information Commissioner’s Office (ICO) within 24 hours if possible, or at least within 72 hours.
The likelihood of a pharmacy being a victim of cyber crime is currently extremely high. Research produced by the Federation of Small Businesses in 2016 found that two-thirds (66%) of small businesses have been a victim of cyber crime.
Fortunately, there are many measures pharmacists can take to bolster cyber security, if they have not done so already. These range from simple measures, such as ensuring passwords are strong, to the more complex, including the introduction of encryption technology.
The most common breaches of cyber security within small firms are phishing scams. These are email scams aimed at obtaining personal and financial information from the recipient.
The UK’s National Cyber Security Centre (NCSC) outlines some quick and easy steps for businesses to follow to significantly reduce the chance of falling victim to cyber crime. When it comes to phishing attacks, the NCSC recommends businesses check their digital footprint. This is because phishing attacks are, in effect, confidence tricks.
Attackers use publicly available information about organisations and staff to make their phishing messages more convincing. This information is often taken from the company’s website and social media accounts. All staff should be made aware of how hackers can use social engineering to steal information.
The NCSC also recommends the principle of ‘least privilege’, which means staff are given the lowest level of user rights they need to perform their jobs. This way, if they do fall victim to a phishing attack, the potential damage is seriously reduced.
Update and upgrade
Another major threat to cyber security is malicious software, more commonly known as malware. One of the best known examples of malware is WannaCry, which was behind the biggest cyber-attack to have hit the NHS to date. WannaCry would have been prevented if the NHS trusts had updated their software, a process known as patching.
Patching is vital because software providers often provide updates when it is discovered that weaknesses in old software have been exploited by hackers. Therefore, pharmacists should immediately update their software when given the option.
Another obvious but effective way of guarding against malware is through the installation of antivirus software, which can often be found for free with some operating systems.
WannaCry was also an example of ransomware, which is malware that threatens to publish or block access to data unless a ransom is paid. One way to guard against such ransom demands is through encryption, which means data is scrambled and unreadable, and through backing up data.
When backing up data to avoid potential blackmail by attackers, it is important that the backup is kept separate from the original computer. This can be done using a USB stick, a separate drive or cloud computing, and prevents the hacker from also compromising the backed-up data. The NCSC recommends using an encryption product such as BitLocker for Windows and FileVault for macOS for all office equipment.
Most modern devices already have encryption built in, but it may still need to be turned on and configured. However, encryption is pointless if the hacker is able to access the data through the use of a password.
It should perhaps go without saying, but it is important to make sure any passwords are hard to crack. For instance, any default passwords should be immediately changed, and when picking a password do not choose something that is easy to guess.
To bolster security further, ‘two-factor’ authentication, which could involve a second security code being sent to a smartphone, should be turned on too.
These are just some, and by no means all, of the steps pharmacies should take to ensure their cyber security is up to scratch. Cyber security cannot be taken seriously enough.