Your pharmacy is a target for cybercriminals

The recent Optus data breach has thrust cyber security back into the national spotlight, with the impact devastating for both Optus and their customers. Even a few weeks on it is far from over, and the consequences are likely to see Australian laws surrounding data breaches strengthened and fines increased.
Yet whilst the scale of this breach was unprecedented, it was only one amongst many, with breaches since involving MyDeal (Woolworths), Medibank and Costa Group. Further, NAB has reported receiving over 50 million attacks each month!

It is a timely reminder of the serious impact a data breach can have and that all businesses must do better in protecting customer data. Home Affairs Minister Clare O’Neil recently stated the Medibank breach had the potential to result in more serious harm to customers than Optus due to the nature of the health information stolen. This positions pharmacies at the same elevated risk.

Looking at the impacted companies, you would be forgiven for thinking it is a big business problem. The reality is that these are simply the ones that make the news. While many cyber incidents go unreported, various expert bodies estimate that up to 50% of all attacks are against small business. The technology to execute such an attack is freely available, making it quite easy for anyone to be a cybercriminal. In fact, there are well-run businesses making money out of providing cybercrime services, going as far as to offer tools, support, and advice on how best to maximise financial return.

Everyone is at risk. Anyone or any business connected to the internet is a target. There is simply too much money to be made.

What does this all mean for your pharmacy?

Every day we see alerts of pharmacy networks being scanned for vulnerabilities. Thousands of scans are running all day, every day looking for that one little opening to get into your network. And unfortunately, over the last month we have seen successful attacks on pharmacies increase.

If you have not yet invested in cyber security measures to protect your business and patient data, you must do so now. You are being targeted even if you do not realise it!

How do cyber criminals gain access?

The main ways Fred sees a pharmacy fall victim include:

  • Staff clicking on a malicious link or navigating to a malicious website where malware is downloaded in the background, or they are tricked into handing over credentials to various systems
  • Remote access tools and open ports on their modem/router allowing direct access to their network. Often these tools and ports are opened for a specific reason but are not secured or closed. Hackers scan for these every second of the day
  • Outdated software or hardware (IoT devices), or software with a code glitch that allows access to your network, known as zero-day exploits. Again, hackers are scanning for these constantly

What are the possible impacts?

When you fall victim to a cyber attack, the impacts can be devastating financially and reputationally, and can be long lasting. Depending on the type and scale, they can include:

  • Disruption to dispensing or selling at the POS, and in some cases being unable to trade at all, including a recent pharmacy that was down for three business days.
  • Being locked out of all PCs and servers.
  • Data encrypted and a ransom demanded, which we see regularly. In some cases there is a working backup, and other times not.
  • Data stolen with a threat to expose this data publicly. Fortunately, we have not come across this yet.
  • Potential costs for your business of over $100,000

Data Breach

Once data is breached and there is a risk of harm to those impacted, it is mandatory for pharmacies to report the breach to the Office of the Australian Information Commissioner as part of the Notifiable Data Breach Scheme, and to inform all customers whose data was compromised.

These laws (which all pharmacies are subject to) are also being strengthened. Penalties for serious or repeated privacy breaches are now increasing from $2.2 million to $50 million, three times the value of any benefit obtained through the misuse of information, or 30% of a company’s adjusted turnover in the relevant period.

What cyber protection measures should your pharmacy take?

  • Train your staff to be aware of cyber security risks.
    - How to spot phishing emails, malicious websites, and phone scams
    - What to do if they suspect they have fallen victim
    - Resources such as "Have you been hacked?" on Cyber.gov.au contain clear actions for specific scenarios
  • Update your software and IoT devices to the latest versions.
  • Ensure your modem/router ports have secured access, are only opened when necessary, and closed when no longer required – your IT provider can help with this.
  • Ensure all remote access software is secured with complex passwords and multi-factor authentication. Question whether you really need to allow unattended access.
  • Do not use the PC or server that houses your most critical data for checking emails or surfing the internet.
  • Regularly back up all your critical data in three locations, one of which is a secure Australian data centre. Data must be encrypted and easily accessible.
  • Invest in technology that monitors your network and can alert you to a cyber security incident in real time. Much like physical alarms and cameras, if you do not know what is happening on your network you cannot act, and by the time you realise your network is compromised it is too late.

There is no more time to waste. The risk is real, and the consequences are significant. As we have seen with the Optus breach, customers and the Government will not tolerate unprotected private and confidential data.

October 24th, 2022 | Fred news