In January, England’s biggest NHS trust had a major problem. But the crisis facing bosses at Barts Health NHS Trust in London had nothing to do with winter pressures, overstretched A&E services or chronic underfunding.
Instead, staff arrived at work to find their entire IT system had been crippled by a cyber attack – an online assault by criminal hackers using a computer virus to try and copy, steal or block access to confidential data.
The trust was forced to shut down large sections of its system for four days, while support specialists tried to iron out the glitches. The offending virus was identified as 'Trojan malware' – a type of cyber weapon that tricks the user into installing the malicious software, which crooks can then use to copy or even alter sensitive data.
IT experts at the trust said they had never come across the virus in question. But they insisted no confidential medical records had been accessed.
NHS organisations under attack
Nevertheless, it was a chilling reminder that no one is safe in the battle against cyber crime, and that online criminals are just as likely to attack NHS organisations as corporate giants. Last October, Northern Lincolnshire and Goole NHS Foundation Trust had to cancel nearly 3,000 appointments and shut down its systems for several days after an attack involving 'ransomware' – where attackers ‘freeze’ data until the victim pays a ransom, usually via the digital currency Bitcoin.
But what do these stories have to do with community pharmacy? Many pharmacies are small, local businesses employing a handful of people and with relatively limited amounts of data to steal. Cyber criminals are unlikely to be interested in them as targets, right?
Wrong. A survey by professional services company Accenture UK, published on April 25, found that one in eight consumers in England have had their personal medical information stolen – with pharmacies most at risk.
This isn't a new problem. A 2014 report by the Pharmacy Board of Australia found that at least 10 pharmacists across the country had been targeted by hackers in the space of just 18 months, in a mini-epidemic of what officials described as ‘financial terrorism’. Criminals had used ransomware to plant viruses on pharmacy IT systems, which then encrypted all the data so that it became completely inaccessible.
All victims were ordered to pay large ransoms in order to regain access to their systems. Some refused and restored data using old back-ups, but it’s not clear how many actually paid up. There was a similar spate of ransomware attacks on German pharmacies last year, as hackers attempted to cash in on the move towards digital records.
Jonathan Lee, healthcare sector manager for digital security provider Sophos UK, says it would be a huge mistake for any pharmacy to think they are safe. "Organisations of all sizes are suffering from cyber attacks, so community pharmacies are just as at risk as any other organisation," he warns.
“We receive and analyse 400,000 previously unseen [types of cyber menace] each day, so the threat is significant. And [pharmacists] should understand that confidential patient data is potentially at risk if best practice is not followed and adequate protection is not put in place.”
The risks of ransomware
Take ransomware, for example. "The producers of ransomware aren’t just idly waiting for their bit of malware to hit its target," says Mr Lee. "They work in professional teams, constantly updating and enhancing new variants of ransomware – and if you’re caught, the consequences can be severe."
Mr Lee says crooks have had great success with ransomware, as it hijacks files and ‘locks them up’ using unbreakable encryption. “So if you don’t have preventative measures in place and get hit with ransomware, one way or another you will end up paying the price.
“This will either be through loss of data, or loss of being able to function properly whilst you restore [data] from back-ups.”
General Pharmaceutical Council (GPhC) guidance from 2015 says pharmacists are responsible for ensuring their patient data is protected. Crucially, this includes keeping their staff skills up to date to reduce the risk of cyber crime.
“You should consider extra training in information security management – how patient data is protected and cyber security,” the regulator states in the guidance. “You must make sure your IT equipment meets the latest security specifications and the security of data is protected when it is in transit – by either wired or wireless networks – inside your business and outside it.”
Sibby Buckle, Royal Pharmaceutical Society English board member and chair of the Pharmacy Digital Forum UK, says: “Pharmacists do realise the importance of protecting patient data. We all sign the Data Protection Act and, whether it’s paper or digital, it’s a sackable offence to breach confidentiality.”
She urges pharmacists to be more guarded in their use of NHS smart cards. “My advice is never share them – not even with staff. They are personal and are not meant for everybody in the pharmacy to use.”
“It’s also crucial to frequently change passwords – at least monthly – and avoid reusing ones you’ve had before, at least within the last year or so.”
National Pharmacy Association chief pharmacist Leyla Hannbeck says small independents should prioritise cyber security as much as the larger chains. “They should assume they will be attacked, rather than they might be attacked,” she warns, “especially as community pharmacists become more attached to the whole NHS digital system.”
Plan for all eventualities
Asda superintendent pharmacist Faisal Tuddy says pharmacies are required to plan for “all eventualities” when it comes to their IT systems.
“The one on most people’s minds is problems with electronic prescribing systems (EPS) and what they would need to do if that goes down. But I would think most pharmacies do have a contingency plan in place to deal with it.”
Some help is at hand for pharmacists wondering where to start when it comes to tightening up online security. Last year, the government launched a new service – called CareCERT – to provide expert advice on cyber security to all NHS bodies, pharmacies included. Run by specialists at NHS Digital, its objective is to bolster "cyber resilience" across healthcare.
It offers NHS bodies three steps to security – an assessment of the risks, access to experts in the event of an attack, and an e-learning service on data security.
Mr Lee says the starting point for any pharmacy is to first identify the risks, understand where its IT system is most vulnerable, and then work out the full impact of a cyber attack.
Next, ensure any cyber defences already in place are fully deployed. "Too often organisations invest in cyber security solutions, but fail to deploy them fully – significantly reducing their effectiveness and increasing the likelihood of a successful, but preventable, breach."
Every pharmacy should also have an incident response plan, setting out how it will cope in the event of an attack. Crucially, you must test it regularly.
It’s also important, says Mr Lee, for pharmacies to identify the most sensitive information in their system – whatever would cause the business to suffer most if it were stolen or unlawfully accessed – and put in place “suitable data security procedures” to ensure it stays safe.
He adds: “Too many cyber breaches are caused by the inadvertent actions of users. It is vitally important users...understand their individual cyber security responsibilities, [are] aware of the consequences of negligent or malicious actions, and work with other stakeholders to identify ways to [operate] in a safe and secure manner.”