Cyber intrusions continue to plague health care organizations and the impact has been heightened during the COVID-19 pandemic as resources and personnel are stretched thin and cyber attackers take advantage of increased vulnerabilities. As we move through the pandemic, we expect the rate and severity of cyber intrusions to rise. Approximately one in seven ransomware attacks occur in the health care setting and the shift to remote work has afforded additional opportunities for attacks. Pharmacy systems rely heavily on networks, software and electronic processes and therefore have wide exposure to threats.
Here are five steps that pharmacy leaders can now to prepare and protect against cyber intrusions as well as to limit the impact when they occur.
Raise awareness—The simple act of being aware that your pharmacy system is vulnerable to cyber intrusions is a step in the right direction toward preparing your pharmacy response. Keep abreast of the latest information, trends and risks and educate leaders in your organization. Consider reviewing general and pharmacy-specific information from industry publications and websites and keep connected with your pharmacy peers and professional organizations. Connect with your health system’s chief information security officer to understand and address common vulnerabilities.
Build in redundancies—All systems have the risk of failure, either innately or due to external interference and pharmacy systems are no different. Set yourself up for success by building in redundancies for system failures. How would you respond if you lost access to your network? Do you have a backup system if you are unable to print labels? Anticipating failures and having strategies for a “plan B” can go a long way when preparing for an intrusion.
Understand current workflows—Related to redundancies is a clear understanding of all the workflows in your pharmacy and how a significant downtime could impact those processes. Consider the life of a medication order and all the systems and processes that are touched from the beginning to end of this process, including clinical monitoring. As pharmacy services have evolved to include a larger emphasis on ambulatory care, ensure your downtime and backup processes have kept pace.
Get a seat at the planning and recovery table—It is vital that pharmacy has a seat at the table when health system discussions of cyber preparedness and recovery occur. Pharmacy services are vital to patient care services. Exclusion from planning discussions relegates this business unit to post-event planning which is not ideal and likely to induce planning omissions. Pharmacy leaders can leverage established relationships and facilitate new partnerships to garner support for pharmacy involvement in planning. A solid knowledge base of the current situation and climate surrounding cyber preparedness and response will support and facilitate inclusion in these discussions.
Leverage workers with paper systems knowledge—With extended downtime related to cyber intrusion, a transition to a paper system (at least partial) is likely inevitable. The average electronic health record downtime as a result of cyber intrusion has consistently increased in recent years to more than 20 days in the last quarter of 2020. Many clinicians trained in the last decade are not familiar with traditional paper systems (e.g. paper orders, pharmacy compounding recipes, medication administration records, nursing flow sheets, etc.). Be prepared to leverage clinicians familiar with paper systems to lead others in the use of these platforms.
As the risk and threat of cyber attacks in the health care setting continues to escalate, organizations should consider taking steps to prevent intrusion and plan for mitigation if an event occurs.
Hospitals interested in strengthening their cyber preparedness may download Vizient’s Pharmacy Cyber Intrusion Preparedness Toolkit. Additional information from Vizient about pharmacy disaster planning is available online, and information about protecting your hospital from ransomware is available on the Vizient blog. Vizient’s pharmacy consultants are also available to assist you with an assessment and gap analysis, downtime preparedness planning, and remediation/recovery strategies. Reach out to us to learn more.
About the authors:
Gretchen Brummel, PharmD, BCPS is a pharmacy executive director at Vizient and provides support to the Center for Pharmacy Practice Excellence team bringing more than 25 years of experience in health care. Gretchen’s areas of expertise include clinical pharmacy services, pediatric pharmacotherapy, medication quality and safety, disaster preparedness and response, medication cost avoidance strategies, drug shortage and formulary management, medication use policy, clinical research and pharmacy informatics with a focus on pediatrics.
Randy Gerwitz, RPh, is a pharmacy executive director with the consulting division of Vizient’s pharmacy solutions. Randy brings more than 31 years of health care industry experience in the areas of regulatory compliance, formulary management, automation, 340B, investigational drug services, diversion detection, clinical services, disaster recovery and new service development.