Your pharmacy data is secure, right? Including all your patients' protected health information (PHI) and credit card information?
Did your stomach just tighten and your heart start to beat against your chest because you just realized you can’t remember the last time you updated your antivirus? Let’s face it. We can put up all the protection that we have available to us, but hackers are constantly working to break down the security that’s been put in place. This is why you, as health providers and keepers of sensitive information, must be vigilant in your security.
Check out all the ways you could (and should) improve your pharmacy's data security.
Is your password “firstnamelastname1?” This is not a secure password, even if your name is difficult to spell. Neither are “password1” or “01234.” With passwords like these you might as well not have passwords at all.
I’m sure you’ve seen the meter when setting an online password, letting you know the strength of your password. What about the requirements that you have at least one capital letter, number and special character? You should follow these password rules always, even if it’s not required for your program. After all, this could be the last line of defense between a potential hacker and all your pharmacy’s sensitive information.
Some other password rules to remember are:
- Passwords should expire every 90 days, forcing you and employees to change them.
- Staff should always log out of or lock their computer, to prevent others from accessing information while they’re not looking.
- Computers should automatically log out after a few minutes of inactivity in case a staff member forgets to lock their computer or log out.
- You should never write a password down to help you remember it.
- Don’t ever share your password. You are liable for what happens while you’re logged into the computer.
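The weak patterns the post names (a name with a digit tacked on, “password1”, a run of consecutive digits) and the complexity rules it recommends can be turned into a concrete check. The following is an added example, not code from the original post: a small Python policy checker that reports every rule a candidate password breaks. The minimum length of 12, the small `COMMON_WEAK` list and the `check_password` function name are assumptions for illustration; a real deployment would compare against a large breached-password list.

```python
import string

# Constructed sample list of weak passwords (assumption); a real deployment
# would load a much larger breached-password list instead.
COMMON_WEAK = {"password", "password1", "01234", "12345", "123456", "qwerty"}


def is_sequential_digits(pw: str) -> bool:
    """True for all-digit runs that count up or down by one, like 01234 or 98765."""
    if len(pw) < 4 or not pw.isdigit():
        return False
    steps = {int(b) - int(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def check_password(pw: str, first_name: str = "", last_name: str = "",
                   min_length: int = 12) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    lowered = pw.lower()

    # Complexity rules from the post: length, upper case, digit, special character.
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")

    # Strip trailing digits/punctuation before the weak-list lookup so that
    # "password1!" is still recognised as "password".
    core = lowered.rstrip(string.digits + string.punctuation)
    if lowered in COMMON_WEAK or core in COMMON_WEAK:
        problems.append("matches a common weak password")

    if is_sequential_digits(pw):
        problems.append("sequential digits")

    # The post's "firstnamelastname1" case: reject anything containing the user's name.
    for name in (first_name, last_name):
        if name and name.lower() in lowered:
            problems.append(f"contains the user's name ({name})")

    return problems


if __name__ == "__main__":
    for candidate in ("firstnamelastname1", "password1", "01234", "Rx-Counter!Lock2024"):
        result = check_password(candidate, first_name="Firstname", last_name="Lastname")
        print(f"{candidate!r}: {'OK' if not result else ', '.join(result)}")
```

Running the block prints one line per candidate; the three passwords the post calls out each fail several rules, while the last one passes. The check is meant to run where passwords are set (an onboarding script, a reset form), not as a substitute for the 90-day expiry and screen-lock settings above, which are enforced by the operating system or the pharmacy software rather than by code like this.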
A note card box, Post-it note, or even a note within your pharmacy software are not secure ways to store credit card information. As a matter of fact, storing credit card information this way directly violates PCI compliance.
Any credit card information kept in your pharmacy software or POS software must be encrypted. This can be inconvenient for pharmacies that deliver, but to keep that information safe you could invest in technology that lets delivery patients swipe their cards on an iPad at the door, where the card data is encrypted automatically.
Any PHI or credit card information that is printed must be shredded or put away in a locked file cabinet to maintain HIPAA and PCI compliance.
Even the layout of your pharmacy and the position of your stations can affect the security of your patients’ data. All work stations should be set up so that information on those computers cannot be viewed by other patients in the pharmacy.
This needs extra consideration if you have a drive-thru window. It’s important that those at the window can’t see the patient information at the POS counter, and vice versa. If you’re worried that there may be an issue, use privacy screens to protect the information.
Monitored Networks with Firewall
Every pharmacy should be set up on a network so that only those that need access to certain information have that access. This network must be monitored, so if a breach occurs the cause can be identified. You can hire a company or purchase certain software to monitor your network.
You should also have firewalls installed to protect your computers from viruses, hackers and Trojans that can break into your computer via the Internet. Restricting your staff’s access to the Internet is another way to protect your network from viruses.
The go-to for companies to block is social media. However, social media is a big platform that your pharmacy should be utilizing. Therefore, if you choose to use social media in your pharmacy, make it available on one computer that is set up on a separate network and preferably does not have access to any PHI or other sensitive information. This way, if it is hacked or infected by a virus, it will not affect your other systems and no sensitive information will have been compromised.
While a firewall works like a gatekeeper, protecting your computer from outside dangers, your antivirus protects your computers from the inside. It works as a detector for harmful files and software that you may be downloading to your computer.
This should be installed on all your pharmacy computers. And you should always keep your software and antivirus up-to-date for maximum protection.
You must conduct regular security training with your employees to ensure that they are aware of all rules and regulations that protect patient information. This training is required by both PCI and HIPAA.
Depending on the size of your pharmacy business, you may consider appointing a security officer. The security officer will be responsible for keeping up with new developments in PCI and HIPAA and training staff on these updates.
Scans and Tests
You must also have an outside company scan your system quarterly by an approved scanning vendor to ensure that your system is HIPAA and PCI compliant. As of July 2015 it is mandated that you also have your system penetration tested. Penetration testing is where an outside company actively tries to break through your pharmacy’s security.
Currently, they are taking your word that you have completed these mandatory tests. However, we don’t believe this will last. In the coming years we expect that you will have to prove that you’ve had your system fully tested.
I know it seems like a lot, but you're probably already doing most of this, whether you know it or not. Before you run off to call up your IT guy, know I’m not trying to scare you. I just want you to be aware of all the ways that you should be keeping your pharmacy data secure, so you can stay PCI and HIPAA compliant!