Ransomware Attacks – Is Your Data Protected?

Safeguarding electronic Protected Health Information (ePHI) is as important for a big Fortune 1000 company as it is for independent pharmacies. The HIPAA Security Rule was designed to be flexible to accommodate providers of different sizes and with varying scopes of practice; therefore, the size of your pharmacy does not matter…the Security Rule still applies. That means administrative, technical and physical safeguards are all required to protect patient information.

A recent breach at PharMerica Corporation should serve as a reminder to reassess your pharmacy’s own safeguards to help decrease the risk of a successful malicious cyberattack. According to the PharMerica breach notification posted online in the Maine Attorney General Data Breach Notifications database, the breach affected over 5.1 million people. The attack occurred between March 12 and March 13, 2023 and was discovered on March 21, 2023. A sample of PharMerica’s breach notification letter explained that hackers gained access to patient records including “name, address, date of birth, Social Security number, medications, and health insurance information”. A ransomware gang claimed to be behind the attack and when PharMerica did not pay the ransom to buy back their stolen data, the information was published online.

Administrative safeguards such as firewalls, anti-virus software, log-in monitoring and password management are just several examples of methods to protect ePHI. Here are several questions to consider about your own program:

What array of methods does your pharmacy use to safeguard your ePHI?
Have you evaluated your vulnerabilities lately?
Have new/different threats been identified that require consideration for additional safeguards to be implemented?

PAAS Tips:

At least once a year, the Security Officer should perform a thorough assessment of the potential threats, vulnerabilities and the associated risks to the confidentiality, integrity and availability of ePHI
Develop and implement policies and procedures to safeguard ePHI
PAAS National^® Fraud, Waste & Abuse and HIPAA Compliance Program members should review their Policy & Procedure Manual for additional guidance on safeguards; specifically, Section 11 – HIPAA Security and Other Administrative Simplifications and should perform a Risk Analysis at least annually

Author
Recent Posts

Sara Hathaway, PharmD

Analyst at PAAS National^®

After graduating from UW-Madison's School of Pharmacy with my PharmD, I spent my first eight years at an independent pharmacy dividing my time between both retail and long-term care. I fell in love with the independent pharmacy world and joined the PAAS team to help independents not only survive, but thrive.

I enjoy assisting pharmacy staff both pre- and post-audit and enjoy providing them with knowledge and tools to decrease audit risk going forward. I write articles for Third-Party Newsline each month and answer member questions daily. I look forward to building professional relationships with each of our members and assisting you with your next audit.

Latest posts by Sara Hathaway, PharmD (see all)

Numerous Sumatriptan Formulations Cause Headaches for Pharmacies, & Potential Recoupments - April 14, 2024
Be on the Lookout for Eye Drops Requiring Extra Billing Consideration - March 16, 2024
Employer Pays $4.75 Million after Employee Stole, then Sold, Protected Health Information - March 5, 2024