Pharmacy Cybersecurity Standard Operating Procedure

---

Recently cybersecurity has become a hot topic within the pharmacy sector. As such, as we intend to be responsive to any new emerging threat to pharmacy technological or otherwise we have created a Standard Operating Procedure to manage Pharmacy Cybersecurity, this is free to access, however if you would like access to our suite of 150+ template SOPs for traditional bricks and mortar and internet pharmacies consider signing up to our GoPaperless solution.

---

Standard Operating Procedure for Pharmacy Cybersecurity

Purpose 

To allow for safe and secure transactions over the internet, applying the utmost care to patient safety and data security.

Scope

Our organisation is committed to and is responsible for ensuring the confidentiality, integrity, and availability of the data and information stored on its systems.The main scope of this SOP covers data security of pharmacy systems. 

---

General Cybersecurity Measures

1. Vulnerability testing.

Before training can be given to staff about data security, management must first understand the key risks to their organisation in respects to cybersecurity. A vulnerability assessment should be produced to evaluate information system vulnerabilities and the management of associated risk. A vulnerability assessment should include the following:

• servers used for internal hosting and supporting Infrastructure
• servers which will be accessed through a reverse proxy
• desktops and workstations
• perimeter network devices exposed to the internet
• all external-facing servers and services
• network appliances, streaming devices and essential IP assets that are internet facing.
• public facing applications and devices (wifi connected blood pressure machines, weight scales, BMI calculators etc)
• cloud based services 

2. Ensure that all staff understand the main cybersecurity threats, more specific detail can be seen below.

Either create your own course for your staff or use a reputable provider like Voyager Medical (courses can be found within the hubnet.io). Within a high-quality cybersecurity, course staff will learn about the importance of using two-factor authentication, enabling automatic updates and the use of anti-virus software / ad-blocking browser plugins.

Specific cybersecurity measures

3. Protection from Malware.

• Detection, prevention and recovery controls – supported by user awareness procedures – must be implemented to protect against malware. Key methods to avoid malware include:
  • installing, updating and using software designed to scan, detect, isolate and delete malicious code.
  • preventing unauthorised Users from disabling installed security controls.
  • prohibiting the use of unauthorised software.
  • checking files, email attachments and file downloads for malicious code before use.
  • maintaining business continuity plans to recover from malicious code incidents.
  • maintain a critical incident management plan to identify and respond to malicious code incidents.
  • maintaining a register of specific malicious code countermeasures (e.g. blocked websites, blocked file extensions, blocked network ports) including a description, rationale, approval authority and the date applied.
  • developing user awareness programs for malicious code countermeasures.

4. Limiting Operation Software.

The installation of software on production information systems must be controlled. To protect the general cybersecurity health of the organisation when installing new software responsible persons should ensure:

• updates of production systems are planned, approved, assessed for impacts, tested and logged.
• operations personnel and end-users must be notified of the changes, potential impacts and, if required, given additional training;
• production systems must not contain development code or compilers.
• old software versions must be archived with configuration details and system documentation; and updates to program libraries must be logged.

5. Limiting patient wifi access.

Some pharmacies offer patients free access to their wifi network. The pharmacy should ensure that this wifi network sits separate from the mechanism by which they communicate patient medical records to the central health authority. If the pharmacy offers a separate wifi access point, the password for guest access should be rotated at a minimum of once a month and staff should be trained to spot potential "man in the middle attacks".

6. Backup.

Backup copies of information, software and system images must be made, secured, and be available for recovery. More specifically:

• Information Owners and System Owners must define and document backup and recovery processes that consider the confidentiality, integrity and availability requirements of information and information systems. Key aspects all processes must address include:
  • use approved encryption;
  • physical security;
  • access controls;
  • methods of transit to and from off-site locations;
  • appropriate environmental conditions while in storage; and
  • off-site locations must be at a sufficient distance to escape damage from an event at the main site.

7. Event logging.

All staff should be appropriately trained to constantly monitor for cybersecurity threats. In the event that an event occurs this should be reported directly to the staff members line manager. This should be done using the hubnet.io error reporting system, an event should be logged and details recorded. This log for every location within an organisation should be monitored by an authorised management team. Once an event has been identified appropriate corrective action should be taken which includes a report which details:

• identification of the event;
• isolation of the event and affected assets;
• identification and isolation of the source;
• corrective action;
• forensic analysis;
• action to prevent recurrence; and
• securing of event logs as evidence

Review Procedure

This SOP will be reviewed in the event that there are any changes to best practice concerning pharmacy cybersecurity or in the event of staff changes. It will also be reviewed in the event of incidents or errors that have been logged. In the absence of any of these events, it will be reviewed yearly from the date of publication.  

Known Risks

• Security gaps.
• Malware.
• Man in the middle attacks.