One of the most precious assets in any pharmacy is the confidential data held on patients, medicines and business operations… and protecting that data from attack is therefore a priority in the efficient and ethical operation of any pharmacy business, says the Guild.
Unfortunately cyber security attacks are a growth industry, with Australia leading the world.
A survey by PricewaterhouseCoopers released in October last year found Australia had the highest number of cyber security incidents in the previous 12 months with 9434 incidents reported, more than double the previous year.
The growth in the rest of the world was about 38%. This of course only accounts for known security attacks or breaches.
The protection of data against cybercrime and breaches is a focus of the Office of the Australian Information Commissioner (OAIC) Privacy Awareness Week (16 – 20 May). This year’s theme, Privacy in Your Hands, aims to reinforce the message that organisations, agencies and individuals must be vigilant in maintaining a good understanding of their rights and responsibilities for the handling of personal information.
Pharmacies have a particular responsibility to protect data because of the sensitive nature of much of the information stored including information concerning the use of scheduled medicines and patient health records.
Pharmacies are custodians of their patients’ personal information and this responsibility underpins community pharmacy’s highly trusted role in the community.
A spokesperson for the Pharmacy Board of Australia says that as pharmacists had responsibilities regarding maintenance of records, the Board may provide reminders from time to time.
“It’s important that individual pharmacists are aware of, and meet, their obligations, including their obligations about keeping their records secure,” the spokesperson says.
“Keeping sensitive and private information safe is important all year around. Privacy Week is a good opportunity for registered pharmacists to reflect on how they store and manage information, and make sure they are protecting patients’ information.”
The Pharmacy Guild of Australia encourages pharmacies to be aware of their obligations relating to the protection and privacy of information in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988.
These include reasonable security safeguards and steps to protect the information from loss, unauthorised access, use, modification, disclosure or other misuse.
The Guild notes that data breaches are not limited to malicious actions, but may also arise from internal errors or failure to follow information handling policies that cause accidental loss or disclosure of information.
The integrity of electronic data security is of particular importance given community pharmacies’ fundamental role in supporting Digital Health (eHealth) initiatives in Australia, including the Electronic Transfer of Prescriptions (ETP) and My Health Record.
The Guild highlights that data breach notification obligations under the My Health Record system are new obligations, which may require mandatory notifications.
Registered healthcare provider organisations (such as community pharmacies) are required to report:
- an event that has, or may have, occurred that compromises, may compromise, has compromised or may have compromised, the security or integrity of the My Health Record system, and
- circumstances that have, or may have, arisen that compromise, may compromise, have compromised or may have compromised, the security or integrity of the My Health Record system.
There are some broad measures to take to protect your pharmacy’s data. These include updating your operating system to ensure you have the latest protections against attack, restricting access to your network to authorised persons only, and developing and enforcing security protocols. Specifically, some of the measures could include:
| Measure | Description |
|---|---|
| Firewall | Have the latest firewall available and ensure it is secure and fully managed by a security company. |
| Encrypted data | Protect sensitive data, such as credit card and patient information, and ensure it is encrypted. |
| Maintenance | Maintain your system and update it regularly to ensure antivirus software, and systems and applications are the latest available. |
| Access limitations | Restrict access to a need-to-know basis. |
| Internal and external testing | Track and monitor access to your system and test network security internally and externally. |
| Security policy | Develop and implement a security policy that includes PCI compliance. Your employees need to read it and acknowledge their awareness. |
| Passwords | Make sure they are strong and changed regularly. |
| Backups | Perform regular (daily) local backups of key systems such as the dispensary computer. Store backups securely in an offsite location. |
| Emails | Do not open emails from sources which look suspicious. |
| Software | Use software from reputable sources and keep it up to date. |
| Consulting area | Have a private area for situations that involve a consumer viewing data onscreen. |
| Hard copy | Ensure that paper copies of data held electronically are disposed of securely when no longer required. |
Regardless of protocols in place, Privacy Awareness Week is a good reminder of the need to constantly review data security.