Pharmacy departments must prepare for sophisticated cyberattacks that could strike at the heart of their operations, according to two speakers at a Dec. 5 session of the 2023 Midyear Clinical Meeting & Exhibition.
Doug DeJong, director of advisory services at Premier Inc., told the audience any downtime procedures they may already have in place are insufficient when it comes to debilitating cyberattacks on hospitals.
Downtime procedures are designed for single systems going down for a short period of time. “In contrast, a cyberattack can potentially take down everything on your server,” he said. “And the effect can be for weeks.”
Healthcare breaches have doubled in three years, and the average downtime has increased from 18 days in 2020 to 22 days in 2021, according to federal data presented at the session.
Naturally, pharmacy leaders must be involved in system-wide planning efforts. “But there are a lot of things you need to lead and prepare that are unique to the pharmacy,” DeJong said. “We’ve got regulatory issues that other people don’t necessarily need to worry about. And our frontline need to be uniquely prepped by us.”
DeJong and co-speaker Jennifer Halsey, a professor of pharmacy at University of Illinois Chicago, were involved in cyberattack planning for pharmacy services at a multi-state health system. The lessons, they said, were eye-opening.
Planners assumed all services were down — not just electronic health records and bedside bar coding, but also email and fax machines.
Halsey said planners quickly identified the need to set up a cell phone communication plan, though she pointed out some difficulties — complex questions about sharing patient information over personal devices as well as basic matters such as getting cell phone reception in basement pharmacies.
Another pharmacy-specific issue is medication storage. But what happens when digital temperature monitoring is down?
Halsey said the health system bought a bunch of “old-school thermometers,” which they stored in a refrigerator. Staff members were assigned to periodically verify that the thermometers were registering the correct temperature.
Pharmacies should also design new workflows for such activities as receiving medication orders, the speakers said. In a slide comparing the current process versus one in extended downtime, the presenters showed how a process that begins with receiving handwritten orders is nearly twice as long as one that starts with receiving the order in a verification queue.
“What if a nurse needs to get an order to you right away?” said DeJong. “How many runners are you going to need just to get orders?”
During the health system’s planning process, questions also surfaced over how to handle “bloat” of the automated dispensing cabinets.
The cabinets “have a certain amount of internal memory. Once it’s done a bunch of transactions it wants to dump [the data] onto the server,” Halsey explained. “If it’s not able to do that, it slows down until it just crashes.”
Pharmacy departments also need to consider how they would comply with mandatory reporting requirements, including prescription drug monitoring programs and children’s vaccine programs.
DeJong said another key consideration is how much time it would take to put their plan in place once the health system realizes it’s under attack. In their former health system’s plan, there was an assumption that employees would need 30 minutes.
The speakers recommended health systems consider doing small, “manageable” monthly exercises, such as creating manual profiles for existing patients one month, generating a manual labeling system the next month, and reviewing infusion center processes the following month.
They also recommended identifying frontline champions to take the lead on planning.
“I really recommend they not be that typical person who does everything. Sometimes we have that manager that’s just awesome and take everything on,” said DeJong. “That person, especially the formal leaders, are probably going to be stuck in incident-command rooms. You need some people who can go, ‘OK, I’m familiar with this.’”