Protecting Your Business. Questions YOU Should Ask Your System Vendors Today – Part III
- Harvey Brofman
I just read that it’s National Cybersecurity Awareness Month! So I thought it would be a good time to add a cyber-twist post to a previous series of posts.
Between the noise of non-stop political b/s, it seems like every day we hear of a new cyberattack on yet another business, hospital, municipality, etc. around the globe.
As cybercriminals look for their next target, it’s time for you to start looking within.
What are you doing, or more importantly, what are you asking your vendor to do to keep YOUR infrastructure and systems secure? You probably have more than one vendor you are working with, and most likely another handling your hardware/network. Have they prepared you to handle a data breach or attack that could compromise you and your customers? Have they ever performed a risk assessment, or performed one recently? Probably not. Most can be reactive rather than proactive in their approach, and it also depends on what services you have engaged them for, but that doesn’t mean it’s too late. Since October is National Cybersecurity Awareness Month, there’s no better time to face the monsters creeping around online.
It Starts At Home
Home? Well, sure. Are you connecting to your store via a remote desktop or a VPN? Both approaches come with different AND similar issues. If you do remote work, security matters there too. Are you smart about your password choices (see info on Strong Passwords here)? Do you change them every couple of months? Along with everything else you deal with day to day, you need to ensure you have proper internal security controls in place in your business. This can include training to keep staff up to date on the latest security policies and procedures. I should also include using advanced security tools and solutions to fight attacks. It’s all about stopping a cybercriminal from getting access to your or your customers’ information.
Your reputation as a trusted pharmacy is at stake. If attacked, when the dust settles, you could then face legal action for compromised customers’ information. You have too much to lose not to ask the questions.
With all the news about attacks and breaches, it’s easy to worry. Awareness of the threat and knowing that you need to protect yourself better is a great first step. Being proactive about security has another benefit: the worst time to write an incident response plan is during a security incident. How do you prepare yourself? By performing a security risk assessment. A risk assessment will help pinpoint vulnerabilities across your business and networks. This information is instrumental in building a security strategy. Putting this strategy into practice will reinforce your defenses and leave you better prepared if an attack comes your way.
What About Your Pharmacy and POS Systems?
Vendors, especially those serving healthcare, have so much to consider today. Design, data integrity, security, and workflow are all important. But the underlying operating system and database security is often taken for granted. Many systems are running today with operating systems and database servers close to, if not past, their End-of-Life. This means the vendor (many times, Microsoft) no longer supports or makes changes to the underlying software. So, a few key questions you should be asking are:
- How maintainable is the system?
- Was it developed using a modern language?
- Is it of a modern architecture, considering modern security requirements?
- Is it designed for modern operating systems and databases?
- Does it run fast enough to keep up?
- When was it last updated? When was the update before that?
- How reliable is it and what is the unexpected downtime when running into an issue?
The answers to these questions may highlight security risks, including HIPAA security risks, that can be a dangerous side effect of the choices made, putting your business at risk. Make sure your vendor is developing for the latest supported platforms. You can read The inherent dangers of End-Of-Life Software for more insight.
Security also needs to be a part of your company culture. It’s one thing to invest in security tools and processes, but you need to communicate a top-down approach encouraging a culture of security. If the people at the top don’t support the security efforts, it will put the brakes on any significant security progress. A company-wide understanding of security will keep your staff aware of and alert to threats, keep your systems secure, and show the impact security has on your business.
Click here for more (Security, Future Readiness, and Other Thoughts) in part II.