
Dispensing in the time of cyberattacks

Cyber Security

Sonya Collins

On February 21, 2024, Change Healthcare, a UnitedHealth Group subsidiary that processes health care data and one of the largest processors of prescription medications in the United States, was the target of a ransomware attack. The organization took its systems offline that day and by March 1, 2024, had launched a new version of its electronic prescribing service.

In response to this attack, DEA issued a guidance document titled “Drug Enforcement Administration (DEA) Registered Pharmacies Dispensing Electronic Prescriptions During a Cyberattack.” While the guidance does not call for any changes to current pharmacy practice, it serves as a reminder of the means by which pharmacists can accept prescriptions for controlled substances, including paper, fax, and phone.

“I suspect DEA wanted to be clear that federal law allows prescribers and pharmacies to use signed paper prescriptions for Schedules II-V and paper, fax, or oral prescriptions for Schedules III-V,” said Lisa Schwartz, senior director of professional affairs at the National Community Pharmacists Association.

“Federal regulations do not require electronic prescribing for controlled substances, and paper is still king,” said Scott Nelson, PharmD, an associate professor in the department of biomedical informatics at Vanderbilt University in Nashville.

Understand the reality of cyberattacks

Cyberattacks are steadily on the rise and appear to be here to stay.

According to the HHS Office for Civil Rights, hacking-related data breaches increased by 239% between 2018 and 2023, and ransomware attacks by 278%.

“Pharmacists should assume their business is a target,” Schwartz said. “An attacker may or may not be interested in accessing patient data. They are interested in holding hostage data that will get them a ransom, and patient data certainly fits that description.”

The impact of a ransomware attack on a pharmacy depends on whether it was a direct attack on the pharmacy or on business associates that handle, for example, electronic prescriptions, claims submissions, or claims adjudication. The extent of the downtime depends on how quickly an attack is detected and the safeguards the pharmacy had in place to stop the attack and recover its IT systems.

“The business interruption from not having access to patient data builds quickly and a HIPAA breach can result in significant compliance penalties, not to mention reputation harm to the pharmacy company,” Schwartz said.

Pharmacy owners can access a risk assessment tool at HealthIT.gov.

“I recommend pharmacists have robust extended downtime processes,” Nelson said, “which should also address questions around electronic prescribing for controlled substances.”

State law rules

When state laws are more stringent than federal laws, state law supersedes DEA guidance. It’s pharmacists’ responsibility to be familiar with these laws.

“Pharmacists need to know the laws in their state or the payer requirements for [electronic prescribing for controlled substances] and the exceptions those laws or policies have during an emergency or technology disruption,” Schwartz said.

Some states, for example, might allow paper prescriptions during emergencies, provided they are on a certain type of paper that is more difficult to falsify.

Know the red flags of drug diversion

Threats to electronic prescribing systems are ongoing. Know the signs of drug diversion and fraudulent prescriptions. These online resources provide more information:

Posted: Oct 7, 2024
Categories: Practice & Trends
