The Business of Pharmacy™
Feb. 17, 2025

Protecting Your Business from Cyber Threats | Brett Gallant, Founder & Director Adaptive Office Solutions


Cyber threats aren’t a question of "if"—they’re a question of "when." Brett Gallant, Founder & Director of Adaptive Office Solutions, joins the podcast to break down the real risks businesses face, the costly mistakes companies make, and the practical steps you can take today to protect your pharmacy. Plus, what should you do if ransomware strikes? Tune in to find out.

Thank you for tuning in to The Business of Pharmacy Podcast™. If you found this episode informative, don't forget to subscribe on your favorite podcast app for more in-depth conversations with pharmacy business leaders every Monday.

Transcript

This transcript was generated automatically. Its accuracy may vary.

Mike: Brett, introduce yourself to our listeners. 

Brett Gallant: I'm Brett Gallant, the owner of Adaptive Office Solutions. We help organizations like pharmacies manage their cyber risk. Organizations realize it's not a matter of if, it's a matter of when. And in my opinion, and a lot of other experts that I speak with, a multi-layered approach is the best and the only way to manage cyber risk. 

Mike: Brett, let's jump right in with this. One of the larger generic wholesalers for a lot of the pharmacies listening, had an attack on them and went on for a couple weeks with no word from them, really nothing.

So I'm thinking, well, did they get it? Slammed by the DEA. Is there something more going on? So one, I'm thinking they didn't communicate very well. And then secondly, this is a wholesale company. And I'm thinking, I don't know a ton of private information they have. And why wouldn't a company like that just have like a duplicate system where they shut the one down and start the next one up, you know, even I'm joking, but just a bunch of floppy disks and just throw them in there. 

So what do you think of that, Brett? was missing there, or is that just par for the course nowadays? 

Brett Gallant: That sounds really sad and there was a lot missing there, questioned, one, that vendor have an incident response plan on how they're going to communicate to the supply chain, which is so critical, did they have the talking points and the instructions within their team and their organization on what to say because that's a considerable amount of reputation damage to that vendor. Some of your owners might be revisiting their relationship with that vendor because of that, think it's not acceptable to not have a communication to keep your, your customers, the pharmacy owners It's so critical. They need to know, even if it's something unfortunate, like this devastating attack to this organization, but there's still stakeholders that they've instilled trust in, they need to know that they're relying on that vendor, what they're doing. And when the ETA for, recovery is present again. Now, one of the things you touched on was, Mike, can they not just come up with a secondary system? Today's reality, that's, I think that would be really challenging, especially if they'd almost have to have secondary computers. Secondary email system. There's so many things to dig in there that it would be very, very challenging for an organization to just pull things up, within seconds that way.

Mike: Well, and you had said earlier, it's not if it's when, and just par for the course. I expect most companies I'm with now, I'm going to get one of their letters, dear Mike, you know, we've got broken into and nothing got taken of yours and this and this and this happened, but rest assured, blah, blah, blah.

And it's like, I get one of those, it seems like, from every company I deal with. And so your point is kind of what I'm getting at too. It's like this place is down for two weeks and you know people with, let's say pharmacy wholesalers, a day or two or a few days, we get that anyways with snowstorms and issues and things like that. 

Once you're down for a week and people are like, well, I gotta get this medicine, I gotta start looking at separate sources and then maybe they look, let's say this happens on Monday, then by Friday, they're kind of looking at another wholesaler. And then pretty soon it's like next Wednesday and 10 days have gone by.

They're like, I got to pull the lever another relationship with

Brett Gallant: and, hey, this

Oh, this other pharmacy is not bad.

Mike: Right. And maybe they don't stay with that one, but if you got a good thing going, you don't want your customers even looking anywhere else.

Brett Gallant: a wedge in that they start looking somewhere else because they had to. You don't want to give them that opportunity to open the door to go somewhere else. you have to start looking at a different supplier, then there's that wedge then, oh, I have another supplier, then maybe that supplier has lost 20 percent of revenue because you realize I can get some of these materials much faster from this vendor.

Mike: Right, right,

Brett Gallant: know it because of this event that has cost them not, just reputation, but long term damage. 

Mike: Brett, so a lot of our listeners, I think they're going to be similar to me. And they say, you know, we don't have many of our own systems. We've got our pharmacy system, but that goes through one of the bigger players. And they've got, you know, they've got 5000 pharmacies that they do and stuff like this.

And so I think a lot of us are saying, well what do we really do? And secondly, maybe who would want to attack us, but then on the other side, they say, how do we prevent that with this company that does 5,000 pharmacies? How do we stick our nose into their business and make sure that they're correct? 

 I think most pharmacists are kind of like saying, what the hell do we do about this? And is it really going to affect us? But I'm sure you're going to tell us some stories about that.

Brett Gallant: Absolutely. Let's dig into this. So Canada, specifically, because I can speak directly about that, 

In a pharmacy, we have a variety of various different parts. We have our vendor that handles our point of sale. We have the vendor that handles the dispensary. And then we have all the other automations that are in a pharmacy. So there's three or four different vendors involved. Now, sometimes in some pharmacies, sometimes when you have your independent pharmacy owners and other chains, there, some of these components. It's up to the pharmacy business owner to really check with the vendor to make sure they're covering and battening down the hatches. I was one of the speakers for a pharmacy event in Western Canada in October of 2024. I was speaking to a variety of different business owners and some people that invest in pharmacies.

Brett Gallant: And I told them about some of the elements that I put into. in a pharmacy help manage risk. And they said, well, the vendor does a lot. I said, yes, they do. But we go a step further, and I explain one of the things we did, and he said, well, wouldn't that be inconvenient that every time the pharmacy operator needs to do an update, that they have to send in a ticket to you to allow the computers to update the major critical software component? I said, yes. Yes, it would be inconvenient, but it's a small price to pay that may have been the difference that could have prevented the devastating cyber attack that happened in western Canada London Drugs where 80 stores were down for more than a week. So really critical, having a cybersecurity risk assessment is the only way to really look at your pharmacy to make sure that all the hatches are covered and battened down. And that includes talking to the vendor and, and really coming to them and saying, okay. I've invested

for these employees, and more importantly, I'm also for the people that are relying on them for their health and their livelihood. asking them, what are you doing to manage your cyber risk, Mr. and Mrs. Vendor? I'm counting on you. I don't think that's happening a lot yet. I'm seeing signs of it now. In some of the other verticals we support. We're seeing it. I actually spoke with, few vendors at that event in October. And one of the vendors outlined what they do. And I'm thinking, okay, this vendor recognizes that what they're protecting is vital. Now, some of the vendors and some of our pharmacy business owners have some outdated software and outdated packaging machines for medication. And sometimes

we really looked to see if that

connection into the pharmacy, into that particular machine, what can happen if that's not locked down and secured the proper way, then all of a sudden, somebody can get in there and start to move laterally throughout the network and take advantage of all these security flaws. 

Mike: So Brett, you can set up something in a local pharmacy system that says, Hey, such and such company, when you update our system every week or or half a year, we've got to check it out before. It updates our system. Is that one of the ways that you mentioned?

Brett Gallant: Specifically what we know if they're going to do it, we'll put the system in what's called a learning mode and permit them to install the software update. So we know it's actually them, so we actually let them do it. But if, if they attempt to do it, it won't allow it because the computer is ring fenced, it's, it's designed that it won't allow anything, even if they have the administrator password. They contact us and we put the systems into a mode where that software can be installed, which is a great thing, in my opinion, because if somebody does get in and moves laterally through another system in the network and, and we Add the system, the Wild, Wild West, if you will.

Mike: Yeah.

Brett Gallant: prevent from something installing and, getting a, a leech into the network installing ransomware.

Mike: We would say with some interceptor like yours, we would say, you've got new software coming out, we're going to bring it in

Brett Gallant: We're going to bring it in. My vendor's going to do a software update or we're applying updates. Can you relax the security on our systems from 9 p.m. to 12 a.m. We do that. 

Mike: You don't look at all their updates. You're saying, we're going to lock this down, but you tell us when you're going to update this and we'll open it up for a couple hours so that we know it's you because you've been knocking on the door.

Brett Gallant: Now,

will do that and we get a request to run this application and we do a onesie, twosie and they send an email. We respond within 15 minutes,

when there's a big update, you relax the security for

small portions. So the vendor can do the necessary work. 

Mike: Now, thinking about hacking.

I've watched too many damn movies where they've got some guy and they're tapping on the keyboard. I don't really think they're typing because 

they're doing it about 20 times faster. And I also have to say this. My listeners know this, but I like to sight read at the piano.

And, when you're a piano player, you know, if somebody's playing a piano in the movies, if they're really playing, because you know, where the eyes go, you know, where the head twist to, you know, when to

do this or that. And some of these people, they show them in a movie and they're like looking up at not that you can't look up, but I mean, you know what it's happening.

Anyways, these movies, these guys are typing, typing, typing, click, click, click, click. 000 things are going through the screen and then they say, Oh, here it is. And then right before the bomb goes off, that kind of thing. But the way I understand it is a lot of these, security flaws are personal that they might call and talk to Joe, 

and they might say, Hey, Joe, I forgot my email. Can you set this or do this? And a lot of times it's just a person to person, you know, someone that you trusted a little bit too much, or maybe someone gave their pass code to a friend and that friend does this or that is that right? Is it typically more movie-ish or is it more person to person failure like this?

Brett Gallant: Oh, there's all kinds of ways that this is happening. So one example, and this is where it's important for cyber security awareness training to train your staff. training them to recognize what some of these risks are. Now, sometimes it's a matter of training them how to recognize a phishing attempt, so they don't fall victim to giving away the tools of the kingdom.

Sometimes you'll get an email for a password reset.

And it wasn't even a legitimate password reset request. And that's why it's important if your listeners don't have this, to have some element of email spam filtering that can filter out that element to detect. If it was a newly recognized domain and actually quarantined the email and in our case and a lot of cyber firms' case what the team would get is Hey, this email was quarantined.

If you think it's legit, click on request for

and it comes to our team and we investigate and actually verify if it is indeed legit. Let me tell you an example of really legit. Stat

hackers are known to be in networks for up to 120 days without you even realizing,

Mike: Yes, 

Brett Gallant: This is why it's a non-negotiable for two factor authentication. 

Mike: So you're telling Brett that sometimes these, good for nothing, they come in and they sit around for a couple months before they even do anything on your computer.

They're just sitting in there. It's not like they come in in the morning and then do something in the afternoon.

Brett Gallant: No, they go for the long play. And what they're doing is they're downloading information,

Mike: Oh, I see.

Brett Gallant: they're downloading information, seeing how you communicate with your vendors. the tone of how you talk, and they're

your email, so they know how you talk, they know what vendor you have a 30,000 payment due, they know what you're expecting for a payment from a supplier, they get all this information, and when they have enough, they start to do their damage.

Mike: Interesting.

Brett Gallant: where they, they lock down the systems, but in other cases, that's where they start contacting your, your customers and saying, hey, we have wiring information. The actual invoice number and from your email because they're in your email and

send that so if people are not monitoring their email and don't have the two factor authentication, they would never even know this is happening. Then all of a sudden they lose up to 200,000 or 30,000 that most businesses can't afford to lose. And to bring that home a bit, I was working out in a gym and I got a, an email from a lady that I know what had happened the day before the person got received a phone call from the bank. said, Hey, I have the owner on the phone with me and we're talking about these four deals, and all the relevant information, the customer, the recent transaction, recent email. All I need is the key fob so I can get in to help him make the financial transactions. Unfortunately, that lady did provide that information and when she realized what she did, it was the next day.

I drove over to meet with the lady. I could see the look on her face. It was, she knew what had happened. When I was there, the bank said nothing had happened.

Actually, right in the middle of the conversation, got word that over 150,000 was stolen from wire transfers. So

If you don't have the two factor authentication and the monitoring on the email, do

importantly, don't ever give the key fob to anybody. And don't even give the key fob to your trusted person over the phone. Unless you're meeting eyeball to eyeball.

On top of that, because of the reality that we're in today with artificial intelligence and AI being able to do deep fakeness and sound just like you. In

possible look like you, you must have a code word between your trusted person and your organization you say, okay, before I give you this information, before we change it, what's our secret code word that only we know it could be bunnies or rabbits are

When you wire money, once you wire it, you don't get it back. 

Mike: The code words are a good idea, but I've been thinking of having a code word for the last like 30 years of when I don't remember somebody's name that just walked in the pharmacy I got to have a code word for my team to come over and say it instead of me coming up with some huge excuses each time pretending like I know it, but I don't, but on the cybercriminals sitting and waiting, I've heard one time too, that if aliens come to the earth, that's what they're going to do. They just don't swoop down from another. Galaxy would come and they would, they would hover out there.

I mean, we don't even know if there's a ninth planet. So we're sure as hell ain't going to see a UFO sitting out there and they could sit there for decades, for hundreds of years, and then pounce on us. When they want to, 

So Brett, the average person is listening and they're saying, all right, we got, we got Gmail, you know, for a company, maybe we have a Squarespace website or something like that. We have some emails. We also have our wholesalers and, you know, our pharmacy system and so on.

What's one key for us to do?

Brett Gallant: Actually, the backups. Are the backups being done? Are they tested? And are they secure and are they off site? Some of your pharmacies are managing backups in the dispensary and they're relying on USB. Revisit that and rethink that. And then the other thing to have is that conversation with your vendor, and say, okay, I called you tomorrow, and I said I had a cyber attack,

What are you going to do?

Actually ask that question to yourself. If it happened to my organization tomorrow, and my dispensary was down, and it was just my pharmacy, what's my plan? Three words. What's your plan? You need a plan. Hopefully it never happens to you.

Mike: Brett. If you're a pharmacy and you've got a pharmacy system, I'm just going to say it has 5,000 pharmacies that this company in California does for all the pharmacies that buy into it. Let me give you three scenarios, one would be an attack gets into the main pharmacy place with these 5,000 places. The other one would be that it comes in that it gets just to the pharmacy. And so even though we're thinking that we're under this pharmacy system, there's someone in our system doing something nefarious. And I guess the third point would be, can that go the other direction? I'm picturing something coming into this 5,000 company and coming down to a pharmacy. Can it go in reverse where it goes into an individual pharmacy and then shoots up into this main pharmacy system?

Brett Gallant: A lot of times these attacks are coming through email. So if your email gets infected and, and you have in your email the address book for 70 other pharmacy business owners and they click on that email, even 10 of them, yes, it can. We have to, we can go and look at an example of what happened with CDK, it was actually the other way when the car automobile dealership network, then they got infected and 15,000 car dealerships were down for the better part of a week.

They

one, one night and then the very next day they were, they had to shut down again.

Now, depending on the way the network is designed, and I'm not familiar with every pharmacy software they're

but in the case of many of the pharmacies they're in their own little silo.

if this small independent pharmacy,

may have 3 or 5 stores or 20 or whatever, if just the one pharmacy gets infected, Thinking of the example I have in Canada, then no, it would not spread back to mothership, 

Mike: Now, Brett, I ain't no genius, but I'm thinking you keep mentioning two factor authorization and I'm thinking, you know, if a hacker can get in one. They can get in two, I understand the two factors: it can call your own phone. It can be based on your own hardware. You have to say yes from there.

It can be uh, uh, authenticator code, you get a half dozen of these and it switches every 90 seconds or something like that, but it seems like if they can do one, they can get by two.

Brett Gallant: Right, well example, if they get in and your account had admin access, they can move throughout the whole environment and cause damage. So that's why, if you have your own domain, and I recommend having Microsoft Office 365, when you secure that environment properly. You can enable the two factor authentication, but you can do other things as well and do what's called conditional access, and I know we're getting in the weeds for a little bit.

Mike: No, that's perfect. I want to,

Brett Gallant: Conditional access is important because you need to talk to your supplier and say, okay, have you configured my system, my email so that only people that can get into my email are from the United States or Canada.

Mike: You had to include those Canadians. I know.

Brett Gallant: I do, I do, we're great, eh? For example, we have some of our clients that when they travel when they get to the United States and we, we didn't realize they were traveling and vice versa, we have to relax the, the, the conditional access to allow them to use their email when they're traveling. I think

a great thing.

Mike: We're kind of talking about computers here. It leads me to think about other stuff, know, phones. There's maybe not a lot on the phone that is not on the computer, but there's that. There's also I dunno, what else is there?

Security cameras, different inventory counts, all that kind of stuff. I guess any place where some scoundrel can make money, they're going to mess with something.

Brett Gallant: Yes. Imagine if they got access to your phone system and started calling out. And we'll get into the weeds here for a second. Think of your network like a small little city. And I'm going to explain VLANs relating to cities. So on the street. A street is your, let's say it's your dispensary, that's a street. Your phone system, voice over IP, is on second street. Your vendors that do the other machines are on 3rd. Your security system is on 4th street. And then maybe another critical system is on 5th street. Keep all of those these are, that's what I'm trying to explain is VLAN. So 1st street is a network, 2nd street is a network. Design your network so that if something happened on the security system network ransomware attack or whatever it would be, wouldn't travel over First Street to your dispensary. So you design your network way to keep things from moving around.

Mike: Reminds me of uh, I sound like I was in the war. I just read this in a book, but the old submarines, and basically, the doorways don't go down to the bottom, you know, they're, they're big holes. And then if there's a leak somewhere, they can seal one of them off before it just floods the whole thing.

So that same thing where they're just not all connected. 

All right, Brett. Let's get into ransomware. Do you pay? Do you not pay? How do they decide when they pay those off? Is it effective? Is it something I should go into when I leave the pharmacy? How big is ransomware? 

I know you can make a lot of money by getting into a computer and making a penny here, a penny there, and multiplying that by a billion. But the ransomwares are the ones that stick out in the headlines that this company wants 15 billion for something or other 

Brett Gallant: You're playing with the devil if you pay. 

One of the questions I ask among many when we're doing a discovery call is if you had a ransomware incident, how much would you be willing to pay? And it's surprising how many different answers I get. I had one pharmacy business owner say 80, 000 and some said more and some said less and, quite a few said nothing. I've told every single one, I would advise you never to pay.

Mike: Never pay.

Brett Gallant: You did have something, and you didn't have a backup plan, and you didn't have your incident response plan. Get a professional involved to negotiate, Sometimes you have to do but but how do you know

honest hacker No, that's why it's so critical when I said that earlier some recommendations Check and make sure your backups working And make sure it's off site somewhere

Secure. So oftentimes they'll, they'll hold you up for extortion.

If you don't pay for this ransomware, we're going to sell it on the dark web. Well, even if you pay, how do you know they're going to do it? If they're not going to do it anyways, and come back to you for more money,

They pay one time and they don't do it for three or six months. They come back to you again, we want you to pay again so we don't release, release it. It's a

Mike: Right. Because they've got backups of your stuff. So it's not like they're going to give you like here's the papyrus that it's on. I mean, they can have it too. Sort of hearkens back to what you were talking about, just lying in wait, because it seems like a lot of these companies, like we pharmacies, we've got backups and all that stuff. So it's almost like if these companies waved their hand and said, we're here, you'd shut it down and you'd, and you would just use your backup.

So it seems that part of the problem is when it's in there, but they don't know, because if they know they can shut it down and use their backup. It seems if they don't know, it seems that's where the problem comes in.

Brett Gallant: And that's why you need to do forensics and incidents to see when they actually got in. And the first thing they go for when they get in is they eliminate the backups. So if your backups aren't managed and in an offsite secure place.

Mike: They could be in there for a year and you're like, well, they just got in there. We're going to use our backups. And it's like, well, no, you don't have a backup from a year ago. So you're going to give away a whole year of whatever 

Brett Gallant: Going in a different angle, sometimes people restore the computer to an image of two months ago. But the computer, you may have restored back to the point where they were in the system two months ago, and they can still get in, they still have a hold.

Let's say, for example, you said, okay, we're not going to pay, and we're going to restore from backup. But some people might specifically just restore the computer to the way it was working to two months ago. But if you have an incident like that, you actually need to the hard drive completely or even put a new hard drive in and install the Windows new and the dispensary software new and restore from the backup and if you didn't have the cyber security tools in place this event, well want to have it now because you realize that, hey, it can happen to me.

So put it on so that if they come back again, you can see it this time.

Mike: Brett, touch on AI. So AI, it's like, it's kind of like me being a cyber criminal. Every time you block me, two of me are going to be created in four. and a, I mean, 

Their learning seems exponential. 

Brett Gallant: It does in a lot of ways because it can move much faster than what they used to.

write new code, new tools. And it's getting harder to detect if you get an email from someone, if it's actually legit or not because

The language is so much harder to detect. Before you could actually see, it was easier to detect. It broke in English

Mike: Different font, that kind of stuff.

Brett Gallant: Now AI is making it more challenging.

Mike: Speaking of broken English, I heard, I don't know if this is true or not. Sometimes you read an article and they have something that sounds good. It's like, how the hell do they know? I don't know if that's true, but they said that in this Nigerian scheme, you know, the ones where the Prince needs the money to do this, all that kind of thing.

They said that. On purpose, they use some of the broken English and broken logic so that people like you and me are not going to spend much time with it. They don't want us looking into it. They want us to say, Oh, look, there's a bad spelling or look, they used a fake email address.

You can tell it's not Gmail. It's Gmail and some other thing. And they want to get rid of us. They want the other percent of the people who fall for it to spend time. So on purpose, they're making it look quite right to get rid of the people that might look into it more. That's what this article said.

 I don't know

Brett Gallant: That's interesting.

Mike: if he made it up or not though.

Brett Gallant: There might be a certain element of truth, 

Mike: All right. So Brett, we've talked about pharmacies and we've talked about maybe larger wholesalers. I'm thinking in a pharmacy, it's like quite often during the week, you're getting stuff in , nominal.

Important stuff, but it might be a vial company or labels or cleaning supplies or whatever, maybe from a local company, maybe someone else, those kinds of people I'm kind of thinking are in the middle, anything those kind of boring stuff, anything that those companies should know

Brett Gallant: I think those companies, if they're not doing anything to manage their risks, they should do it now. Specifically, as a pharmacy business owner, I would be asking those companies what they're doing. Do you have a cybersecurity program in place? Because we're counting on you to have those vials in place and if they have a cyber security event and they can't process their inventory or pay their employees they had a cyber security event they can't get their own stock then all of a sudden that leaves pharmacy vulnerable because I have to start finding another place to find those vials 

Mike: Talking about the wholesaler earlier, I mentioned that maybe it goes down on Monday and by Thursday, we're kind of looking to see if anybody else is out there. And by next Tuesday, we're making some phone calls, but that's a little rinky dink company like mine, you get some other company, they really shouldn't wait for more than 24 hours to lock things down and find another wholesaler. You don't have the time to do that. That's a good reason the pharmacy should be checking with these places. And if they say, no, we don't have it, or it's not up to standard.

It's like, well, I'm going to look for another wholesaler now, in case this happens a year from now versus six days or eight days when it does happen.

Brett Gallant: Exactly what I really would encourage to take out a sheet of paper and write down vendor lists and put the name and contact go through each one of those to see what the backup plan is or see if they do have a cyber security program but list everything that's critical to your pharmacy security. Then also identify a possible secondary vendor so that in the event something happens, because something unfortunately will happen, you could have the best of cyber security and it still could happen. That's the,

The biggest takeaway from today. You could have everything. If someone said to you that I can prevent all cyber attacks, I would say no way. Because you could have the best, and it still could happen. So,

that list, and having that conversation with them to see what they're doing, because no plan is not a plan, and, and, and really, it's not acceptable. 

Mike: So Brett, regarding ransomware.

Never pay, never pay.

Brett Gallant: Never pay, unless you're dealing with somebody that's an expert. Don't do that on your own. But I

ever pay. Don't ever

please

Mike: It's not just like, don't ever negotiate with terrorists. You know, it's not even that much. It's just, if you pay, you don't know what you're paying for. Right. There still could be a virus in there from two months in the backup and stuff.

So, why pay? Cause they can come right back at you.

Brett Gallant: The only reason why some people would pay is if they were being extorted or if they didn't have a backup. That's why you want to darn well make sure that

tested a backup. I can't tell you how many times I've gone to an organization that said, "Oh, we have a backup." Okay. A backup is just a wish and a dream if it's not tested.

Mike: Yeah. You're right. years ago. All right. I'm going to tell you, this was on our 386 computers, to tell you how advanced we were, but this is back in the mid, this is in the very early nineties. And we had our system at our pharmacy. We thought we were pretty deluxe.

We had backup. They're about the size of eight-track tapes, you know, as a tape, it wasn't small as a concept, but damn, our hard drive broke. It wasn't an attack. It broke and we were 10 days without our pharmacy system. We were trying to get a drive and then we couldn't get the tapes to work and all that stuff.

And I mean, I haven't learned my lesson. I haven't done it with my current system, but that's because I think we have two hard drives to go in the basement and all that kind of stuff. But that was terrible back then. You'd wait the next day for the FedEx to come and bring this, and then that didn't work and so on.

So you're right. You're not anything unless you've tested these things and make sure you can get up and running on them.

Brett Gallant: That's why that incident response plan, disaster recovery plan is so vital. 

Mike: So Brett, we've talked pharmacies and so on and even suppliers. Stretching that out a little bit further, you know, a pharmacy is in a, in a neighborhood, in a city. Are the hackers getting into this kind of stuff too?

I'm always thinking about businesses, but are they getting into just areas or, or cities and causing havoc? 

Brett Gallant: They don't care. They're not targeting a geographic area at all. Having a backup is not just for cyber, but for a natural disaster or something terrible.

Uh, under 10 years ago, they had a fire that destroyed their municipality, but they also had the fire department in their building. So, my point is, if a

just as equally important for a natural disaster as it is for a cyber security event. I'm thinking of a pharmacy business owner I met in Western Canada. They had a devastating fire happen a few years ago, similar to what's unfortunately happening in California right now,

The pharmacy business owner shared the story of what he had to do every night.

This is where you get into the heart of why he was a pharmacy owner,

help people. He stayed in the community to still provide medication to everybody around, but every night he actually packed up the server and drove to another community with the server, because he didn't know if his building was still going to be around

to evacuate for a few weeks and they worked out of a temporary location that they could still fill the prescriptions for not only for their community, but they went heart and soul into it because so many people evacuated in surrounding areas. They would work from eight to five to serve the regular clients, but then they work from five to midnight on the prescriptions to cover for all those other 20, 30,000 people that they had to support their livelihoods because people need their medication.

we're dealing with life and death when we're talking

Mike: Well, you bring up the fires. Who would think that there'd be. I mean, I guess it can always happen in California, but in general, who would think that a natural disaster that big in an area can happen? Because I know there's people like, let's say I might have something at the pharmacy.

Well, let's say like a backup tape, you know, I know a lot of owners that maybe bring up, bring a backup tape home once a week, or at least in the old days they did, because there's no way in hell that the pharmacy is going to burn down and then five miles away, your home's going to burn down.

And so you think about stuff like that in LA those kinds of, and like I say, maybe they don't do that out there so much because they know it's a possibility, but you just think of all of the duplicates that could have burned down, you know, all the schools in that area, things like that.

And so if you had records at one school and you'd switch records to keep them backed up all that kind of stuff, it's like, when you've got something of that size,

Those things are kind of out the window. 

All right. So Brett, someone is listening to this right now. And they've got a couple of minutes before they're going into the store. What could they do in those two minutes, even to move something forward?

Brett Gallant: Number one, I have a document, 15 ways to prevent a cyber attack, actual items. DM me "15 ways" and I'll, I'll forward that. Talk to your IT vendor and speak to them and say, "Okay, what, are we doing enough to manage cyber risk?" And then third, have a cybersecurity risk assessment done of your organization. Test your backups. Make sure you have multi-factor authentication. Those are the core things you need to do.

Mike: Well, golly, Brett, thanks for joining us today. This is stuff that people don't really want to think about. The people that think they're going to get attacked the least are probably the ones that need to be thinking about. Brett, I know you're busy. Thanks for your time. Pleasure talking to you. I know our listeners appreciate it too.

So really good information and great having you on.

Brett Gallant: It was such a privilege to speak with you. I'm so thankful here today. 

You've been listening to the Business of Pharmacy podcast with me, your host, Mike Kelser. Please subscribe for all future episodes.