In many businesses, staff have full admin rights to their computers. Pharmacy is no different, with staff logging on to their computers as local administrators. Often this is a default set-up implemented by the local IT provider or their pharmacy software provider.  

Unfortunately, from a security perspective, it is a risky practice. For the best security and strong protections from malware, ransomware and persistent threat actors, all pharmacy staff should only be logged onto workstations with standard user rights. If malware is executed when a user is logged on with user rights, the ability for that malware to persist is limited.  

Why administrative privileges should be restricted 

Administrator accounts are the ‘keys to the kingdom’, as they give a user complete control of the computer. Threat actors will target admin accounts to take complete control of a computer. Not using an administrator account for everyday use will help limit what a virus can access if your computer becomes infected. 

Users with administrative privileges for operating systems and applications can also make significant computer configurations, bypass critical security settings, or access sensitive information.  

Restricting administrative privileges makes it more difficult for a threat actor’s malicious code to elevate its privileges, spread to other hosts, hide its existence, persist after a reboot, obtain sensitive information, or resist removal efforts.  

An environment where restricted administrative privileges are more stable, predictable, and easier to administer and support. 

How to restrict administrative privileges 

The correct approach to restricting administrative privileges is to: 

1. 1. Identify tasks that require administrative privileges to be performed within the pharmacy, such as installing new software, updating the pharmacy dispense or point of sale, or installing hardware such as printers.  
   2. Nominate staff members with the skill and trust to be authorised to perform those tasks as part of their duties. This could be a pharmacy manager, outsourced IT providers or the pharmacist in charge.  
   3. Create separate administration accounts for staff members with administrative privileges. When they need to perform admin tasks, they can log on with the account and perform the task or use the built-in Windows “Run As” functions, which allow a secondary log on to run an installer program. Windows can be set to prompt for these additional credentials.   
   4. Review and revalidate the privileged accounts on a frequent and regular basis, for example, when staff leave, when they change duties or are involved in a cyber security incident. 

Note from the CISO: In an established pharmacy, implementing restricted administrative accounts may be difficult and potentially disruptive. If you are fitting out a new pharmacy or implementing new IT systems, then that is the perfect opportunity to implement improved security in your business and you should speak to your IT provider about implementing restricted administrative access.  

Restricting privileges will significantly improve security and reduce the risk of a cyber incident. Still, I recommend focusing on fundamentals like system and application patching, application whitelisting, and strong anti-malware first.  

If you are worried about the security of your pharmacy systems and want to know how you improve the security in your pharmacy and protect yourself from ransomware, speak to your Customer Success Manager or contact us on 1300 669 865.