4 Things to Know About Cannabis Industry Cybersecurity

April 20, 2023

7 Minutes

The cannabis industry is growing fast, but too many businesses within it don’t understand the risks that come with a fast-growing, healthcare-related industry. “Cannabusinesses” are ripe for all kinds of attacks because they have valuable customer information, but not the security features to protect it.

This could lead to huge fines, reputational harm, customer loss, and potential doom for many cannabis companies across the country.

Read on for the four key things you need to know to protect yourself and your customers.

Download DOT Security’s checklist, How Covered is Your Business?, to see everything that goes into building a strong security foundation for your cannabis company to fight modern threats.

1. Medical Marijuana Companies Must be HIPAA-Compliant

HIPAA (Health Insurance Portability and Accountability Act) is a federal law that applies to healthcare providers, health plans, and healthcare clearinghouses that deal with the protected health information (PHI) of patients. Though they may not be casually classified as plans, providers, or clearinghouses, medical marijuana businesses that handle PHI are also required to comply with HIPAA regulations.

This is because medical marijuana dispensaries and related businesses that handle PHI are still considered covered entities (businesses that collect patient data and are required to meet HIPAA requirements) and must comply with its privacy and security requirements.

Do Recreational Marijuana Dispensaries Need to be HIPAA Compliant?

If your cannabusiness is purely for recreational purposes and does not handle any protected health information (PHI) related to patients, then it would not be considered a covered entity and would not fall under the Health Insurance Portability and Accountability Act (HIPAA) regulations.

But it’s important to remember that even if recreational marijuana is not subject to HIPAA compliance, it’s still subject to other data privacy laws at both the state and federal levels. For example, in California, the California Consumer Privacy Act (CCPA) establishes security standards businesses must meet to be compliant and protect the data of customers.

No matter if your dispensary is for recreational or medical purposes (or both), you should take data protection seriously and ensure you have the security controls in place to protect the information you collect from consumers.

2. It’s Becoming a Bigger Liability for Cyber Insurance

Cybersecurity insurance is becoming more and more important for businesses of all sizes to help mitigate the financial costs of a cyber attack. But maintaining cybersecurity insurance doesn’t mean you don’t need to build a cybersecurity infrastructure, especially when your business operates in a high-target industry like cannabis, which has roots in the medical field.

Premiums for cyber liability insurance are high, especially since 2020 and the rapid increase in cyberattacks. Rising attacks, a vulnerable industry, and valuable data are the perfect storm for even higher premiums and outright refusals of coverage.

To ensure you’re able to get the insurance you need, your business must be able to show that it has the cybersecurity tools and best practices in place to protect itself.

Insurance providers are looking for things like:

  • Frequent cybersecurity training for employees

  • Advanced antivirus programs in place that are consistently updated

  • Modern firewalls

  • Automated patch management

  • Identity and access management controls

  • Endpoint protection to keep devices from becoming vulnerabilities for your network

  • Regular data backups

3. Cannabis Companies Have Become Big Targets for Cybercriminals

The cannabis market is growing rapidly and each year more states are making recreational use legal, which accelerates that growth even more. Cybercriminals know this. They know that these businesses are growing fast and that most are collecting data from their customers, but they also know that too many cannabusinesses are forgetting to secure that data.

This has made cannabis industry businesses a high-value target for cybercriminals, and three main factors are driving this trend:

  1. The cannabis industry is relatively new and many businesses within the space are in a startup phase where security is not their main concern. New businesses are prime targets for cybercriminals for this very reason: attackers expect to encounter significantly fewer defensive measures.

  2. Cannabis businesses collect valuable consumer information like names, addresses, financial information, credit cards, and more that cybercriminals can steal to sell or hold for ransom.

  3. Most cannabis businesses are still small, which means they often lack the IT or security teams needed to implement strong cybersecurity measures and best practices.

4. Cannabusinesses Need a Strong Security Partner

A lot goes into protecting your business’ and customers’ data from advanced attacks. You need the technology infrastructure in place to support your security tools, consistent employee training, frequent updates, and all the security controls needed to qualify for cybersecurity insurance and HIPAA compliance (plus all the other data security regulations out there).

How can a small or mid-sized business do it all?

The answer is: you probably can’t. Unless you have a large IT or dedicated security team, you probably don’t have the time, money, or expertise to acquire everything you need to stay protected and meet compliance requirements.

The question then becomes who you can team up with to get everything you need. Partnering with a managed cybersecurity services provider (MSSP) can give businesses of all sizes access to the team, technology, tools, and training they need to stay secure now and in the future.

To get started, try becoming more educated on what you need to begin building your security foundation. Download DOT Security’s checklist, How Covered is Your Business?, to see exactly what goes into a strong security posture and what your business needs to stay secure.