Allscripts Ransomware Attack a Reminder of Cloud Risks
Points to Need for Clients to Have Business Continuity Plan
A ransomware attack on electronic health records vendor Allscripts late last week is a reminder of the potential disruption to patient care delivery healthcare entities can face if a cloud-services provider suffers a cyberattack. It also points to the need for business continuity planning.
In a Friday statement, Allscripts said a ransomware incident impacted "a limited number" of applications and that the company was working to restore these systems, "and most importantly, to ensure our clients' data is protected. Although our investigation is ongoing, there is currently no evidence that any data has been removed from our systems. We regret any inconvenience caused by this temporary outage."
As of Monday, some services appeared to be back in operation, but not all.
Allscripts in a conference call for customers on Saturday said its Professional EHR and Electronic Prescriptions for Controlled Substances cloud-based services were the hardest hit by the ransomware attack, according to news site CSO Online. Other services, such as direct messaging, had availability issues as well, but those had been restored more quickly, according to that report.
In a Monday statement provided to Information Security Media Group, Allscripts says that early Thursday morning, the company discovered a ransomware attack had affected two of its data centers, which house a small subset of its products.
"The ransomware has since been identified as a new variant of the SamSam malware. Of the roughly 1,500 clients impacted, none were hospitals or large independent physician practices, and services to many already have been restored," the company says. "In addition, we immediately notified the FBI and have been providing information to assist with their investigation. Importantly, there is no evidence that any data was removed from our systems. We continue to work unceasingly to restore all services to our clients who are still experiencing outages."
A Friday statement by the NY American College of Emergency Physicians says that New York's Department of Health was aware of a cyber incident involving Allscripts that disrupted the company's e-prescribing application for controlled substances.
"This may have an impact on the ability for hospitals, clinics, nursing homes, individual prescribers and pharmacies to transmit and receive prescriptions electronically. It is permissible for those impacted to use paper official prescriptions in accordance with New York State regulations," the DOH statement says.
Only Some Services Restored
Some healthcare entities that had their access to certain Allscripts services disrupted said those services had been restored.
For example, in a statement provided Monday to ISMG, New York-based Northwell Health says the healthcare system "disconnected from Allscripts data centers strictly as a precautionary measure" after Allscripts notified the organization on Thursday that the vendor was impacted by a ransomware attack.
"Northwell moved quickly to avoid the potential for complications and Allscripts does not believe any data from its system was removed," Northwell says in the statement. "The electronic prescribing of controlled substances was the only electronic medical record that was unavailable to providers at Northwell Health's facilities - we have 23 hospitals and about 660 ambulatory locations. Northwell systems are secure and were never at risk. Northwell resumed normal operations over the weekend" using Allscripts' services, Northwell says.
Meanwhile, a spokeswoman at Clark Memorial Hospital in Jeffersonville, Ind., says the Allscripts outage had minimal impact late last week, and the disruption has been resolved.
That disruption included some patient education material not being accessible and the hospital being unable to send out test result feeds to primary care doctors. "The outage was at the end of last week, so thankfully, there wasn't a lot of disruption" since many doctors' offices are closed during the weekend anyway, she says.
But other organizations complained on Twitter late last week, and were quoted in other news reports, that they had lost access to their cloud-based electronic health records systems and had to revert to paper records. And it remained unclear Monday how many of the affected entities had service completely restored.
#allscripts is providing doctors with insufficient, conflicting information regarding the massive #Ransomeware attack they suffered. 3 days into this. No information regarding #breach notification or #HIPAA. #unacceptable Please get your act together @Allscripts
— Mitchell Rubinstein (@rubinsteindds) January 21, 2018
Allscripts has not yet revealed how many of its cloud-based EHR customers had been affected. According to the company's website, Allscripts' services are used by 45,000 physician practices, 180,000 physicians, 2,500 hospitals and 40,000 in-home clinicians.
Plan for Worst
Healthcare organizations relying on cloud-based services need to be ready for potential ransomware and other cyber-related outages that impact patient care and other business operations, says Tom Walsh, president of consulting firm tw-Security.
"Healthcare entities need to take a closer look at their disaster recovery and business continuity plans to make sure the plans address what to do if the cloud services are unavailable," he says. "The lack of well-written disaster recovery and business continuity plans have been and still are a common finding in healthcare. These plans are supposed to be designed around the worst-case scenario, but seldom are."
Some cloud-based services providers also have worst-case scenario planning in mind for customers that could be impacted by ransomware attacks on the vendors, Walsh notes.
"Some EHR vendors offer a downtime or disaster recovery service offering in the form of a copy of the database of current inpatient population to a local workstation or server," he says. "While a full-functioning EHR may not be available, there is at least enough information available at a local level to provide patient care. But plans are only effective if they are periodically tested using a different scenario each time they are tested and revised as a result of the test."
Healthcare providers that rely on cloud-based services providers are often at the mercy of these vendors, because their "eggs are all in one basket," Walsh adds.
"Don't forget the basic concepts of business continuity and disaster recovery," he stresses. "Plan for the worst case. Develop strategies. Test plans. Revise plans and recovery strategies as needed. Disaster recovery and business continuity plans need to be reviewed frequently and not something that is written in order to check a compliance box."
Mac McMillan, CEO of security consulting firm CynergisTek, says healthcare organizations must "treat cloud vendors, or for that matter any third party you are relying on for critical services, the same way you treat those services/systems in your own environment, meaning have a practical strategy for incident response, continuity of operations and recovery. Make sure you are comfortable with your vendors' plans for events."
Despite the threat of their cloud services providers suffering attacks, healthcare entities can often improve security by using such services, McMillan contends.
"One of the positives of using a cloud vendor is that often they can recover much quicker than the average healthcare entity so using them can still be a net positive," he says. "For instance, a lot of cloud vendors are running VM environments and multiple SANs for storage/back up. This makes recovery much easier as they can quickly blow away the infected machines, stand up new ones and pull the data needed, test it and everyone is back up and running. Ransomware can happen to anyone."
In another recent security incident involving a cloud-based service in healthcare, medical transcription services provider Nuance was seriously impacted by the NotPetya malware attack last summer. As a result of the attack impacting services to clients, the Waltham, Massachusetts-based company issued a financial statement warning Wall Street analysts that its fiscal 2017 third and fourth quarter revenue and earnings results would be negatively impacted by the June 27 ransomware attack.