Billion-dollar electronic health record (EHR) company Allscripts has fallen victim to a ransomware attack, which began on Thursday, January 18 around 2:00 a.m. EST. By 6:00 a.m. EST the attack was full-blown, and Microsoft's and Cisco's incident response teams were called in for assistance. An article on CSO explores the attack, from which recovery efforts are still under way.
A new variant of SamSam ransomware, the family responsible for several other attacks against medical providers, is to blame for the attack on Allscripts. The Microsoft and Cisco teams, as well as the FBI, confirmed that the variant affecting Allscripts was in fact new and unrelated to the previous version of SamSam.
Allscripts, headquartered in Chicago, IL, announced that it is still working to recover from the ransomware incident that infected its data centers in Raleigh and Charlotte, NC on Thursday, leaving several applications offline.
Jeremy Maxwell, director of information security at Allscripts, explained on a customer conference call on Saturday that while multiple services had availability issues, the PRO EHR and Electronic Prescriptions for Controlled Substances (EPCS) services were hit the hardest by the ransomware.
As of Saturday, EPCS services had been restored to customers; however, PRO EHR remained offline.
Robyn Eckerling, Chief Privacy and Security Counsel at Allscripts, advised providers on Sunday to prepare for outages through Monday as the company continues working to restore data via backups and other access methods.
Allscripts does not believe they were a direct target, indicating on Saturday that it appears to have been commodity malware. The company also said on Sunday that Mandiant was involved in the investigation of how the infection started.
Fortunately, the backup systems were not infected by the ransomware, allowing Allscripts to restore systems from backup one by one. Full backups of Allscripts data are made weekly on Fridays, with incremental backups made nightly at 10:00 p.m. EST, so the expected data loss from the incident is minimal, if any at all.
Allscripts states that its client base includes 180,000 physicians across nearly 45,000 ambulatory facilities, 2,500 hospitals and 17,000 post-acute organizations.
Potential HIPAA Breach
It is not clear at this time whether this will be a HIPAA-reportable breach, or who (clients or Allscripts) would have to report it to HHS/OCR. Clients should be in contact with Allscripts regarding this issue.
This attack again highlights that no one is immune from cybersecurity issues and HIPAA breaches, and underscores the importance of an active HIPAA compliance program. The aspects of a HIPAA compliance program touched by this incident would at least include employee security training, ransomware recognition, security incident reporting and disaster recovery plans. All HIPAA-covered organizations are encouraged to ask the question: what would I have done if this happened to me?