Allscripts ransomware attack still not completely resolved
Ambulatory electronic health records vendor Allscripts is still attempting to recover from the ransomware attack it suffered on January 18 that affected two of its data centers housing a subset of its products, the company said Monday evening.
“The ransomware has since been identified as a new variant of the SamSam malware,” a statement from the company indicated. “Of the roughly 1,500 clients impacted, none were hospitals or large independent physician practices, and services to many already have been restored.”
“Importantly, there is no evidence that any data was removed from our systems,” the company said. “We continue to work unceasingly to restore all services to our clients who are still experiencing outages.”
In communications with its customers on Friday, Allscripts said it was attempting to “restore both the directly affected services—hosted Pro EHR and hosted EPCS—and the other unaffected services that we proactively shut down to protect clients and client data.”
Conference calls over the weekend by the company indicated that service outages were continuing, and that the outage was expected to continue into Monday. The vendor’s marketing materials suggest it provides services to 45,000 physician practices with 180,000 doctors, 2,500 hospitals and 19,000 post-acute care providers.
The attack has prompted concerns from providers using cloud-based IT services from vendors about the potential vulnerability of such systems to cyberattack and service outages. Vendor preparedness is typically difficult for customers to determine, and “security safeguards are kept confidential, so there’s little transparency on the issue,” says Steve Phillips, a health law attorney and partner in the Hooper, Lundy & Bookman law firm in San Francisco.
Phillips contends that providers need to be vigilant about including contractual provisions about security protections and service interruptions when they’re buying EHRs.
“Most vendors try to sharply limit their liability through qualitative limitations on liability, limited representations and warranties, limited indemnity terms and other contractual provisions,” he contends. “Providers should not accept limits on liability stemming from violations of HIPAA or from privacy breaches; they should demand a broad indemnity from third-party claims stemming from HIPAA violations and breaches, and vendors should be required to carry adequate cyber-liability insurance.”
Asked what recourse providers have to re-write security clauses in their EHR contracts, Phillips was blunt. “None. That’s why it is imperative that security provisions be negotiated and written into the purchase agreement.”