Allscripts still working to resolve ransomware attack
Electronic health records vendor Allscripts was hit by a ransomware attack last week, affecting its cloud-hosted EHR among other systems, with hospitals and physician group practices across the country reporting interruptions in service.
A variety of providers are expressing anger and concern on social media, noting that interruptions in service continued through the weekend and that they have not been able to access patient information in the Allscripts cloud.
When reached for comment, the company did not disclose the number of healthcare organizations affected by the systems outage or specifically which of its cloud-based applications or systems were hit the hardest. The vendor’s marketing materials suggest it provides services to 45,000 physician practices with 180,000 doctors, 2,500 hospitals and 19,000 post-acute care providers.
Allscripts operates data centers in Raleigh and Charlotte, N.C.
In a message emailed to customers on Friday, the company acknowledged that it had been hit by a variant of the SamSam malware. “We are in the process of cleaning impacted systems and services to ensure they will be operational once we are able to bring the services back online,” said the message. “Work continues to restore both the directly affected services—hosted Pro EHR and hosted EPCS—and the other unaffected services that we proactively shut down to protect clients and client data…There is still no evidence that any client data has been removed from our systems.”
Northwell Health, a 22-hospital delivery system in New York, is one organization that was affected by the Allscripts breach, although a company spokesperson contends the impact on the organization was minimal.
“When we learned of the attack, we disconnected from data centers as a precautionary measure,” the spokesperson says. “We lost e-prescribing for controlled substances, but other systems were secure and never at risk. This really didn’t impact us—we just unplugged from Allscripts to ensure no transfer of data. Our systems remained operational.”
In messages to its 2,300 members via social media, the New York American College of Emergency Physicians noted that it received an update from the state’s Department of Health that “a cyber incident regarding AllScripts has occurred” affecting “the ability for hospitals, clinics, nursing homes, individual prescribers and pharmacies to transmit and receive prescription electronically.” Prescribers in the states using Allscripts services for placing drug orders were allowed to use “paper official prescriptions” until services are restored, the group reported.
In a published statement, Allscripts acknowledged the attack has affected clients’ services, but offered few specifics.
“We are investigating a ransomware incident that has impacted a limited number of our applications,” the Allscripts statement noted. “We are working diligently to restore these systems, and most importantly, to ensure our clients’ data is protected.”
Further, Allscripts believes that no data had been accessed or deleted in the ransomware attack.
“Although our investigation is ongoing, there is currently no evidence that any data has been removed from our systems,” the company noted. “We regret any inconvenience caused by this temporary outage.”
Conference calls over the weekend by the company indicated that service outages were continuing, and that the outage was expected to continue into Monday.
Posts from providers on Twitter on Sunday noted that they were not able to access patient information from Allscripts.
Yvette Crabtree, MD, an internal medicine physician with Sunflower Medical Group in Mission, Kan., reported in a Twitter post Friday that “the attack on Allscripts has taken down our e-prescribing, EPCS and some other services.”
Industry reports of outages notwithstanding, Allscripts clients should be aware the company is being more upfront about the attack than many other vendors are, says Allen Briskin, a senior counsel at the Pillsbury, Winthrop Shaw Pittman law firm in Los Angeles.
Oftentimes, an organization has a ransomware attack that is never reported, Briskin explains. For example, a hacker will access an information system and find a flaw, contact the organization and explain the flaw and ask for a payment. The payment is made, no one talks, clients never know, and the incident isn’t reported to the HHS Office for Civil Rights.
“The line between an ethical hacker and a non-ethical hacker is very blurry,” Briskin says. “Either by choice or not, Allscripts is managing this incident publicly and many others don’t do that. This is the world we are living in now—it is inevitable, it will happen.”