Fallout from Allscripts attack shows necessity of provider vigilance
The ransomware attack against Allscripts sent new shock waves through a healthcare ecosystem that is experiencing a steady increase in cyber attacks, with one of the nation’s largest electronic health records system vendors still struggling to bring providers back online nearly a week after the initial incident.
As of Tuesday evening, the company was still working to clear its systems of malware. Its problems began on January 18 when a variant of the SamSam malware affected two of its data centers housing a subset of its products.
Of the roughly 1,500 clients impacted, none were hospitals or large independent physician practices, and services to many already have been restored, Allscripts said in a notice to customers issued Monday evening. On Friday, Allscripts said it was attempting to “restore both the directly affected services—hosted Pro EHR and hosted EPCS—and the other unaffected services that we proactively shut down to protect clients and client data.”
The incident “highlights that we are all in a constant battle—vendors, providers and payers,” says Adam Greene, a senior health IT and privacy specialist at the Davis Wright Tremaine law firm in Washington, D.C.
The industry, Greene believes, should not judge Allscripts because of what went wrong. Any organization can work on defense in depth, and train users and staff in identifying cyber attack gambits, and it all can be negated if only one person falls victim to a phishing attack.
That’s why Green preaches use of two-factor authentication, which requires IT users to provide at least one more proof of identity beyond a username and password to access a system. The technology is expensive but is another barrier in place that is generally effective in blunting threats.
“Look at risks and reasonable ways to have redundancy,” he advises. “Have a good backup policy, test it and don’t just keep it on the shelf. A massive ransomware attack is not the way to test your disaster recovery plan.”
Now also is the time for providers to set a plan for improved vendor management, according to Green. They should get an independent assessment of a vendor and the scope of its systems. “You also need cybersecurity insurance and have a contingency plan for any type of vendor being unavailable,” he advises.
Cloud-based hosting of information system have become common and so far, cloud hosting has instilled confidence that an application, system or data will be readily available as long as a user can obtain an Internet connection, as cloud vendors often promise availability of 99.99 percent, says Tom Walsh, founder and managing partner at the consulting firm tw-Security.
Allscripts’ attack occurred in a cloud environment, and it happens more often than realized. Walsh gives three examples of big and reliable cloud providers who had unplanned downtime in 2017. Google Docs had a widespread outage in North America in November; Nuance Communication’s dictation systems went down in the Petya cyberattack in June; and Amazon Web Services had an outage in the eastern United States last February.
“Organizations relying on cloud service providers, especially for their electronic health record, need to conduct a closer examination of their business continuity and disaster recovery plans,” Walsh asserts. “The plans need to address what to do if the cloud services are unavailable.”
For example, there may be a snapshot or a copy of the EHR database on a local workstation or server. “The copy or snapshot is not the same as a fully functional EHR, but it’s better than trying to treat patients with no information at all.”
Walsh warns that the examples of three reliable cloud providers having downtime last year should be a wake-up call that more hosting vendors will become targets for cyberattacks and ransomware.
Attacks seem to have shifted from end user to a business or company, and now to large cloud service providers, Walsh believes.
Leigh-Anne Galloway, cybersecurity resilience lead at security firm Positive Technologies, noted that Allscripts was hit by the SamSam malware and likely wasn’t a specific target of the ransomware, but victim of an opportunistic attack.
“The attack may have been prevented by having proper patch management, automatic updates and limiting user privileges,” Galloway says. “Unfortunately, many healthcare organizations have very limited security budgets, which can lead to lax security measures, making them easier targets for cyberattack.”
Every healthcare organization needs to vet third-party vendors, according to Galloway. “This includes carrying out audits of their security controls. Patient information is extremely sensitive and should never be exposed to risks like this. But the reality is that in a lot of companies security is driven by compliance first, which is not a best practice and will almost always result in subpar security.”