In January, Allscripts clients were locked out of their cloud-based EHRs for days when the security operations center was crippled by a ransomware variant known as SamSam — a favorite among hackers targeting healthcare organizations.
To gain a better understanding of the cyberattack's impact on the EHR vendor, CSO Online spoke with Allscripts about its incident response plan and the lessons it learned throughout the ordeal.
Here are 12 takeaways.
1. Hackers launched SamSam ransomware on Allscripts Jan. 18, 2018, and most customers reported they were offline or dealt with access problems for an entire week. Nearly 1,500 medical practices were affected by the incident.
2. Allscripts' Professional EHR and Electronic Prescriptions for Controlled Substances services were the hardest hit. Many customers could access the cloud but not the database.
3. In public comments Allscripts explained services in some regions were restored, although many clients in those areas said they didn't have access. When asked about the conflicting public statements and its clients' reports, the company said: "Allscripts serves a wide range of clients in a variety of individual circumstances. Accordingly, they experienced different effects as a result of this incident. There were a range of circumstances involved with getting particular systems back online and we addressed each of them as quickly as possible."
4. Allscripts began its response by first detecting and identifying the issue. The EHR vendor then started severing connections with their affected data centers — those in Raleigh, N.C., and Charlotte, N.C. — to contain the attack. The company had to call in help from Cisco, Mandiant and Microsoft.
5. In a statement provided to CSO Online, Allscripts said hundreds of personnel worked to resolve the attack. It added that the first 24 hours were an "intense swirl of many technical, business and other practical challenges."
6. Allscripts said it prepared employees for various incidents, but its not clear whether ransomware attacks were a part of their trainings.
7. When CSO Online asked Allscripts how it prepared for a ransomware attack, the company said: "Keep in mind that there were no antivirus signatures available for this SamSam variant at the time it struck Allscripts. This was an entirely new, zero-day variant of SamSam ransomware that had never been identified previously by Cisco, Microsoft or the FBI. We were able to contain it within minutes, and then begin the intense work of restoring those client services that were affected."
8. Threat intelligence experts told CSO Online the best way to defend against SamSam is to understand signatures because endpoint defenses are not enough. Instead, a combination of endpoint defenses, patch management, limiting system functionality and limiting user permissions should be applied.
9. After the vendor identified and contained the threat, Allscripts had to clean and restore its systems before testing them and bringing them back online. Before Allscripts did this, the company had to ensure it knew how the attack happened and needed to implement extra security layers to prevent similar incidents.
10. While the EHR vendor updated its customers daily — sometimes more — Allscripts CEO Paul Black, in a Jan. 26 letter to customers, explained plans to replicate its Pro EHR across multiple data centers, as well as refreshing the technology "to shorten our recovery time in the event of any future disruption." However, Allscripts told CSO Online it didn't use its replication services to aid in the restoration process.
11. The No. 1 issue with Allscripts' response was communication, according to CSO Online. Updates from support representatives didn't always line up with reports from customers, who grew frustrated with Allscripts. However, the company was being truthful: its services were live, but clients' access was still thwarted.
12. Overall, Allscripts was able to restore its services within 24 hours, even if customers were down or experienced issues for at least six days.
Click here to read the complete CSO Online article.