Allscripts recovering from ransomware attack that has kept key tools offline

New variant of SamSam - a ransomware family linked to several attacks against medical providers - is behind the Allscripts outage


Allscripts, the billion-dollar electronic health record (EHR) company headquartered in Chicago, IL, said it was still working to recover from a ransomware attack that left several applications offline after its data centers in Raleigh and Charlotte, NC were infected on Thursday.

In a conference call for customers on Saturday, which Salted Hash listened in on, Allscripts’ Jeremy Maxwell, director of information security, said the company’s PRO EHR and Electronic Prescriptions for Controlled Substances (EPCS) services were the hardest hit by the ransomware attack.

Other services, such as direct messaging and some CCDA functionality, had availability issues as well, but those have since been restored.

EPCS has also been restored (as of Saturday), and the company is working on bringing PRO EHR back online.

However, in a call on Sunday, Allscripts told providers to prepare for outages to continue through Monday as the company recovers. The recovery effort is focused on restoring data from backups and on providing alternative access methods in the meantime.

“We are working around the clock to get everybody up and running by [Monday morning]. However, in terms of planning – in an abundance of caution – it would be advisable to plan for a continued outage through Monday,” said Robyn Eckerling, Chief Privacy and Security Counsel at Allscripts.

The ransomware attack started on Thursday, January 18, at around 2:00 a.m. EST, and by 6:00 a.m. EST it was a full-blown ransomware incident, one that required incident response teams from Microsoft and Cisco to be called in to assist.

On Sunday, Allscripts said that Mandiant was also involved in the investigation as they work through how the infection started.

Backup systems were not impacted by the ransomware, enabling Allscripts to restore systems one by one from backup. Full backups are made on Friday, and incremental backups are taken nightly at 10:00 p.m. EST. So as the systems are restored, the expectation is that there will be minimal – if any – data loss.
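The reason a weekly-full, nightly-incremental schedule bounds the loss is that the restore chain is the last full backup taken before the compromise plus every incremental after it, and anything the ransomware wrote after the final trusted incremental is gone. The following is an added example, not Allscripts' own tooling: it models the schedule described on the call (full on Friday, incrementals at 22:00 Eastern; the assumption that the Friday full also runs at 22:00 is mine) and picks the restore chain for a given compromise time. The practitioner's caveat it encodes is that any backup taken at or after the compromise is untrusted, because it may already contain encrypted files or the attacker's own changes, so the cutoff should be the earliest known attacker activity, not the moment encryption was noticed.

```python
from datetime import datetime, timedelta

# Constructed backup policy matching what Allscripts described on the call:
# weekly full backups on Friday and nightly incrementals at 22:00 Eastern.
# Times are naive datetimes treated as US Eastern. The Friday full running at
# 22:00 (in place of that night's incremental) is an assumption for the model.
FULL_WEEKDAY = 4        # Monday=0 ... Friday=4
BACKUP_HOUR = 22        # 10:00 p.m.


def backup_points(start, end):
    """Yield (timestamp, kind) for every scheduled backup in [start, end]."""
    point = start.replace(hour=BACKUP_HOUR, minute=0, second=0, microsecond=0)
    if point < start:
        point += timedelta(days=1)
    while point <= end:
        kind = "full" if point.weekday() == FULL_WEEKDAY else "incremental"
        yield point, kind
        point += timedelta(days=1)


def restore_chain(compromise_iso, lookback_days=14):
    """Select the restore chain for a compromise at compromise_iso (ISO 8601).

    Returns the trusted full backup, the incrementals to replay on top of it,
    and the data-loss window in hours (compromise time minus the last trusted
    backup). compromise_iso should be the earliest known attacker activity:
    every backup at or after it is excluded, since it may already capture
    encrypted files or changes the intruder made while staging the attack.
    """
    compromise = datetime.fromisoformat(compromise_iso)
    window_start = compromise - timedelta(days=lookback_days)
    trusted = [p for p in backup_points(window_start, compromise)
               if p[0] < compromise]

    fulls = [p for p in trusted if p[1] == "full"]
    if not fulls:
        raise RuntimeError("no trusted full backup within the lookback window")
    last_full = fulls[-1]
    incrementals = [p for p in trusted if p[0] > last_full[0]]

    last_point = incrementals[-1][0] if incrementals else last_full[0]
    loss_hours = (compromise - last_point).total_seconds() / 3600

    fmt = lambda ts: ts.isoformat(timespec="minutes")
    return {
        "full": fmt(last_full[0]),
        "incrementals": [fmt(ts) for ts, _ in incrementals],
        "data_loss_hours": loss_hours,
    }


if __name__ == "__main__":
    # Thursday, January 18, 2018 at 02:00 Eastern, the start time given on the call.
    plan = restore_chain("2018-01-18T02:00")
    print("restore full:", plan["full"])
    for inc in plan["incrementals"]:
        print("  replay incremental:", inc)
    print("maximum data loss: %.1f hours" % plan["data_loss_hours"])
```

For the January 18 02:00 start time the chain is the Friday January 12 full plus the five incrementals from January 13 through 17, and the exposure is the four hours between the last incremental and the infection. If the investigation later shows the intruder was active earlier, rerun with that earlier timestamp and the chain shortens accordingly; the function refuses to answer rather than silently pick an untrusted full when none exists inside the lookback window.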

The SamSam variant that infected Allscripts was a new one, unrelated to the version that infected systems at Hancock Health Hospital in Greenfield, Indiana and Adams Memorial Hospital in Decatur, Indiana. This was confirmed by the Microsoft and Cisco teams, as well as the FBI.

In a call on Saturday, Allscripts said that by all appearances this was commodity malware and that the company was not directly targeted.

Earlier this month, Hancock Health paid 4 BTC ($55,000 USD) to recover their systems after critical files were encrypted by SamSam. The decision to pay was weighed against manual restoration from backup.

While the hospital could have used backups to recover, the process could have taken days, maybe weeks, and the cost of recovery was more than the ransom demand. In this light, it was a business decision to pay.

“These folks have an interesting business model,” Hancock Health CEO Steve Long told the Greenfield Daily Reporter. “They make it just easy enough (to pay), they price it right.”

According to Allscripts, their client base includes 180,000 physicians across nearly 45,000 ambulatory facilities, 2,500 hospitals and 17,000 post-acute organizations.

Update 23-JAN-2018:

An Allscripts customer shared the following notice from the company:

"Allscripts PM and Professional EHR systems in the East, Central, Mountain, and Pacific regions have been brought back online. We are currently working to restore permissions for all users. Once permissions are restored, users will have access to their core applications. We are continuing to work on restoration of interfaces."

In a conference call on Tuesday, Allscripts confirmed the notice and added further details.

"Our base functionality is online, but some active users are still unable to complete login," said Robyn Eckerling, Chief Privacy and Security Counsel at Allscripts.

"As part of our security procedures we locked down the systems and removed login access. We are in the process of systematically re-establishing logins. This access is being re-established as we are on this very call, so it is happening right now."

Many users are able to access data through the Pro Mobile service. Access to Pro Mobile has been opened up to everyone, but it requires an Apple device to function.

For those who would like to hear the recordings of the Allscripts update calls, they are available below by date:
