Allscripts, the largest physician practice Electronic Health Record (EHR) vendor, was attacked by the SamSam ransomware. As of Friday, January 26, 2018, physicians using Allscripts flagship EHR service, PRO EHR, from their Charlotte, NC and Raleigh, NC data centers have been unable to access the system for a full week. Allscripts claims that the ransomware was removed, however many customers are still unable to access the system.
Ransomware is a type of malware (malicious software) that encrypts affected computer files hostage until a ransom is paid.
This new SamSam ransomware attack is a historic moment because it is one of the first attacks to successfully cripple a major cloud vendor. According to Allscripts, Allscripts’ clients consist of “180,000 physicians across approximately 45,000 ambulatory facilities, 2,500 hospitals and 17,000 post-acute organizations.” The assumption that an attack against a major cloud vendor would never succeed can finally be put to bed.
One Eagle Consulting Partners client who used both PRO EHR and Prosuite PM, stated that they “have been ‘dead in the water’ and able to do nothing (i.e. scheduling, looking at test results, medical record requests, etc.)”. The practice is using paper forms and writing everything that they can. The practice doctors must perform medical assessments and treatment plans from January 18 forward from memory.
While many practices can treat patients who remember to show up, billing and scheduling are completely disabled. Practices don’t know their schedule (which is kept online) and are unable to schedule appointments. Each day of downtime is progressively more costly since the doctors’ schedules aren’t full since scheduling is down. Billing is completely disabled which affects cash flow.
Here is what you can do to protect yourself against downtime of a cloud EHR vendor:
- Have a backup internet connection. This protects against downtime caused by internet service provided outages.
- Shift the risk. In contract negotiations with cloud vendors, ensure that the vendor accepts liability for any required breach notification and provides a service-level agreement.
- If the cloud vendor offers a backup site, ensure that staff know how to access it.
- Have a well-thought-out emergency procedure for downtime. Keep a hard copy of the outpatient schedule so that appointments can be made during downtime and maintain paper templates to document encounters.
- Conduct periodic downtime drills so staff stay sharp and know what to do when an incident happens.
- Review and update insurance policies to ensure that cyber-liability and business interruption costs are covered.