Allscripts recovering from ransomware attack that has kept key tools offline

Jan. 22, 2018

Allscripts, the electronic health record (EHR) company headquartered in Chicago, IL, said it was still working to recover from a ransomware attack that left several applications offline after data centers in Raleigh and Charlotte, NC, were infected on Jan. 18.

In a conference call for customers on Jan. 21, Allscripts’ Jeremy Maxwell, director of information security, said their PRO EHR and Electronic Prescriptions for Controlled Substances (EPCS) services were the hardest hit by the ransomware attack.

Other services, such as direct messaging and some CCDA functionality, had availability issues as well, but those have since been restored.

EPCS has also been restored (as of Jan. 20), and the company is working on getting PRO EHR back online.

Allscripts also told providers to prepare for outages to continue through Jan. 22 as the company recovers. The recovery is focused on getting data restored via backups and alternative access methods.

“We are working around the clock to get everybody up and running by [Monday morning]. However, in terms of planning—in an abundance of caution—it would be advisable to plan for a continued outage through Monday,” said Robyn Eckerling, Chief Privacy and Security Counsel at Allscripts.

The ransomware attack started on Thursday, Jan. 18 at around 02:00 a.m. EST, and by 06:00 a.m. EST it was a full-blown ransomware incident, which required that incident response teams from Microsoft and Cisco be called in to assist.

Backup systems were not impacted by the ransomware, thus enabling Allscripts to restore systems one-by-one from backup. Full backups are made on Friday, and incremental backups are done nightly at 10:00 p.m. EST. So as the systems are restored, the expectation is that there will be minimal—if any—data loss.

The variant of SamSam that infected Allscripts was new and unrelated to the version of SamSam that infected systems at Hancock Health Hospital in Greenfield, Indiana and Adams Memorial Hospital in Decatur, Indiana. This was confirmed by the Microsoft and Cisco teams, as well as the FBI.

Allscripts said that by all appearances this was commodity malware and that the company wasn’t directly targeted.

CSO has the full article
