Updating a report from Friday, Jan. 19, the Chicago-based Allscripts, one of the most prevalent EHR (electronic health record) vendors in the world, is still working to restore some of its IT systems following a ransomware attack last week.
As conveyed on Friday, Allscripts acknowledged that it has been investigating a ransomware incident that impacted a “limited number of its applications” hosted at the company’s data centers in Raleigh and Charlotte, North Carolina.
According to a report this weekend from security news site CSO Online, Allscripts’ director of information security said in a conference call that the company’s Professional EHR platform and its e-prescribing systems were hit the hardest by the attack, but they weren’t the only services that were impacted. The report stated that the vendor’s “direct messaging and some CCDA [Consolidated Clinical Document Architecture] functionality” had availability issues as well, but have since been restored. The conference call, which took place on Saturday, also revealed that Allscripts’ e-prescribing services had been restored while IT folks were working to get the Pro EHR platform back up.
Nonetheless, outages are expected to continue throughout the day on Monday, while the company’s recovery strategy “is focused on getting data restored via backups and alternative access methods,” according to the report.
The ransomware attack, which struck in the very early morning on Jan. 18, required that incident response teams from Microsoft and Cisco be called in to help. Backup systems were not affected by the incident, according to Allscripts, which said that minimal, if any, data loss is to be expected as the systems get back online.
Interestingly, the type of ransomware used in the attack—SamSam ransomware—was the same one used in an attack on Hancock Health, a health system based in Greenfield, Indiana, earlier this month. As Healthcare Informatics reported at the time of that incident, health system officials shut down the entire Hancock Health network and eventually paid the hacker a bitcoin ransom in the amount of $55,000.
The SamSam ransomware was also used in the infamous attack on the 10-hospital, Columbia, Md.-based MedStar Health integrated health system in March 2016. In fact, a report in Bleeping Computer noted that other reported attacks that involved the use of the SamSam virus include: Adams Memorial Hospital in Decatur, Indiana; the municipality of Farmington, New Mexico; and an unnamed ICS (Industrial Control Systems) company in the U.S.
According to an April 2016 blog from Mountain View, Calif.-based security vendor Symantec, “Samsam, unlike more conventional ransomware, is not delivered through drive-by-downloads or emails. Instead, the attackers behind Samsam use tools such as Jexboss to identify unpatched servers running Red Hat’s JBoss enterprise products. Once the attackers have successfully gained entry into one of these servers by exploiting vulnerabilities in JBoss, they use other freely available tools and scripts to collect credentials and gather information on networked computers. Then they deploy their ransomware to encrypt files on these systems before demanding a ransom.”
However, CSO Online’s report stated that Allscripts said that the ransomware appeared to be a “commodity malware and that the company wasn’t directly targeted.”
Allscripts’ systems are said to serve some 180,000 physicians and 2,500 hospitals. It is unclear if the company paid any ransom.
