Issue link: https://beckershealthcare.uberflip.com/i/949902
72 CIO / HEALTH IT Allscripts Faces Class-Action Lawsuit After SamSam Attack By Julie Spitzer A llscripts clients had a tough time op- erating for nearly a week aer the EHR vendor was hit with ransomware mid-January, and now one of those users is seeking damages for itself and others, accord- ing to court documents. Surfside Non-Surgical Orthopedics in Boynton Beach, Fla., filed a class-action lawsuit against the Chicago-based EHR company Jan. 25. ey claim Allscripts failed "to secure its sys- tems and data from cyberattacks, including ransomware attacks," the complaint reads. e lawsuit further alleges Allscripts' EHR and elec- tronic prescription system outages resulted in canceled appointments, "significant business interruption and disruption, and lost revenues." Becker's Hospital Review reached out to Allscripts, but company spokesperson Concet- ta Rasiarmos declined to comment because the company does not discuss pending litigation. A variant of SamSam ransomware infiltrat- ed Allscripts' data centers in Raleigh and Char- lotte, N.C., in the early morning hours of Jan. 18. e company said only a limited number of applications had been affected, but later ex- plained nearly 1,500 clients were without the EHR for hours or even days. One week aer the attack, some were still unable to access electronic patient data. Ms. Rasiarmos also did not address questions seeking additional details on the company's ransomware recovery efforts. e suit seeks class-action status for all Allscripts customers who were affected by downtime following the attack. e plaintiffs are pursuing damages related to lost revenue and disruption of business. ey are also re- questing injunctive relief to ensure Allscripts prevents these types of attacks from happen- ing again. Becker's Hospital Review reached out to Mor- gan & Morgan Complex Litigation Group, which helped file the suit on behalf of Surfside, for comment. Becker's did not recieve addtion- al information. n HIMSS: All Your SamSam Questions Answered – 7 Things to Know By Julie Spitzer S amSam, a ransomware variant used extensively in attacks on healthcare providers, recently resurfaced in a slightly different form, taking down systems at hospitals and businesses, including EHR vendor Allscripts. In a Jan. 25 blog post, Healthcare Information and Management Systems Society's Director of Privacy and Security Lee Kim addressed key facts of the ransomware variant. Here are seven things to know. 1. SamSam is not new. In fact, it's been around for about two years. When it first appeared on the scene, it was described as "self-contained," mean- ing it didn't need to "call home" via a command and control server, Ms. Kim writes. However, the widespread attacks involve a new variant of the strain that spread in the past, though some SamSam victims said they were affect- ed by the old version. 2. Hackers raised over $300,000 in just four weeks. The first bitcoin wal- let transaction associated with the attackers reportedly occurred Dec. 25. It is not yet clear where the attack originated, but some have attributed it to actors in Eastern Europe. 3. Recent attacks commonly involve compromised vendor creden- tials. Using stolen vendor credentials to get into a victim's network creates a "'window of opportunity' for the attacker who wants to compromise 'equip- ment vendors' and other types of vendors who have 'trusted access' to a healthcare provider," Ms. Kim writes. Another way it gets in is by exploiting vulnerability vendor products and services, then using automated exploita- tion tools or scripts to launch the attack. 4. A sign your organization is facing a SamSam attack may be the word "sorry." The new variant of SamSam is reportedly more obstructed and hard- er to detect, Ms. Kim writes. Adams Health Network in Decatur, Ind., said the attack led networks to operate slowly before screens went blank and files on the system read "sorry." Hackers demand a ransom — in the case of Greenfield, Ind.-based Hancock Health, it was 4 bitcoin, or about $55,000 — in exchange for the private encryption keys. In a screenshot of the hack- er's ransom note posted by Talos, SamSam attackers state "we don't want to damage our reliability" and "we are honest" as it explains victims can test the decryption process before paying the ransom. 5. The initial attack vector hasn't yet been determined. Traditionally, Sam- Sam is manual, meaning the malware must first be uploaded to a victim's ma- chine. However, some analyses note remote desktop or virtual network com- puting servers have recently been playing a role in similar types of attacks. 6. If you believe your organization is under attack, carefully consider your options. While some organizations decided to pay the ransom, others did not. Ms. Kim warns organizations might not necessarily get their data back even if they do pay the ransom. Paying the ransom could also infect your system with more malware. 7. Here are some tips on how your organizations can protect itself from SamSam. Organizations should update or patch their security solutions whenever a new version is released. They should also know what is "normal" for their systems and networks, Ms. Kim advises. She adds that plans, tests and training should be reviewed frequently and reminds organizations to not forget to test their backups, too. n