Issue link: https://beckershealthcare.uberflip.com/i/977748
CIO / HEALTH IT

Here's how Allscripts recovered from its January ransomware attack: 12 takeaways

By Julie Spitzer

In January, Allscripts clients were locked out of their cloud-based EHRs for days when the security operations center was crippled by a ransomware variant known as SamSam — a favorite among hackers targeting healthcare organizations.

To gain a better understanding of the cyberattack's impact on the EHR vendor, CSO Online spoke with Allscripts about its incident response plan and the lessons it learned throughout the ordeal. Here are 12 takeaways.

1. Hackers launched SamSam ransomware on Allscripts Jan. 18, 2018, and most customers reported they were offline or dealt with access problems for an entire week. Nearly 1,500 medical practices were affected by the incident.

2. Allscripts' Professional EHR and Electronic Prescriptions for Controlled Substances services were the hardest hit. Many customers could access the cloud but not the database.

3. In public comments Allscripts explained services in some regions were restored, although many clients in those areas said they didn't have access. When asked about the conflicting public statements and its clients' reports, the company said: "Allscripts serves a wide range of clients in a variety of individual circumstances. Accordingly, they experienced different effects as a result of this incident. There were a range of circumstances involved with getting particular systems back online and we addressed each of them as quickly as possible."

4. Allscripts began its response by first detecting and identifying the issue. The EHR vendor then started severing connections with their affected data centers — those in Raleigh, N.C., and Charlotte, N.C. — to contain the attack. The company had to call in help from Cisco, Mandiant and Microsoft.

5. In a statement provided to CSO Online, Allscripts said hundreds of personnel worked to resolve the attack.
It added that the first 24 hours were an "intense swirl of many technical, business and other practical challenges."

6. Allscripts said it prepared employees for various incidents, but it's not clear whether ransomware attacks were a part of their trainings.

7. When CSO Online asked Allscripts how it prepared for a ransomware attack, the company said: "Keep in mind that there were no antivirus signatures available for this SamSam variant at the time it struck Allscripts. This was an entirely new, zero-day variant of SamSam ransomware that had never been identified previously by Cisco, Microsoft or the FBI. We were able to contain it within minutes, and then begin the intense work of restoring those client services that were affected."

8. Threat intelligence experts told CSO Online the best way to defend against SamSam is to understand signatures because endpoint defenses are not enough. Instead, a combination of endpoint defenses, patch management, limiting system functionality and limiting user permissions should be applied.

9. After the vendor identified and contained the threat, Allscripts had to clean and restore its systems before testing them and bringing them back online. Before Allscripts did this, the company had to ensure it knew how the attack happened and needed to implement extra security layers to prevent similar incidents.

10. While the EHR vendor updated its customers daily — sometimes more — Allscripts CEO Paul Black, in a Jan. 26 letter to customers, explained plans to replicate its Pro EHR across multiple data centers, as well as refreshing the technology "to shorten our recovery time in the event of any future disruption." However, Allscripts told CSO Online it didn't use its replication services to aid in the restoration process.

11. The No. 1 issue with Allscripts' response was communication, according to CSO Online.
Updates from support representatives didn't always line up with reports from customers, who grew frustrated with Allscripts. However, the company was being truthful: its services were live, but clients' access was still thwarted.

12. Overall, Allscripts was able to restore its services within 24 hours, even if customers were down or experienced issues for at least six days.

Will the Apple EHR fulfill its promises? Eventually, but it's starting small

By Julie Spitzer

Informatics experts gathered for a briefing on Capitol Hill April 10 to discuss the Apple Health records feature, noting the tool may not be as all-encompassing as some reports have suggested, according to Politico Morning eHealth newsletter.

The American Medical Informatics Association hosted the briefing to discuss the Apple initiative, and it invited Danville, Pa.-based Geisinger's Chief Informatics Officer Alistair Erskine, MD, to speak. Geisinger is one of the 39 health systems using the feature, and Apple worked directly with EHR-giants Epic, Cerner and athenahealth to integrate patients' data with the app if they opt in to the system.

Dr. Erskine explained the initial launch only applies to certain information, like allergies, medications and lab results. Patients using the app will not have access, at this time, to their full clinical notes, and the feature is only available to patients who own an Apple device — those with Android phones are left out.

It will take some time before "the things we're talking about doing at scale are really feasible," he said, according to Politico.

At the briefing, Cerner's Senior Director of Government Affairs and Public Policy Meg Marshall added one of those features may be giving patients access to their longitudinal progress, though that record is not yet available on the app, Politico reported.

