Allscripts recovering from ransomware attack that has kept key tools offline

Allscripts, the billion-dollar electronic health record (EHR) company headquartered in Chicago, IL said they were still working to recover from a ransomware attack that left several applications offline after data centers in Raleigh and Charlotte, NC were infected on Thursday.

In a conference call for customers on Saturday, which Salted Hash listened-in on, Allscripts’ Jeremy Maxwell, director of information security, said their PRO EHR and Electronic Prescriptions for Controlled Substances (EPCS) services were the hardest hit by the ransomware attack.

Other services had availability issues as well, but those have since been restored, such as direct messaging and some CCDA functionality.

EPCS has been also restored (as of Saturday) and they are working on getting PRO EHR back online.

However, in a call on Sunday Allscripts told providers to prepare for outages to continue through Monday as the company recovers. The recovery is focused on getting data restored via backups and alternative access methods.

“We are working around the clock to get everybody up and running by [Monday morning]. However, in terms of planning – in an abundance of caution – it would be advisable to plan for a continued outage though Monday,” said Robyn Eckerling, Chief Privacy and Security Counsel at Allscripts.

The ransomware attack started on Thursday, January 18 at around 02:00 a.m. EST, and by 06:00 a.m. EST it was a full-blown ransomware incident, which required that incident response teams from Microsoft and Cisco be called in to assist.

On Sunday, Allscripts said that Mandiant was also involved in the investigation as they work through how the infection started.

Backup systems were not impacted by the ransomware, thus enabling Allscripts to restore systems one-by-one from backup. Full backups are made on Friday, and incremental backups are done nightly at 10:00 p.m. EST. So as the systems are restored, the expectation is that there will be minimal – if any – data loss.

The variant of SamSam that infected Allscripts was a new variant unrelated to the version of SamSam that infected systems at Hancock Health Hospital in Greenfield, Indiana and Adams Memorial Hospital in Decatur, Indiana. This data was confirmed by the Microsoft and Cisco teams, as well as the FBI.

In a call on Saturday, Allscripts said that all appearance this was commodity malware and that the company wasn’t directly targeted.

Earlier this month, Hancock Health paid 4 BTC ($55,000 USD) to recover their systems after critical files were encrypted by SamSam. The decision to pay was weighed against manual restoration from backup.

While the hospital could have used backups to recover, the process could have taken days, maybe weeks, and the cost of recovery was more than the ransom demand. In this light, it was a business decision to pay.

“These folks have an interesting business model,” Hancock Health CEO Steve Long told the Greenfield Daily Reporter.  “They make it just easy enough (to pay), they price it right.”

According to Allscripts, their client base includes 180,000 physicians across nearly 45,000 ambulatory facilities, 2,500 hospitals and 17,000 post-acute organizations.