New ransomware attack forces hospitals to turn away patients

Allscripts, a provider of electronic health record (EHR) technology to hospitals, was hit by ransomware this week, provoking an outage that affected thousands of physicians” practices and healthcare providers across the United States.

Allscripts reportedly handles data for 180,000 physicians, 100,000 electronic prescribing physicians, 40,000 in-home clinicians, 2,700 hospitals, 13,000 extended care organizations and 7 million patients across the country. Besides EHR tools, it develops and sells solutions for patient engagement and care coordination, as well as financial and analytics technology.

Early this week, the company confirmed to partnering hospitals that it fell victim to a ransomware attack that crippled its systems.

Ransomware is malware that encrypts data on the endpoints it infects. If successful, the malware displays a note demanding payment – in the form of untraceable digital currency – in exchange for decrypting the data.

As reported by Healthcare IT News, facilities relying on their own server were less severely affected than those relying on cloud-hosted services and applications supplied by Allscripts.

Cleveland”s News 5 confirmed this with doctors at Pulmonary Physicians in Canton. Because of the Allscripts outage, the office has not been able to access vital patient information, and is forced to turn away its patients.

Like Hancock Health and Adams Memorial, Allscripts was apparently hit by the same type of ransomware – albeit a slightly different strain – dubbed SamSam. It emerged in 2016 and specifically targeted the healthcare industry.

SamSam spreads through the web and Java apps, and specifically targets external-facing RDP servers. It relies on unsophisticated techniques (i.e. brute force tools) to guess weak passwords and make its way into the network. Thanks to a wormable component, once it makes its way inside, it spreads laterally to infect other vulnerable systems.

David Finn, an executive at consulting firm CynergisTek, points out that organizations use endpoint protection tools but forget to lock up servers with antimalware solutions.

“It needs to be on all of your endpoints. We sometimes forget about those servers being endpoints,” said Finn.

Allscripts has not yet issued a public statement on the attack.