May 2018

A Ransomware Wakeup Call
By Sarah Elkins
For The Record
Vol. 30 No. 5 P. 20

Was the Allscripts SamSam attack enough to get the industry thinking differently?

On January 18, the SamSam ransomware struck Allscripts' cloud-based EHR servers. Thousands of the company's clients suffered a seven-day service outage, instigating a class action lawsuit.

Surfside Non-Surgical Orthopedics in Boynton Beach, Florida, filed the lawsuit on January 25, one day after services were fully restored. The suit claims "the company's failure to audit or monitor data systems crippled its EHR and ePrescribing systems and disrupted patient care."

Many were surprised by how quickly the lawsuit was initiated, but for Surfside Medical Director Glenn Chapman, MD, the weeklong outage was the final straw. According to Chapman, the EHR frequently went down, albeit only for an hour or so at a time. He assumed the outage would be brief, deciding, "Well, we'll keep working. It'll be up soon. We kept rolling, but it didn't get better."

In the throes of the outage, Chapman received a $4,000 bill from Allscripts, further rousing his ire. Soon after, a law firm approached Chapman about filing a class action lawsuit. He agreed to initiate the suit with the hope the firm could "hold Allscripts accountable and make them responsible for their failure to provide service."

According to Chapman, there were few options left for receiving reliable EHR service, a point of contention for him prior to the ransomware attack. "All I can do is try to contact another EHR company and try to jump ship. I'm under contract with [Allscripts], and it's a five-year contract. Once they get you, they got you. If I break the contract, I have years' worth of tens of thousands [of dollars] I owe unless I sue them."

Taking the route of a class action lawsuit seemed like the best path to a favorable resolution because, as Chapman describes it, "You know how well it works when an individual sues a $1.3 billion corporation."

An Industry Problem
Chapman's frustration extends beyond the specifics of the SamSam attack—even beyond Allscripts. He asserts that the industry has created an impossible environment for physicians, necessitating complete reliance on a technology that is far from fail-safe.

Chapman says, "The context [of the lawsuit] is really important. As a physician, we are not obligated, but we are coerced and beholden to have an electronic health record. Yes, you can technically go by paper, but it's impractical and it costs you a ton of money. No doctor realistically can practice without an EHR."

At the same time, most small practices can't afford a large, server-based EHR, the sort a hospital or a health system might purchase—and they certainly don't have the in-house IT resources to support such robust software. Cloud-based technology better suits the unique needs of small practices, offering affordability, flexibility, and ease of management. Unfortunately, the cloud environment falls short of the server environment when it comes to reliability. Small practices that rely on cloud-based EHRs are forced to add poor internet connection to their list of worries. Even if the software works seamlessly and avoids ransomware attacks, the practice's internet provider may go down. For Chapman and thousands of others like him, it's a catch-22.

What's more, Chapman believes EHR vendors are taking advantage of the impossible situation small practices like his are faced with. "It's a massive undertaking [to get onboard with an EHR]. It is not taken lightly and that's why most people, once they get one, they never switch. And, the [EHR] companies know that," he says.

The class action lawsuit is an opportunity to lob a stone at Goliath, but that's not to say Chapman is overly confident about the outcome. He is afraid of what availing himself of the legal system might mean for his practice. He worries the suit might draw negative attention, but he is confident he is doing the right thing.

"This is why these big corporations can walk all over us," Chapman says. "Nobody stands up and says, 'No, that's wrong.' That's honestly the reason I filed the suit. I'm going to at least try to hold them accountable for their actions. I don't know that anything is going to come of it."

Will It Work?
It is too soon to predict the outcome of the lawsuit, and there has been no news in the months since its original filing. What happens next will depend on the discoveries of the initial investigation.

According to Dean Sittig, PhD, a professor at UTHealth School of Biomedical Ethics, "The lawsuit could proceed based on some findings. For example, if it's found out [Allscripts] hadn't updated their servers in the last six months and they were running old versions of software, that they hadn't patched their systems, that would be bad for them."

Lee Barrett, executive director of the Electronic Healthcare Network Accreditation Commission, says, "While I cannot predict the outcome [of the lawsuit], organizations that are impacted by any breach or attack can experience loss of customer revenue as well as customer and or stakeholder credibility, which is why in the event of attack or breach, entities want to assure their constituency that the appropriate remediation actions have been taken and the risk/vulnerability has been mitigated."

A Failure to Communicate
Barrett's recommendation that organizations communicate with their constituents points to the rub in this and similar cases: the lack of clear communication during and following the event. When a ransomware attack occurs, organizations have had a tendency to go underground. They no doubt work diligently to remediate the attack, but rarely are the details communicated to their clients. As a result, stakeholders are unaware of the severity of the situation and lack a timeline for the fix.

Chapman was not pleased with the communication his practice received at the onset of the attack. "We heard nothing from [Allscripts] for days, and when you tried to call in, as you can imagine, you couldn't get through the lines after the first day," he says.

There was some communication. "We did get an e-mail from the [Allscripts] CEO that said '98% of our services are functioning,'" a claim that only heightened Chapman's frustration because while the majority of the services may have been functioning, they were wholly inaccessible, he says.

During the downtime, numerous tweets were launched at Allscripts, most of which expressed displeasure about the vendor's poor communication. Frustrated users also sought answers to how long the outage would continue and voiced annoyance at Allscript's attempt to downplay the attack's impact. (Allscripts did not respond to requests for comments.)

Sittig says there is room for improvement in the way the industry as a whole communicates about malware attacks. "We should be sharing more information about how they happen and what happened," he says. "Some people would argue that if we did this the bad guys would know exactly what we're doing and they would know how easy this is. I think they know that, so I don't know what we're hiding."

Sittig recalls MedStar's public response to the SamSam attack of 2016. "MedStar didn't even admit that they had a ransomware until a few days after the attack had been over. Their strategy was not even admitting they had it even though people were talking about it and showing screenshots. We should have learned something from that," he says.

Restoring Service
Allscripts' poor communication wasn't the only complaint it received from clients. The amount of time it took the vendor to get its services back online was the issue that did the most financial damage to thousands of practices. During the seven days of the outage, practices such as Surfside were rendered inoperable.

For example, Chapman could not access his appointment schedule to let patients know the system was down. Additionally, his appointment reminder service was down. Many patients didn't come in for their appointments, resulting in lost income. On the converse, when patients did show up, the care provided was hindered by an inability to access patient records. As a result, Chapman could not safely perform many procedures, causing additional loss of income.

In short, Chapman says, "Our entire medical existence, my entire career is through the EHR, so when the EHR goes down, I don't have a career. It's a fairly big deal."

Allscripts faced the daunting task of reassigning thousands of logins, a necessary effort because evidence suggested user logins had been compromised. This was not as simple as accessing backup data, which may explain why getting services back online took as long as it did.

Moving Forward
With the ransomware attack remedied and no resolution to the class action suit in sight, the most pertinent question at this time may be: What should vendors and practices be doing differently?

For Barrett, the answer is simple. "[The] industry needs to focus on core foundational risk assessment strategies and tactics. This includes the development of an asset inventory, ongoing risk and vulnerability assessments, a review of password protocols, software patching and updates, and third-party vendor management," he says.

Despite these recommendations being widely agreed upon and publicized within the industry, ransomware attacks persist.

According to Sittig, the disconnect is in human behavior. "Preventing ransomware is a safety issue. The point about safety is it inconveniences your regular life," he says. "I grew up before seatbelts and I remember not wanting to wear [them]. It took a long time to come around to thinking that if I don't have my seatbelt on, I'm not safe. Somehow we have to get used to being safe with our computer systems, and that will make them more difficult to use."

Barrett says the frameworks already exist. The important next step is to leverage the National Institute of Standards and Technology cybersecurity regulations with existing regulations through the Health Information Trust Alliance Common Security Framework and Electronic Healthcare Network Accreditation Commission accreditation, he says.

Meanwhile, Chapman has an idea of how to avoid the devastating effects of another attack. "What Allscripts could do is allow us to port our own data into a separate file that I could keep on my own secure computer so I could at least pull up my patient data … even if it was just their names and phone numbers, so that I could contact my patients and let them know," he says.

According to Sittig, the learning curve is steep, and the bad guys are winning. "This should be a wake-up call. It's unfortunate, but it's going to happen again."

— Sarah Elkins is a freelance writer based in West Virginia.