Ransomware Actors Cut Loose on Health Care Organizations

An attack on Allscripts last week that knocked out EHR services to 1,500 clients is the third reported incident just this month.

A string of recent attacks suggests that ransomware operators are sharply ramping up their focus on healthcare organizations.

Last week, electronic health record (EHR) provider Allscripts became at least the third organization in the health sector to get hit by ransomware since the start of this year.  

The other two were Indiana-based Hancock Health, which ended up paying some $50,000 to get back access to critical information systems, and Adams Health Network, also of Indiana, which managed to recover without any disruption. In all three incidents, attackers used different variants of SamSam, a well-known ransomware family, to encrypt critical data.

Of the three victims, the $1.5 billion Allscripts is the largest, providing service to 45,000 physician practices, 180,000 physicians and 2,500 hospitals. The January 18th attack on Allscripts affected systems hosted in the company's datacenters in North Carolina, resulting in its EHR and Electronic Prescription for Controlled Substances (EPCS) services becoming unavailable to some 1,500 clients.

Most of those impacted by the outage were small healthcare entities and individual physicians, some of whom vented their anger on Twitter and other channels as Allscripts worked over a period of multiple days to restore its systems.

The EHR provider did not respond to a Dark Reading request Wednesday for an update on recovery efforts, nor has the company provided any information on the incident on its website. So it is not clear if all systems have been completely recovered as of Wednesday afternoon.

However, in update calls with providers and in statements to healthcare outlets, Allscripts has described the attack and its response in a fair amount of detail. One of them, the Texas Medical Liability Trust, has provided a relatively detailed timeline of events and recommendations for those impacted by the incident.

Mac McMillan, CEO of CynergisTek, a company that provides security consulting services to healthcare organizations, says the attack left those using Allscripts' PRO EHR without access to client medical records. Those working in states that have mandated the use of EPCS had to resort to some very difficult workarounds for prescribing controlled substances to those in need of it, he says.

"The ones most impacted were the small practices that traditionally outsource (electronic medical records) and don't plan for or have a viable backup when their vendor goes down," McMillan says. "They simply have to wait until the vendor recovers."

The attack highlights the need for those using such services to re-evaluate critical systems and vendor support and put response plans in place in the event of outages. "We’ll see more of these cloud-based attacks in the future. Their impact is so much greater for those launching them," McMillan noted.

Ransomware attacks on hospitals and other healthcare organizations are not new. But the flurry of recent incidents suggests a heightened threat actor focus on the sector.

Security vendor Cryptonite in December 2017 released a report on cyberattacker activity in the healthcare sector and noted an explosion in incidents involving ransomware last year. The report, based on data gathered from breaches reported to the Health and Human Services Office of Civil Rights, showed there were 36 publicly reported ransomware incidents among health care institutions in 2017.

The number represented an 89% increase in ransomware attacks from the 19 reported in 2016. Among the top 10 healthcare data breach and hacking incidents last year, the top six were caused by ransomware. The biggest of them—an incident at Airway Oxygen—impacted some 500,000 records.

Mike Simon, CEO and President of Cryptonite, says the reasons for the attacker interest in health care institutions are basic. "Healthcare networks are highly interconnected and this provides a substantial opportunity for cyberattackers to penetrate multiple high-value targets," he says. EMR and EHR systems used by hospitals and large physicians' practices are connected to mobile phones and tablets used by ambulatory clinicians, who in turn communicate with labs, nursing facilities, scan and surgical centers, and numerous other facilities.

"Healthcare networks' architectures typically have a relatively high number of known vulnerabilities [with] missing patches and updates, embedded and exposed processors in medical devices, a large number of internet of things (IoT) devices and more," he says. "These make them particularly susceptible to a variety of known attacks for which most of these networks have no defense in place."

Another factor driving heightened interest in the health care sector is the apparent success that ransomware attackers have had extracting money from victims. "When an attacker has success within a particular vertical it’s obviously tempting for them to do more of the same," says Richard Ford, Chief Scientist, Forcepoint. "The concept of 'if it ain’t broke, don’t fix it' works just as well for attackers" as it does for defenders, he says.

The use of SamSam variants in many of the recent attacks suggests attackers are going after healthcare organizations in a methodical manner, adds Joseph Silva, a member of Cyxtera's cybersecurity analytics operations.

"Unlike the majority of ransomware families, SamSam isn’t delivered into a victim environment through phishing or malvertising methods," he says. Rather, it is being used to target specific healthcare organizations, gaining access to the environment and looking for high-value systems to infect.

"The threat actors utilizing SamSam are actively probing the victim environment for vulnerable servers, and then using those servers to enumerate the environment and identify systems that contain high-value data," Silva says.
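The behaviour Silva describes, a compromised server being used to probe and enumerate the rest of the environment, leaves a recognisable fan-out pattern in firewall or flow logs: one internal source touching many internal hosts, or many ports on one host, in a short window. The script below is an added example written for this article, not code from Cyxtera or any vendor quoted here; it parses a constructed connection-log format, counts distinct private destinations and ports per source over a sliding window, and flags sources that exceed assumed thresholds. The log format, thresholds and sample lines are all assumptions made for the example.

```python
"""Flag internal enumeration (host or port fan-out) in connection logs.

Added example, not from the article. Assumed (constructed) log line format:
    <ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>
Only RFC 1918 destinations are counted, so ordinary Internet browsing from a
workstation does not trip the rule; denied connections count as well, since
probing for vulnerable servers typically produces many denies.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) (?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "port": int(m["port"]),
        "action": m["action"],
    }


def find_enumerators(lines, window=timedelta(minutes=5), min_hosts=10, min_ports=5):
    """Return {src: (max_distinct_hosts, max_distinct_ports)} for every source
    that, within any `window`, contacted at least `min_hosts` distinct internal
    hosts or at least `min_ports` distinct ports on internal hosts.
    Thresholds are assumed values; tune them to the environment's baseline."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        if ipaddress.ip_address(e["dst"]).is_private:
            by_src[e["src"]].append(e)

    flagged = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            hosts = {e["dst"] for e in span}
            ports = {e["port"] for e in span}
            if len(hosts) >= min_hosts or len(ports) >= min_ports:
                prev = flagged.get(src, (0, 0))
                flagged[src] = (max(prev[0], len(hosts)), max(prev[1], len(ports)))
    return flagged


# Constructed sample log: one host sweeping SMB across a /24, one host
# port-sweeping a single server, and one host behaving normally.
SAMPLE_LOG = [
    f"2018-01-18T02:0{i // 10}:{(i % 10) * 6:02d} 10.0.5.23 -> 10.0.5.{100 + i}:445 deny"
    for i in range(12)
] + [
    f"2018-01-18T02:03:{i * 10:02d} 10.0.9.4 -> 10.0.9.1:{port} deny"
    for i, port in enumerate((21, 22, 23, 80, 445, 3389))
] + [
    "2018-01-18T02:00:10 10.0.7.9 -> 93.184.216.34:443 allow",
    "2018-01-18T02:00:20 10.0.7.9 -> 10.0.0.5:443 allow",
    "2018-01-18T02:00:25 10.0.7.9 -> 10.0.0.5:53 allow",
]

if __name__ == "__main__":
    for src, (hosts, ports) in sorted(find_enumerators(SAMPLE_LOG).items()):
        print(f"{src}: up to {hosts} internal hosts / {ports} ports in one window")
```

Run against the constructed sample, the SMB sweeper and the port sweeper are flagged and the normal workstation is not. In practice the same logic runs over exported firewall, NetFlow or endpoint connection records, and the first alert of this kind from a server that should only ever talk to a handful of peers is exactly the early signal that lets a response team isolate the foothold before high-value systems are encrypted.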

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
