Ransomware Actors Cut Loose on Health Care Organizations

An attack on Allscripts last week that knocked out EHR services to 1,500 clients is the third reported incident just this month.

A string of recent attacks suggests that ransomware operators are sharply ramping up their focus on healthcare organizations.

Last week, electronic health record (EHR) provider Allscripts became at least the third organization in the health sector to get hit by ransomware since the start of this year.

The other two were Indiana-based Hancock Health, which ended up paying some $50,000 to get back access to critical information systems, and Adams Health Network, also of Indiana, which managed to recover without any disruption. In all three incidents, attackers used different variants of SamSam, a well-known ransomware family, to encrypt critical data.

Of the three victims, the $1.5 billion Allscripts is the largest, providing service to 45,000 physician practices, 180,000 physicians and 2,500 hospitals. The January 18th attack on Allscripts affected systems hosted in the company's data centers in North Carolina, resulting in its EHR and Electronic Prescription for Controlled Substances (EPCS) services becoming unavailable to some 1,500 clients.

Most of those impacted by the outage were small healthcare entities and individual physicians, some of whom vented their anger on Twitter and other channels as Allscripts worked over a period of multiple days to restore its systems.

The EHR provider did not respond to a Dark Reading request Wednesday for an update on recovery efforts, nor has the company provided any information on the incident on its website. So it is not clear if all systems have been completely recovered as of Wednesday afternoon.

However, in update calls with providers and in statements to healthcare organizations, Allscripts has described the attack and its response in a fair amount of detail. One of those organizations, the Texas Medical Liability Trust, has provided a relatively detailed timeline of events and recommendations for those impacted by the incident.

Mac McMillan, CEO of CynergisTek, a company that provides security consulting services to healthcare organizations, says the attack left those using Allscripts' PRO EHR without access to client medical records. Those working in states that have mandated the use of EPCS had to resort to some very difficult workarounds for prescribing controlled substances to those in need of them, he says.

"The ones most impacted were the small practices that traditionally outsource (electronic medical records) and don't plan for or have a viable backup when their vendor goes down," McMillan says. "They simply have to wait until the vendor recovers."

The attack highlights the need for those using such services to re-evaluate critical systems and vendor support and put response plans in place in the event of outages. "We’ll see more of these cloud-based attacks in the future. Their impact is so much greater for those launching them," McMillan noted.

Ransomware attacks on hospitals and other healthcare organizations are not new. But the flurry of recent incidents suggests a heightened threat actor focus on the sector.

Security vendor Cryptonite in December 2017 released a report on cyberattacker activity in the healthcare sector and noted an explosion in incidents involving ransomware last year. The report, based on data gathered from breaches reported to the Health and Human Services Office of Civil Rights, showed there were 36 publicly reported ransomware incidents among health care institutions in 2017.

The number represented an 89% increase in ransomware attacks from the 19 reported in 2016. Among the top 10 healthcare data breach and hacking incidents last year, the top six were caused by ransomware. The biggest of them—an incident at Airway Oxygen—impacted some 500,000 records.

Mike Simon, CEO and President of Cryptonite, says the reasons for the attacker interest in health care institutions are basic. "Healthcare networks are highly interconnected and this provides a substantial opportunity for cyberattackers to penetrate multiple high-value targets," he says. EMR and EHR systems used by hospitals and large physicians' practices are connected to mobile phones and tablets used by ambulatory clinicians, who in turn communicate with labs, nursing facilities, scan and surgical centers, and numerous other facilities.

"Healthcare networks' architectures typically have a relatively high number of known vulnerabilities [with] missing patches and updates, embedded and exposed processors in medical devices, a large number of internet of things (IoT) devices and more," he says. "These make them particularly susceptible to a variety of known attacks for which most of these networks have no defense in place."

Another factor driving heightened interest in the health care sector is the apparent success that ransomware attackers have had extracting money from victims. "When an attacker has success within a particular vertical it's obviously tempting for them to do more of the same," says Richard Ford, Chief Scientist at Forcepoint. "The concept of 'if it ain't broke, don't fix it' works just as well for attackers" as it does for defenders, he says.

The use of SamSam variants in many of the recent attacks suggests attackers are going after healthcare organizations in a methodical manner, adds Joseph Silva, a member of Cyxtera's cybersecurity analytics operations.

"Unlike the majority of ransomware families, SamSam isn't delivered into a victim environment through phishing or malvertising methods," he says. Rather, it is being used to target specific healthcare organizations, with the attackers gaining access to the environment and then looking for high-value systems to infect.

"The threat actors utilizing SamSam are actively probing the victim environment for vulnerable servers, and then using those servers to enumerate the environment and identify systems that contain high-value data," Silva says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...