"You're probably not going to be 100% successful at preventing a ransomware attack," said Jeff Krull, a partner with advisory firm Baker Tilly. "You need to have that 'what are we going to do once it happens?' mentality."
When the ransomware hit Allscripts that Thursday morning, it took down the vendor's Professional EHR, Electronic Prescriptions for Controlled Substances, and other services. About 45,000 physician practices, 19,000 post-acute agencies, and 2,500 hospitals use Allscripts software, though the attack affected just 1,500 clients, according to company spokesperson Concetta Rasiarmos. None of those were hospitals or large independent physician practices, she said.
By the following Monday, the company had brought the controlled-substance prescribing program back online. By Tuesday, EHR software was up, although the company was still working on giving clients access to certain applications. By Jan. 26, all of its services had been restored. Users resorted to paper during the downtime.
Surfside alleged that it and other Allscripts clients didn't have access to critical services through Jan. 24.
The rapid pace of cyberattacks that hit the industry last year shows no sign of abating. Already this year, nine breaches have been reported to HHS' Office for Civil Rights. So far, no Allscripts users have reported the breach, and it's not yet clear if they'll need to.
"The interests of covered entities and business associates may not align, so it is important for the covered entity to take the lead in determining whether a breach has occurred," said Pamela Hepp, a healthcare lawyer with Buchanan Ingersoll & Rooney.
Covered entities—not vendors—must report breaches affecting 500 or more patients to HHS. "There is no evidence that any data was removed from our systems," Rasiarmos said.
Even if no protected health information got out, the disruption to users was significant. It's important for everyone touching health IT to prepare for downtime, Krull said. "Outages are going to happen whether or not you're running something in your own data center or in some data center run by a service provider," he said.
The easiest step users can take is patching their software, he said. Users should also have backups—both online and offline—and they should have established downtime procedures, he added. Those who have been in the field for some time seem, anecdotally, better able to adapt to non-automated workflows during outages, Krull said. Newer users have a rougher go of it.
"There may be a training element to it, especially for some of the younger generation," he said. "A lot of them may have never delivered care in an environment where they're not using a computer."
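Krull's advice to keep both online and offline backups only pays off if you can tell, before you restore, which copy is still trustworthy. The script below is an added example, not code from the article or from Allscripts: it records a SHA-256 manifest of a small constructed data set, makes an "online" copy (assumed to sit on storage the ransomware can reach) and an "offline" copy (assumed to have been detached after it was written), lets a stand-in for ransomware overwrite and rename the reachable files, and then verifies both copies against the manifest. The XOR scrambling is a placeholder for real encryption; the file names and directory layout are invented for the demonstration.

```python
"""Backup integrity check with a SHA-256 manifest.

Added example, not from the article. The data set, file names and the
'ransomware' (a byte-wise XOR plus rename) are constructed stand-ins.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file under root (path relative to root) to its SHA-256 digest.

    Record this at backup time and store it with the offline copy, so a
    restore can be checked against a reference the attacker could not reach.
    """
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_copy(copy_root: Path, manifest: dict[str, str]) -> list[str]:
    """Return the manifest entries that are missing or whose digest differs.

    A renamed file (e.g. '.locked') shows up as missing; an overwritten
    file shows up as a digest mismatch. An empty list means the copy is intact.
    """
    damaged = []
    for rel, expected in manifest.items():
        path = copy_root / rel
        if not path.is_file():
            damaged.append(rel)
        elif hashlib.sha256(path.read_bytes()).hexdigest() != expected:
            damaged.append(rel)
    return damaged


def simulate_ransomware(victim_root: Path) -> None:
    """Constructed stand-in for ransomware: scramble every file and rename it.

    XOR with a fixed byte replaces real encryption; the point is only that the
    contents and names no longer match the manifest.
    """
    for path in list(victim_root.rglob("*")):
        if path.is_file():
            path.write_bytes(bytes(b ^ 0x5A for b in path.read_bytes()))
            path.rename(path.with_suffix(path.suffix + ".locked"))


def demo() -> tuple[list[str], list[str]]:
    """Back up a constructed data set to an online and an offline copy, let the
    ransomware hit the live system and the online copy, and verify both.

    Returns (damaged files in online copy, damaged files in offline copy).
    """
    with tempfile.TemporaryDirectory() as tmpdir:
        tmp = Path(tmpdir)
        live = tmp / "live"
        (live / "rx").mkdir(parents=True)
        # Constructed sample data, not real patient records.
        (live / "patients.db").write_bytes(b"id,name\n1,Example Patient\n")
        (live / "rx" / "scripts.json").write_bytes(b'{"rx": []}\n')

        manifest = build_manifest(live)
        online = tmp / "online_backup"
        offline = tmp / "offline_backup"
        shutil.copytree(live, online)
        shutil.copytree(live, offline)

        # Assumption: the online backup shares mounted storage with the live
        # system, so the ransomware reaches it; the offline copy was detached
        # after it was written and is untouched.
        simulate_ransomware(live)
        simulate_ransomware(online)

        return verify_copy(online, manifest), verify_copy(offline, manifest)


if __name__ == "__main__":
    online_damaged, offline_damaged = demo()
    print("online backup, damaged files:", online_damaged)
    print("offline backup, damaged files:", offline_damaged)
```

The manifest has to live somewhere the attacker cannot rewrite; keeping it only next to the online copy would let the ransomware, or an operator under pressure, make a corrupted backup look clean. In practice the same check runs against whatever you restore, before the restored system goes back into service.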
Some users are taking another preventive step: writing penalties into their contracts with vendors.
"That's not going to fix the problem," said Mac McMillan, co-founder and CEO of privacy and cybersecurity consulting firm CynergisTek. "You can't fine away a threat. All you're really doing is creating animosity with your vendor." That doesn't mean users shouldn't be critical of their vendors, though. "It's important to make sure that you're working with cloud vendors that have good redundancy."
After ransomware has hit, there are other considerations—namely, what to do about the missing data. "Do you pay the ransom or not?" asked Chris Hart, a lawyer with Foley Hoag. The FBI and others recommend not paying, but, he said, "if you haven't created backups or separated your information into different areas, it might be lost unless you pay the ransom." Which raises yet another question: How do you pay?
"You have to get your hands on cryptocurrency," Krull said, "and then what happens if they don't give you your data? There's no guarantee that you're going to get it back."