Medical Providers boiling mad from Allscripts extended outage- update

The outage was caused by a ransomware infection at NC data centers for the Electronic Health Record (EHR) cloud-based service. Without access to patient records, practices were shut down for days and kept in the dark.

Brian Allison, Sales and Marketing Manager, INCS  Charlotte, NC.   June 1, 2018

This exchange was reported from the comments on the health info site HIStalk:

“Totally unacceptable that 48 hours later my practice is still down…” Jorit Wijnmaalen, @SunCoastSeminar, Jan 19

“Agreed. Can’t access patient records AT ALL since (Jan 18).”

Adrian Lloyd @TheUDoc, 8:09 PM – Jan 21, 2018

Providers seemed especially peeved that Allscripts was not only down for way too long, but the company kept their customers in the dark about what was going on and when they’d be back up and running. Allscripts makes absolutely no mention of this incident on their website now, including their investor relations section.

The public company has an earnings call coming up in two weeks, and it will be interesting to see what they’ll say about it to Wall Street. This outage and the poor way it was handled (crisis management training, anyone?) should be considered significant enough to be material to the company and demands a clear explanation.

A class-action lawsuit on behalf of all their impacted clients has been filed against the company in U.S. District Court in their home state of Illinois. From that lawsuit:

“Allscripts wanton, willful, and reckless disregard caused a complete and total interruption of service,” the suit reads. “Allscripts failed to implement appropriate processes that could have prevented or minimized the effects of the SamSam ransomware attack.”

The infection is being attributed to the SamSam worm that was found in 2016. Cybersecurity experts believe that the company had not been properly patched for that attack. Surfside, the clinic leading the class-action suit, claimed it acted in “reasonable reliance” on Allscripts’ “misrepresentation and omissions” about its security products. The clinic said that had they known about the company’s lack of cybersecurity, they would never have become an Allscripts EHR client.

Related info and updates:

Allscripts reports that a ransomware attack has taken down some of the applications that are hosted in its Raleigh and Charlotte, NC data centers.

http://histalk2.com/2018/01/18/ransomware-attack-takes-down-some-allscripts-systems/

The company says Allscripts Professional EHR is unavailable to customers hosted in those data centers, as are instances of its electronic prescribing of controlled substances system.

Allscripts says it expects to restore its systems quickly from backups.

An Allscripts user and HIStalk reader reports that other functions have been down since this morning, including InfoButton, regulatory reporting, clinical decision support, direct messaging, and Payerpath.

The company has not acknowledged the downtime on its website or social media accounts.

I emailed a media contact but haven’t heard back. UPDATE: the Allscripts media contact provided this statement:

We are investigating a ransomware incident that has impacted a limited number of our applications. We are working diligently to restore these systems, and most importantly, to ensure our clients’ data is protected. Although our investigation is ongoing, there is currently no evidence that any data has been removed from our systems. We regret any inconvenience caused by this temporary outage.

========================================

Allscripts hit with a ransomware attack affecting a ‘limited number’ of applications – FierceHealthcare

by Evan Sweeney | Jan 18, 2018 4:12pm https://www.fiercehealthcare.com/privacy-security/allscripts-ransomware-cybersecurity-ehr-applications

Allscripts is investigating a ransomware attack that took a limited number of applications offline. This story has been updated to include comments from Northwell Health.

Allscripts is investigating a ransomware attack impacting a “limited number” of applications, according to a company spokesperson.

“We are working diligently to restore these systems, and most importantly, to ensure our clients’ data is protected,” Allscripts spokesperson Concetta Rasiarmos said in an email to FierceHealthcare. “Although our investigation is ongoing, there is currently no evidence that any data has been removed from our systems. We regret any inconvenience caused by this temporary outage.”

Rasiarmos did not respond to questions about what specific applications were impacted.

The attack was first reported by HIStalk, which received a tip from an Allscripts user that the attack shut down applications hosted in two data centers in North Carolina, including the Allscripts Professional EHR platform and some e-prescribing systems.

FierceHealthcare will update this story as it develops.

Update 1/19: A spokesperson for Northwell Health says the health system disconnected from Allscripts data centers impacted by the attack to avoid any complications. Northwell has not lost connectivity to its EHR platform since it is hosted on its own data center, but providers are unable to access e-prescribing applications.

“We have lost access to certain functionalities, the major one being electronic prescribing of narcotics, which just means physicians need to write narcotics prescriptions on paper prescription pads temporarily,” says Northwell Health spokesperson Terence Lynam.

A physician with Kansas-based Sunflower Medical Group also posted on Twitter that e-prescribing functionality was down.

“#ransomware attack on Allscripts has taken down our e-prescribing, EPCS and some other services! Yikes!! At least we don’t use their hosted application. I hear many hosted practices couldn’t access their EMR yesterday. Talk about a shutdown!”

Yvette Crabtree, MD, @YCrabtreeMD 9:26 AM – Jan 19, 2018

In a message posted to Allscripts’ e-prescribe portal, the company said it was working to restore Electronic Prescribing of Controlled Substances (EPCS) functionality.

“Please note that EPCS users in New York or other EPCS mandated states, pursuant to the state EPCS statute, write paper scripts due to a temporary technical difficulty with the EPCS service,” according to the notice posted to the site. “It is recommended you note the pharmacist special instructions and in the EHR that a paper or oral prescription was provided due to technical issues.”

========================================

Allscripts still working to rebound after ransomware attack (Updated)

ERIN DIETSCHE – MedCityNews, https://medcitynews.com/2018/01/allscripts-ransomware/?rf=1  Jan 22, 2018 at 12:27 PM

This article has been updated with additional information and a statement from Allscripts.

The healthcare cybersecurity woes of 2017 seem to be just as prevalent in 2018. On January 18, Allscripts was hit with a ransomware attack.

The news was first reported by HIStalk, which noted that the attack took down applications hosted in the vendor’s Raleigh and Charlotte, North Carolina data centers. The Allscripts Professional EHR and some e-prescribing system capabilities were affected.

The attack is said to have involved a strain of SamSam malware. In a conference call on Sunday, the Chicago-based vendor said providers should prepare for outages to continue through Monday, according to CSO.

Over the past few days and into Monday morning, healthcare professionals across the country have voiced their frustration with the situation on social media.

========================================

Allscripts still fighting to restore all services 4 days after ransomware attack

Customers are saying that e-prescribing and hosted services are still down.

By Jessica Davis, January 22, 2018 4:42 PM

http://www.healthcareitnews.com/news/allscripts-still-fighting-restore-all-services-4-days-after-ransomware-attack

Allscripts is still attempting to get all services back to normal after its Raleigh and Charlotte data centers fell victim to a ransomware attack late Thursday night. While waiting for the electronic health record vendor to straighten the situation out, customers are experiencing outages.

“Ransomware attack on Allscripts has taken down our e-prescribing, EPCS and some other services,” Yvette Crabtree, MD, a Kansas City-based physician affiliated with Sunflower Medical Group, said. “At least we don’t use their hosted application. I hear many hosted practices couldn’t access their EMR yesterday.”

After learning about the attack from Allscripts on Thursday, Northwell Health in New York took the precautionary measure of disconnecting from Allscripts data centers, according to a Northwell spokesperson.

“Northwell moved quickly to avoid the potential for complications and Allscripts does not believe any data from its system was removed,” the spokesperson said. “The electronic prescribing of controlled substances was the only electronic medical record that was unavailable to providers at Northwell Health’s facilities – we have 23 hospitals and about 660 ambulatory locations. Northwell resumed normal operations over the weekend.”

So far, there’s no update on the Allscripts website or social media accounts about the outage or how long it’s expected to take to get all sites back online.

The company hasn’t commented on how many providers were impacted by the outage either, but Allscripts supports over 180,000 physicians, 100,000 electronic prescribing physicians and about 40,000 in-home clinicians.

In the meantime, Crabtree said that in addition to EPCS being down for three days, making e-prescribing iffy, services that relied on the Allscripts data center were also down.

“We still had our EMR because we have our own server,” she added. “From what I can tell we were lucky. It’s the clients that have cloud-hosted services who were really screwed.”

========================================

Why Communications Must Be Part of Incident Response: Look What’s Happening to Allscripts Now

By SecureWorld News Team  THU | JAN 25, 2018 | 8:30 AM PST

Electronic health records giant Allscripts was hit by a ransomware attack one week ago, cutting many doctors and clinics off from patient records stored on Allscripts’ cloud and forcing some doctors’ offices to shut down.

https://www.secureworldexpo.com/industry-news/communications-part-of-incident-response

Allscripts customers have taken to social media, asking for mainstream media to cover the attack, the CEO to resign, and even requesting compensation, largely because of a lack of information on the attack.

What’s at stake here: patient care

Cleveland News 5 caught one example of the real world impact: “For the fifth day, Dr. George Kefalas and his staff have been unable to access medical records for their 8,500 patients. Thousands of patients in Northeast Ohio are being turned away. Doctors we caught up with at Pulmonary Physicians in Canton tell News 5 they have no choice. They cannot access vital information to properly care for their patients, so for now, they are canceling appointments.”

What if your diagnosis was taken down? That paints the picture of how serious this is.

Allscripts customers: we don’t know what is happening

Allscripts customers have taken to social media to berate the company. Not because of the ransomware attack itself—at least not yet—but because of a lack of information on what’s happening. You can see the anger building on social media the longer patient health records are offline with very little information:

Is this cyber incident reportable?

Although ransomware attacks don’t typically involve theft of data, are the patient records involved in this attack secure? Should doctors’ offices and medical clinics be notifying their patients of a breach?

Allscripts customers are asking that same thing on Twitter because they claim to have so little information from the company at this point. If you are in this situation, SecureWorld cyber attorney Shawn Tuma of Scheef and Stone, LLP, put together a list of what you should and should not do at this point.

SecureWorld also reached out to Allscripts for more information on the ransomware attack, since there has been so little about it.

Bad actors have figured this much out: no one likes medical records held hostage and some will pay ransom because “from a business standpoint, it makes sense.”

The provider argued that as SamSam ransomware has been a known threat since 2016, the company should have audited or monitored its systems to prevent the attack. And its failure to do so caused the crippling system outage.

“Allscripts wanton, willful, and reckless disregard caused a complete and total interruption of service,” the suit reads. “Allscripts failed to implement appropriate processes that could have prevented or minimized the effects of the SamSam ransomware attack.”

UPDATE: Physicians Nationwide Again Reporting Allscripts Service Outages

Ryan Black @Ryan_M_Black

http://www.hcanews.com/news/physicians-nationwide-again-reporting-allscripts-service-outages

Allscripts just can’t catch a break. On the day that the electronic health records (EHR) vendor is celebrating the announcement of a major new partnership, physician staff across the country are again reporting service outages. In mid-January, the company was struck with a ransomware attack that knocked out web-based services to hundreds of practices, causing outrage.

Many of the same practices that were impacted by the first wave of outages are reporting them again. One New England-based provider who had spoken to Healthcare Analytics News™ at the time of the ransomware incident confirmed that his practice is again locked out of its EHR system. Colleagues in Kentucky, Texas, and Connecticut were suffering similar problems. He added that a backup system failure has locked up his practice.

The original January incident resulted from a SamSam ransomware attack that hit 2 of its datacenters. The company said “roughly 1,500” clients were impacted, with some practices incapable of accessing important workflow technology—including their EHR systems—for up to 7 days.

Allscripts is currently enjoying widespread coverage for their Lyft partnership on Twitter. Allscripts will integrate Lyft into its EHR systems, potentially making it easier for its 7 million covered patients to get rides to medical appointments. The announcement echoes a similar plan unveiled by Lyft’s rival, Uber, last week.

While the Lyft partnership is drawing praise, medical providers who cannot access patient records have to shut down their practices, so patients can’t get the care they need and the business can’t generate any income.

“Yet another cloud outrage (sic-probably). No EHR. Seriously. #Allscripts,” one user who also experienced the January outage wrote. “Outage…outrage same thing in relation to Allscripts!” another immediately replied.

The outage in January drew a class-action lawsuit, filed on behalf of a Florida-based orthopedic group on January 25th in United States District Court for the Northern District of Illinois.

When SamSam hit, the company issued a rather tone-deaf statement saying that none of the impacted practices “were hospitals or large independent physician practices.” Many of the practices impacted expressed concern that that language was meant to downplay the problems they were facing, as though they were too small to worry about.

Allscripts did not immediately respond to a request for comment for this story. It is unclear if the current issue is related to the one that occurred roughly 6 weeks ago, or if it is again related to ransomware.

Allscripts Lawsuit Serves As Warning To Physicians

Source: Health IT Outcomes https://www.healthitoutcomes.com/doc/allscripts-lawsuit-serves-as-warning-to-physicians-0001

By John Oncea, Digital Editorial Director, @buck25

The lawsuit filed by four physician practices against Allscripts should serve as a warning to be diligent when making electronic health record (EHR) decisions.

In what is believed to be a first-of-its-kind case, two Miami class law firms have filed a class action lawsuit against Allscripts Healthcare Solutions. This lawsuit alleges Allscripts “misled its physician customers about the quality and functionality of MyWay” electronic health record (EHR) software, which was sold to approximately 5,000 physicians across the nation from 2009 until Allscripts withdrew it from the market at the end of 2012. The cost of the software, according to the law firm’s website, was “approximately $40,000 per physician to implement.”

The lawsuit asserts, “The product never worked well and, after four years, in the face of mounting complaints and market pressures to resolve the issues and provide refunds, Allscripts ‘sunsetted’ the product. Rather than ensure that MyWay met its customers’ needs, Allscripts made the decision to unilaterally ‘upgrade’ its customers to another – and more expensive – software named Professional Suite Electronic Health Record System (‘EHR Pro’). The ‘free upgrade’ was anything but free. Unlike MyWay, EHR Pro was not developed for small physician groups, is more complicated and more expensive to maintain, and requires more complex integration and staff training. Simply put, it is not the product that Allscripts’ physician customers bargained for or wanted for their electronic health record technology.”

Sam Narisi, writing for Healthcare Business and Technology, singles out three more complaints leveled against Allscripts:

  1. The system failed to meet the federal requirements for EHR incentives, despite the company claiming that it would
  2. Even after thousands of dollars and dozens of hours spent on the implementation and training, the system still didn’t work properly
  3. Installing the system led to a significant drop in revenue for the practices

The specific case of lawsuit participant Robert Joseph, MD, is detailed by Alicia Gallegos of American Medical News, who writes, “But $40,000 and dozens of training hours later, the program has created headaches for Dr. Joseph’s practice, he said. He claims that the system never worked effectively and failed to meet the federal regulatory requirements promised by Allscripts.”

Gallegos also quotes Ronald Sterling, president of Sterling Solutions Ltd., a medical practice consulting company based in Silver Spring, MD, as saying, “The cases against Allscripts could encourage more litigation against EHR vendors as physicians become increasingly dissatisfied with the systems they are sold.”

Ironically, while physicians are initiating the lawsuit against Allscripts, the University of Illinois at Chicago reports physicians themselves could be defendants in an increasing number of EHR-related lawsuits in the future. The University’s story, citing a report conducted by healthcare IT research firm AC Group, notes, “The speed and widespread adoption of clinical informatics systems and electronic health records (EHRs) could result in increasing numbers of lawsuits against physicians.”

The AC Group’s report indicates, “A review of 65 EHRs showed that more than 90% of them did not provide adequate medico-legal training and 95% of them had specific medico-legal issues. Either could increase the potential risk of a liability claim and would hamper its defense. The EHR vendor community should strongly consider external reviews of their software for potential medico-legal issues that may have been missed by internal reviews due to employee familiarity with the process and the product.”

According to Marisa Torrieri of Physicians Practice, the Allscripts lawsuit – as well as reports of EHR dissatisfaction – should teach physicians a powerful lesson. The apparent safety of going with a ‘big name’ vendor that has grown by buying up other EHRs may not actually provide real-world reliability for this critical resource. Marisa also passes on these four guidelines from Health IT consultant Bruce Kleaveland that he feels physicians should practice when choosing an EHR:

  1. Carefully vet vendors through a formal organized process
  2. Reference check with trusted colleagues or local sources whenever possible (although with all reference systems, someone has to go first).
  3. Organize the practice leadership and staff to manage the implementation of the EHR
  4. Select low-risk vendors, or those with a strong local installed base, extended track record of success and sustainability, and a focused product strategy