Allscripts’ Electronic Health Records service was the first major cloud-based EHR to be significantly disrupted by a ransomware attack. Close to 1,500 practices were affected by the EHR outage for about a week, essentially shutting down those practices. Allscripts was hit by the SamSam virus, which was launched in December 2016, crippling two of their North Carolina data centers. Angry customers voiced their displeasure on social media, and a class-action lawsuit has been filed.

Hackers have been relatively successful using the SamSam virus by taking advantage of RDP (Remote Desktop Protocol) connections. An independent source who works with companies that have suffered breaches told me that over 65% of the breaches he has recently dealt with are the result of RDP hacks.

So, what is an RDP hack? If you have ever let your IT person or technical support person remotely take control of your computer to fix something, that is done via an RDP connection. It is the same as you logging on to your computer and then letting the technician sit at your desk and work on your PC. Hackers use specialized search engines to detect RDP connections that are exposed to the internet. When one is located, they use password-guessing programs to hammer the PC in an attempt to gain access. If a weak password is guessed, the hackers just got the keys to the kingdom, and your data!
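The password-guessing activity described above leaves a trail in the Windows Security log: a burst of failed logons (event ID 4625) with logon type 10 (RemoteInteractive, the type RDP sessions use) from a single source address, often cycling through several account names. The following is an added example, not code from the original post or from Allscripts, showing how a practice's IT support or MSP could flag that pattern. It assumes a simplified, constructed pipe-separated record format (timestamp, event ID, logon type, account, source IP) rather than the native event log format, and the sample records are constructed for illustration.

```python
"""Flag RDP password-guessing from failed-logon records.

Added example (not from the original post). The record format below is a
constructed simplification of Windows Security event ID 4625 (failed logon)
with LogonType 10 (RemoteInteractive, i.e. RDP). A real deployment would feed
these from the Security log or a SIEM export.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: timestamp|event id|logon type|account|source IP.
# 203.0.113.45 hammers several accounts in seconds; 192.0.2.10 is one typo
# followed by a successful logon (4624); the last line is a local console
# failure (logon type 2) and is not RDP at all.
SAMPLE_LOG = """\
2018-01-18T02:00:01|4625|10|administrator|203.0.113.45
2018-01-18T02:00:03|4625|10|admin|203.0.113.45
2018-01-18T02:00:05|4625|10|frontdesk|203.0.113.45
2018-01-18T02:00:07|4625|10|administrator|203.0.113.45
2018-01-18T02:00:09|4625|10|drsmith|203.0.113.45
2018-01-18T02:00:11|4625|10|billing|203.0.113.45
2018-01-18T02:03:00|4625|10|drsmith|192.0.2.10
2018-01-18T02:45:00|4624|10|drsmith|192.0.2.10
2018-01-18T03:10:00|4625|2|drsmith|127.0.0.1
"""

FAILED_LOGON = "4625"      # Windows Security: an account failed to log on
RDP_LOGON_TYPE = "10"      # RemoteInteractive (Remote Desktop)


def parse_records(text):
    """Parse the constructed pipe-separated format into a list of dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, account, src_ip = line.split("|")
        records.append({
            "time": datetime.fromisoformat(ts),
            "event_id": event_id,
            "logon_type": logon_type,
            "account": account,
            "src_ip": src_ip,
        })
    return records


def detect_rdp_bruteforce(records, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: (failures_in_window, distinct_accounts)} for every
    source that produces at least `threshold` failed RDP logons within any
    sliding window of length `window`.
    """
    recent = defaultdict(deque)   # src_ip -> timestamps of failures in window
    accounts = defaultdict(set)   # src_ip -> account names it has tried
    flagged = {}
    for rec in sorted(records, key=lambda r: r["time"]):
        if rec["event_id"] != FAILED_LOGON or rec["logon_type"] != RDP_LOGON_TYPE:
            continue
        src = rec["src_ip"]
        q = recent[src]
        q.append(rec["time"])
        accounts[src].add(rec["account"])
        # Drop failures that fell out of the sliding window.
        while q and rec["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = (len(q), len(accounts[src]))
    return flagged


if __name__ == "__main__":
    hits = detect_rdp_bruteforce(parse_records(SAMPLE_LOG))
    for ip, (failures, names) in hits.items():
        print(f"{ip}: {failures} failed RDP logons across {names} account names")
```

On the sample data only 203.0.113.45 is flagged (six failures across five account names in ten seconds); the single failure from 192.0.2.10 and the local console failure are ignored. The threshold and window are assumptions to be tuned to the practice's traffic; pairing the alert with account lockout and keeping RDP off the public internet addresses the cause rather than just the symptom.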

So, should you use a cloud-based EHR system, or not? For small to medium-sized practices, I would recommend a cloud EHR system, with the requirement that you must do your homework first! A worthy cloud EHR provider should deliver greater security than an on-site server and the typical security measures implemented by internal IT support or an MSP. It should also provide improved contingency capabilities and disaster recovery ability, although in this case, Allscripts is the disaster.

Here are the steps I would recommend in selecting a cloud-based EHR system.

  1. Confirm that the candidate EHR system meets the requirements of the providers and staff. A simple statement, but it requires a significant investment to make the right choice. I have seen a lot of practices that are on their second or third EHR system.
  2. Written confirmation that the ePHI is fully encrypted during transmission and storage. Transmission not only includes traffic between your practice and the cloud, but also traffic within the cloud between physical facilities.
  3. Regular (at least daily) data backups to at least one other physical facility. Thus, if there is a disruptive event at one location, you can quickly recover and deliver healthcare. In fact, they should be providing redundant data centers, so you would not know if one data center or server farm failed. This greatly improves your HIPAA “Availability” requirement and simplifies your disaster recovery planning, which is another HIPAA requirement.
  4. Written performance guarantees that include minimum uptime and recovery times.
  5. Data integrity assurances confirming that the EHR system will not corrupt your data. There is a substantial lawsuit against a cloud EHR vendor for data corruption.
  6. Documented ability to export your data in a standard, useful format should you elect to terminate your relationship.
  7. Proof that they successfully passed an SSAE 16/18 audit, meet FISMA requirements, and hold other appropriate third-party certifications. These will address cybersecurity and physical security requirements.
  8. Proof they performed a HIPAA Security Risk Assessment in the past year.
  9. Execute a current Business Associate Agreement with the vendor. They may require you to sign their BAA, and if they do, it is worth the investment to have your legal counsel review the BAA and the contract with the vendor.

These steps will help ensure that your practice is properly protected and your patient data is safe.

If you have questions about the information provided, or need HIPAA or cybersecurity guidance, don’t hesitate to contact us at: compliance@thirdrock.com

Protect your Clients. Protect your Organization. Protect Yourself.™