The Grey’s Anatomy / Allscripts Ransomware Crossover Event: When Scripted TV Becomes Reality, the Script Goes Out the Window

by Dickinson Wright

For those familiar with the Shonda Rhimes juggernaut, Grey’s Anatomy, it is the story of surgical residents, fellows, and attending physicians as they work in the surgical wing of the fictional Grey Sloan Memorial Hospital. In most episodes, the situations in which the doctors find themselves are entertaining, but not necessarily how they might play out in a real hospital setting.

In the show’s latest season, season 14, however, Episode 8 "Out of Nowhere" and Episode 9 "1-800-799-7233" play out a far too real situation for those in the healthcare space and demonstrate just what type of damage and disruption a cyberattack can do to a healthcare provider.

In those episodes, the hospital’s computer system is infected with ransomware that encrypts and holds hostage all of the hospital’s patients’ records until a ransom is paid in Bitcoin in an amount equivalent to $20 million USD. The fictional ransomware attack took out not only the hospital’s access to electronic patient records, essentially sending the doctors back to the Stone Age in terms of working with paper records and taking notes regarding patient activity, but also rendered inaccessible the hospital’s physical systems that were controlled by the now-encrypted computer system, such as the hospital’s blood and pharmaceutical supplies. While the eventual solution for Grey Sloan is one of Shondaland fiction (no spoilers here), the attack itself and the initial ramifications and responses to the ransomware attack are entirely realistic.

Exactly how realistic? Well, Episode 8 originally aired on November 16, 2017, and on January 18, 2018, the exact same day the second part aired, Allscripts, an electronic health record (EHR) company that provides cloud-based EHR services to healthcare systems, suffered an eerily similar attack. The attack resulted in some of the company’s applications being taken offline; its cloud PRO EHR and Electronic Prescriptions for Controlled Substances (EPCS) platforms were hit the hardest.

While Allscripts itself was not affected the way Grey Sloan was, the similarities did apply to the clients to which Allscripts provides its PRO EHR and EPCS cloud-based services. To weigh the scope of the interruptions and impact, Allscripts’ client base includes 180,000 physicians across nearly 45,000 ambulatory facilities, 2,500 hospitals and 17,000 post-acute organizations. The attack left many of Allscripts’ clients unable to access patient records or electronically prescribe medication. Ultimately, many customers faced severe and crippling operational deficiencies because necessary patient data was inaccessible, forcing some to essentially shut down and wait for Allscripts to restore the access the attack had cut off.

Some of the public Tweets using the #AllScripts hashtag provide insight as to the difficulties Allscripts clients were facing as a result of the cyberattack:

The Allscripts ransomware attack came just days after two Indiana hospitals were hit with SamSam ransomware attacks. There, one of the Indiana hospitals paid 4 Bitcoin (approximately $55,000 USD) to recover its systems. The ransomware that infected Allscripts was a new variant unrelated to the version of SamSam that infected the Indiana systems, which has been confirmed by the FBI and the investigating computer forensic companies that were called in by Microsoft and Cisco.

Allscripts has already been sued by Surfside Non-Surgical Orthopedics on behalf of all of its clients impacted over the ransomware attack and has been accused of failing to secure and audit its systems, which caused the system outage for about a week and allegedly caused "significant business interruption" and "lost revenues" for its clients.

The question, then, becomes: What can an organization do when the information attacked is not within the organization’s immediate control but is instead controlled by a third-party cloud service provider who suffers an attack?

For many businesses, including those in the healthcare space, cloud computing has been the most efficient and least expensive option for storing and accessing electronic data. As the security incidents discussed above show, however, those cloud computing hosts are not 100% secure themselves, leaving their clients exposed both to their own cybersecurity issues and to those of their cloud-services vendor. Businesses therefore need to build a cybersecurity and data accessibility disaster response component into their overarching business continuity plans.

Here are some steps businesses can take to help alleviate some of the stress of a ransomware attack:

  • Back-Up Data: The key to a ransomware attack is the hackers betting on the target needing the information being held hostage and being willing to pay a pretty penny, or in this case Bitcoin, to recover access. Data that is important to a business’s operations, like patient data for healthcare providers, should be backed up to a physical storage device, such as a USB drive or a separate server, to ensure that there is another source of access for that information. This helps ensure that valuable information is not lost or rendered unobtainable and allows the organization to continue operations, especially in the case of those providing patient services.
  • Incident Response Plan/Team: Every organization should have an incident response plan and team in place in the event a cyberattack occurs. This written and team-centered plan should include all key players of the organization, including those in the C-Suite with decision-making authority, legal, IT, forensics, and public relations to handle the communications. In the case of ransomware specifically, relationships with Bitcoin-focused entities are also helpful. Some include: "No More Ransom", which helps ransomware victims retrieve encrypted data; reputable Bitcoin exchanges, such as Coinbase, which is the largest Bitcoin company and received its license from the New York Department of Financial Services by meeting the state’s consumer protection and cybersecurity standards, Bitpay and Coinage; and Bitcoin brokers to help transfer Bitcoin quickly.
  • Policies and Procedures: For many organizations, cybersecurity policies and procedures are required. For those in the healthcare space, HIPAA/HITECH requires that covered healthcare organizations comply with the Security Rule and Privacy Rule. The U.S. Department of Health and Human Services has published a ransomware fact sheet titled "FACT SHEET: Ransomware and HIPAA". When ransomware first became an issue, it was thought not to be a breach, since the information was merely held hostage and not accessed. That is not necessarily the case anymore, and a further forensic review of the attack is now required to confirm that information was not taken during the ransomware attack. If it was, state notification laws could be triggered. For financial institutions, the Gramm-Leach-Bliley Act requires covered entities to comply with its relevant provisions, which include having a written incident response plan. (For more about GLBA compliance, click here.)
  • Vendor Contract: If the attack is on a third-party vendor, it is important to review the services agreement with the vendor to determine what the contract provides for in an attack situation. Better yet, have the vendor contract reviewed before signing, to know exactly what is contractually required to happen in terms of coverage, damages, etc., in the event of an attack. If handled correctly, the review of vendor contracts will be done in conjunction with the formation and work of the Incident Response Team.
  • Insurance: General liability and cybersecurity insurance go hand in hand. While cybersecurity insurance will likely cover the insured entity if it gets hit with a ransomware attack, it may not cover an attack on a third-party vendor and the resulting damage. This is likely where a general liability insurance policy will fill the gaps. Either way, it is important in this day and age to have both and to have both reviewed by counsel to ensure the company is properly insured regardless of the type of intrusion.
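The back-up step above is only as good as the copy’s integrity: ransomware that reaches a connected backup share encrypts that copy too, so a practitioner keeps at least one copy offline and verifies it against a hash manifest stored separately before relying on it. The following Python script is an added example, not part of the Dickinson Wright article or of any Allscripts tooling; the file names and the sample record contents it writes are constructed for illustration.

```python
"""Backup integrity manifest: record a SHA-256 per file when the offline
backup is taken, then verify a copy against that manifest before trusting
it for recovery.

Added example, not from the Dickinson Wright article. All file names and
sample record contents below are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256.json"


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large EHR exports need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map each file's path (relative to the backup root) to its SHA-256."""
    entries = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            entries[p.relative_to(backup_dir).as_posix()] = sha256_file(p)
    return entries


def write_manifest(backup_dir: Path) -> Path:
    """Persist the manifest as JSON; store a copy away from the backup media."""
    manifest_path = backup_dir / MANIFEST_NAME
    manifest_path.write_text(
        json.dumps(build_manifest(backup_dir), indent=2, sort_keys=True)
    )
    return manifest_path


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Compare the files present now against a trusted manifest.

    Reports files whose hash changed (what in-place encryption by ransomware
    looks like), files the manifest lists but that are gone, and files
    present that the manifest never recorded.
    """
    current = build_manifest(backup_dir)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Take a backup, keep the manifest in memory (standing in for a copy kept
    off the backup media), damage the backup, and return what verification finds."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "records").mkdir(parents=True)
        # Constructed sample data standing in for exported patient records.
        (backup / "records" / "patient-0001.json").write_bytes(b'{"id": 1, "allergies": ["penicillin"]}')
        (backup / "records" / "patient-0002.json").write_bytes(b'{"id": 2, "allergies": []}')
        (backup / "formulary.csv").write_bytes(b"drug,dose\nheparin,5000 IU\n")

        trusted = build_manifest(backup)

        # Simulate ransomware overwriting one record in place and deleting another.
        (backup / "records" / "patient-0002.json").write_bytes(os.urandom(48))
        (backup / "formulary.csv").unlink()

        return verify_backup(backup, trusted)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest must not live only on the media it describes: if the backup share is reachable from an infected host, the manifest can be rewritten along with the files. Keeping it on write-once storage, or simply on a second offline copy, is what makes the verification meaningful.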

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dickinson Wright | Attorney Advertising
