There have been dozens of reported cyberattacks in healthcare over the past two months based on a variant of SamSam ransomware. A brief look at two, one localized and one nationwide, illustrates the power and the pain of extortion by hackers, and serves as a reminder of the risk of complacency.

First, the Hancock Health system in Indiana was attacked on January 11, 2018. Eastern European-based hackers infected its system with SamSam ransomware, locking key medical files from access and renaming them all "I'm sorry". The hackers offered to reopen the system for $55,000 in bitcoin and threatened to permanently encrypt 1,400 files if not paid within seven days. The hospital paid the ransom; while backups were in place, reintegrating them would have taken substantially longer, and would have been significantly more costly, than unlocking the system with the hackers' own keys. The attackers apparently gained entry to the system through the use of a vendor's name and password.

Next, Allscripts, which provides EHR services to tens of thousands of physician groups and over 180,000 physician users, faced a SamSam attack on January 18 which brought down its cloud hosting services for about 1,500 of its customers. One, Surfside Non-Surgical Orthopedics, is the lead plaintiff in a class-action lawsuit filed in Allscripts' home jurisdiction of Illinois shortly after the incident.

Surfside's Complaint provides an example of SamSam in action:

Plaintiff noted in its Complaint that Allscripts reported the risk in its own SEC 10K filing. Its 10K noted that "companies in our industry have been targeted by such events with increasing frequency, primarily due to the increasing value of health care related data. We have devoted and continue to devote significant resources to protecting and maintaining the confidentiality of this information including designing and implementing security and privacy programs and controls, training our workforce and implementing new technology. We have no guarantee that these programs and controls will be adequate to prevent all possible security threats. Any compromise of our electronic systems, including the unauthorized access, use or disclosure of sensitive information or a significant disruption of our computing assets and networks, could adversely affect our reputation or our ability to fulfill contractual obligations." The filing also reported that "[Allscripts] cannot provide assurance" that its insurance coverage (including its SIR) would "prove to be adequate or will continue to be available on acceptable terms."

The suit, in federal court in the Northern District of Illinois, claims negligence, gross negligence, fraud, and violations of the Illinois Consumer Protection Statute.
