Allscripts Ransomware Attack a Reminder of Cloud Risks
Points to Need for Clients to Have Business Continuity Plan
A ransomware attack on electronic health records vendor Allscripts late last week is a reminder of the potential disruption to patient care delivery that healthcare entities can face if a cloud-services provider suffers a cyberattack. It also points to the need for business continuity planning.
Healthcare organizations relying on cloud-based services need to be ready for potential ransomware and other cyber-related outages that impact patient care and other business operations, says Tom Walsh, managing partner and founder of consulting firm tw-Security. “Healthcare entities need to take a closer look at their disaster recovery and business continuity plans to make sure the plans address what to do if the cloud services are unavailable,” he says. “The lack of well-written disaster recovery and business continuity plans have been and still are a common finding in healthcare. These plans are supposed to be designed around the worst-case scenario, but seldom are.”
Some cloud-based services providers also have worst-case scenario planning in mind for customers that could be impacted by ransomware attacks on the vendors, Walsh notes.
“Some EHR vendors offer a downtime or disaster recovery service offering in the form of a copy of the database of current inpatient population to a local workstation or server,” he says. “While a full-functioning EHR may not be available, there is at least enough information available at a local level to provide patient care. But plans are only effective if they are periodically tested using a different scenario each time they are tested and revised as a result of the test.”
Healthcare providers that rely on cloud-based services providers are often at the mercy of these vendors because their “eggs are all in one basket,” Walsh adds. “Don’t forget the basic concepts of business continuity and disaster recovery,” he stresses. “Plan for the worst case. Develop strategies. Test plans. Revise plans and recovery strategies as needed. Disaster recovery and business continuity plans need to be reviewed frequently and not something that is written in order to check a compliance box.”