Six days after a ransomware attack took some Allscripts applications offline, physician practices across the country are struggling to maintain basic patient care functions, prompting some to cancel procedures and open up lines of credit to make up for lost revenue.
The ransomware attack, which hit two Allscripts data centers in North Carolina early Thursday morning, impacted roughly 1,500 clients across the country, according to a company spokesperson. That’s a small portion of the 45,000 physician practices and 180,000 physicians the company counts as clients.
But those small physician practices disrupted by the attack tell FierceHealthcare they have been paralyzed since Thursday. As of Tuesday morning, many of those practices were still unable to connect to their EHR, forcing providers to treat patients without access to their medical history. Disruptions to Allscripts' patient scheduling system led some practices to cancel surgeries and tests and set up an “open clinic” to manage incoming patients without an appointment calendar.
“This one really brought us to our knees,” says Robert Dallas, the executive director of Specialty Physician Associates, a specialty clinic in Bethlehem, Pennsylvania, made up of about 20 physicians. “We have no idea when patients are showing up. We can’t access anything.”
On a customer call Monday morning, Robyn Eckerling, chief privacy and security counsel for Allscripts, said base functionality for scheduling and EHRs—including Allscripts PM and Professional EHR—was back online and the company was working to restore user permissions.
She said clients can access patient data through the company's mobile application, but other Allscripts interfaces, including clinical decision support, analytics, data extraction and regulatory reporting, are scheduled to be back online by the end of the week.
In the meantime, the outage took down Allscripts' billing and claims management applications, leaving practices wondering how they’ll manage the financial repercussions.
On Monday, Dallas was getting a line of credit from his bank in order to pay staff. He says the practice, which takes in about $25,000 a day in revenue, was financially crippled without the ability to file insurance claims.
Dawn Ingram, the office manager for Starkville Urology, a single-physician clinic in Mississippi, says her practice faces similar financial constraints and worries about the downstream consequences.
“It takes two weeks for a claim to be processed,” she said. “Two weeks from now, we’re going to be screwed.”
#AllScripts has poor business continuity plans. Their lack of proper updates to their servers has cost us a fortune in lost revenue, staff salary, and patient satisfaction just to name a few. We are still not operational with no firm ETA provided. — Dawn Marie Ingram (@thrdmathis) January 23, 2018
Several physician practices said they planned to file complaints with the Office of the National Coordinator for Health IT. Allscripts maintains it is working “unceasingly to restore all services,” adding that there is no evidence any data was removed from its servers.
“Of the roughly 1,500 clients impacted, none were hospitals or large independent physician practices, and services to many already have been restored,” Allscripts spokesperson Concetta Rasiarmos said in an email to FierceHealthcare.
Beyond the disruptions to patient care, many physician practices feel jilted by Allscripts—both in the way the company has managed provider communications following the attack and because they feel they were forced to migrate to a cloud-hosted service once Allscripts replaced its MyWay EHR with Pro.
Several office managers said the security features of cloud hosting were part of Allscripts’ sales pitch.
“They never gave us the option,” Dallas says. “They told us Allscripts-hosted [applications] were the better solution.”
Large practices and hospital systems that use Allscripts host applications on their own data center, which in this case minimized the impact of this particular attack on those providers. But for smaller practices, data centers are not always practical, said Mac McMillan, CEO of Cynergistek, a cybersecurity consulting firm. And providers still need to pay the extra costs of detection, response and recovery.
“What they need to do is make sure that their vendor has planned responsibly, and they understand what that means for them,” he wrote in an email to FierceHealthcare.
Despite the backlash from physician practices, McMillan says it appears Allscripts responded “very quickly and responsibly.” But that won’t shield the company from criticism. Although any company can fall victim to a cyberattack, clients often feel that since they've turned over their data, they shouldn’t have to worry about the impact of an attack.
“The lesson here is no matter what you do there is going to be a huge reputational hit absorbed when these events happen, primarily because many do not understand what it takes to recover rapidly,” he said.
But that’s not likely to soothe practices struggling to pay their bills, including overtime for employees tasked with managing the operational workaround following the outage.
“Allscripts charges us $10,000 in maintenance fees each year for their host environment,” Ingram says. “Surely there is no way they will expect that much this year.”