Ransomware Attack on Allscripts’ Cloud-Based EHR and E-Prescribing Platforms: What Providers Need to Know

pexels-photo-263370.jpegBy Kathie McDonald-McClure

What Happened. According to several healthcare news sources, on Thursday, January 18, 2018, Allscripts experienced a ransomware attack on the computer servers that host the Allscripts cloud-based EHR and the Allscripts cloud-based Electronic Prescriptions for Controlled Substances (“EPCS”) platform. Allscripts did not pay the ransom because it had recent data backups that were unaffected by the attack.¹

Initial Impact on Allscripts’ Clients. The EPCS reportedly was restored on Saturday, January 20, 2018. The EHR system reportedly continued to be adversely affected through at least Monday, January 22, 2018, with some providers still reporting log-in issues through Wednesday, January 24, 2018. Allscripts held a conference call with providers in which it advised providers that they may continue to experience usage interruptions with the cloud-based products until Allscripts completed a roll-out of security updates. During down times, Allscripts urged providers to use the Allscripts mobile solution (only available on the iPhone) to view medical histories and schedules but acknowledged that providers would be unable to Continue reading

Can blockchain technology solve healthcare IT security and interoperability challenges?

On March 20-21, 2017, multiple healthcare technology companies came together in Washington, D.C. to host The Healthcare Blockchain Summit.  Blockchain, the technology that underpins bitcoin technology, keeps data secure in a “distributed, encrypted ledger” while allowing control over who can access that ledger.  This is the hottest technology being discussed today as a way to secure confidential or sensitive data.

The on-line technology publication, Wired, describes blockchain’s security method in a February 1, 2017 article as follows: “Rather than having one central administrator that acts as a gatekeeper to data—a list of digital transactions—there’s one shared ledger, but it’s spread across a Continue reading

Tennessee’s Data Breach Law Drawing National Attention

flash driveBy Kathie McDonald-McClure

We recently posted an article about Tennessee’s amendment to its data breach notification law.  This amendment has drawn much attention among cyber security professionals and corporate general counsel across the country.  As Jennifer Williams-Alvarez reported in her article for Corporate Counsel magazine, cyber security was a plenary session topic at the 2016 Association of Corporate Counsel (ACC) Mid-Year Meeting in New York City this week.  See “At ACC Event, Experts Say Data Breaches Are Inevitable. So Now What?”, Corporate Counsel (April 14, 2016)(Read more: here).  In fact, an ACC Foundation report on the “State of Cybersecurity”, released in December 2015, said one-third of in-house counsel reported that their companies experienced a data breach and more than one-half reported increased spending in cybersecurity.

Matt San Roman and I spoke with Ms. Williams-Alvarez this morning.  She is working on a follow-up article regarding the amendments (HB2005 and SA0618) to the Tennessee data breach law.  When the article is published, we will provide a link here for those of you who are not currently Corporate Counsel subscribers.  Stay tuned . . .

Tennessee Amends Data Breach Notification Law – Removes Encryption Exemption (or does it?)

By Kathie McDonald-McClure and Matt San Roman

data-breaches-notification

On March 24, 2016, Tennessee Governor Bill Haslam signed into law SB2005 as amended by SA0618, revising the Tennessee Identity Theft Deterrence Act of 1999, currently codified at T. C. A. § 47-18-2101, et seq.  Under the revised law, organizations subject to the law that experience a data breach will be required to notify affected individuals in Tennessee “immediately” and no later than 45 days from the discovery or notification of a security breach of computerized personal information, unless a law enforcement investigation related to the breach requires a delay in notification. While most similar state laws refrain from mandating a definite period within which to provide notification to affected individuals or state agencies, Tennessee, effective July 1, 2016, will join seven other states in requiring notification within a specific time.

Perhaps more notably with this amendment, Tennessee “may” be the first state in the United States to remove the encryption safe harbor.* The 46 other state data breach notification laws require notification to affected individuals if Continue reading

Federal Agency to Develop Model Privacy Notice for Healthcare Apps

Healthcare_Apps_for_Android_TabletsOn Friday, February 26, 2016, the Office of the National Coordinator (ONC) for Health Information Technology (HIT) announced via a blog post, that ONC will be updating the Model Privacy Notice (MPN) that, in 2011, ONC developed in concert with the Federal Trade Commission (FTC) for “personal health records” (PHRs), which was the emerging technology at the time.  ONC noted that since 2011, many retail healthcare apps such as exercise trackers and other wearable technology, have emerged and that consumers using such technology should be informed on how data collected through such apps is being used by the app developer and other third parties.  ONC stated that the MPN is “a voluntary, openly available resource designed to help developers provide transparent notice to consumers about what happens to their data.”

Importantly, healthcare app developers should take heed that ONC is not the only federal agency interested in ensuring that there is adequate consumer protection for individuals taking Continue reading