Allscripts
Healthcare Applications
Allscripts - Health IT solutions for clinical and financial management in healthcare.
Detection Rules for Allscripts
These detection rules cover various aspects of Allscripts, a health IT solution for clinical and financial management in healthcare.
Provider: Allscripts
Detection Rule (App: Allscripts) | MITRE Tactic | MITRE Technique | Criticality
---|---|---|---
Unauthorized Access to Patient Records | Credential Access | T1078: Valid Accounts | High
Suspicious Login Attempts | Initial Access | T1078.001: Valid Accounts | High
Access to EHR Records by Non-Assigned Clinicians | Credential Access | T1081: Credentials in Files | Medium
Data Exfiltration via File Exports | Exfiltration | T1020: Automated Exfiltration | High
Modifications to EHR Records | Impact | T1490: Inhibit System Recovery | Medium
High Frequency of Privilege Escalations | Privilege Escalation | T1134: Access Token Manipulation | High
Unusual Access from External IP Addresses | Initial Access | T1102: Web Service | Medium
Unusual API Call Patterns | Defense Evasion | T1071: Application Layer Protocol | Medium
Attempted Access Outside of Standard Hours | Persistence | T1037: Boot or Logon Initialization Scripts | Medium
Use of Compromised Credentials | Credential Access | T1078: Valid Accounts | High
APIs and Their Scopes
Detection Rule (App: Allscripts) | Required API | Scopes Required | Usage
---|---|---|---
Unauthorized Access to Patient Records | EHR Audit API | read:audit:patient | Retrieve audit logs on patient record access to identify unauthorized access patterns. |
Suspicious Login Attempts | Identity Management API | read:login:events | Track login attempts, including IP addresses and timestamps, to detect unusual patterns. |
Access to EHR Records by Non-Assigned Clinicians | Role Assignment API | read:role:assignment | Check role-based access controls and validate access permissions against clinician roles. |
Data Exfiltration via File Exports | Data Export API | read:export:activity | Monitor export actions for patterns indicative of data exfiltration. |
Modifications to EHR Records | Record Management API | read:record:modification | Track modifications in patient EHR records for unauthorized changes to high-risk fields. |
High Frequency of Privilege Escalations | Access Management API | write:privilege:escalation | Monitor privilege changes, track frequency of escalations, and correlate with user identity information. |
Unusual Access from External IP Addresses | Security Events API | read:access:external | Query access records to detect logins from suspicious or high-risk external IP addresses. |
Unusual API Call Patterns | API Gateway Monitoring API | read:api:usage | Analyze API call frequencies and target endpoints to detect anomalous usage patterns. |
Attempted Access Outside of Standard Hours | Access Control API | read:access:hours | Retrieve access attempts outside of normal work hours to identify potential persistence techniques. |
Use of Compromised Credentials | Credential Monitoring API | read:compromised:credentials | Check for known compromised credentials and monitor access attempts for potential unauthorized usage. |
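The table above names the data each rule consumes but not how a rule turns that data into an alert. The following is an added example, not code from the page or from Allscripts, of a minimal rule engine that implements four of the listed rules (after-hours access, access by a non-assigned clinician, a burst of failed logins, and access from an external IP) over constructed audit events. The event field names, the role-assignment map, the organization's internal address range, the standard-hours window and the failed-login threshold are all assumptions for this example; a real deployment would fill them from the EHR Audit, Identity Management and Role Assignment APIs named above.

```python
"""Added example: toy detection-rule engine over constructed Allscripts-style
audit events. Schema, thresholds and role data are assumptions, not vendor output."""
import ipaddress
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample events (assumed schema: ts, user, action, result, src_ip, patient).
EVENTS = [
    {"ts": "2024-03-04T09:12:00", "user": "dr.lee", "action": "login", "result": "success", "src_ip": "10.20.1.15", "patient": None},
    {"ts": "2024-03-04T09:15:00", "user": "dr.lee", "action": "record_view", "result": "success", "src_ip": "10.20.1.15", "patient": "P-1001"},
    {"ts": "2024-03-04T02:40:00", "user": "nurse.kim", "action": "record_view", "result": "success", "src_ip": "10.20.1.30", "patient": "P-2002"},
    {"ts": "2024-03-04T13:00:00", "user": "dr.patel", "action": "login", "result": "success", "src_ip": "203.0.113.7", "patient": None},
    {"ts": "2024-03-04T13:01:00", "user": "dr.patel", "action": "record_view", "result": "success", "src_ip": "203.0.113.7", "patient": "P-1001"},
] + [
    # six failed logins for one account from one source within six minutes (constructed)
    {"ts": f"2024-03-04T11:{m:02d}:00", "user": "admin", "action": "login", "result": "failure", "src_ip": "198.51.100.9", "patient": None}
    for m in range(6)
]

# Constructed stand-in for the Role Assignment API (read:role:assignment): user -> assigned patients.
ASSIGNMENTS = {"dr.lee": {"P-1001"}, "nurse.kim": {"P-2002"}, "dr.patel": {"P-3003"}}

# Assumed organization-specific tuning.
WORK_START, WORK_END = time(7, 0), time(19, 0)          # standard working hours
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]    # addresses considered internal
FAILED_LOGIN_THRESHOLD = 5                              # failures per (user, ip) ...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)             # ... within this window


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _alert(rule, criticality, user, detail):
    return {"rule": rule, "criticality": criticality, "user": user, "detail": detail}


def rule_after_hours(events):
    """Attempted Access Outside of Standard Hours (Medium): any event outside the work window."""
    return [_alert("Attempted Access Outside of Standard Hours", "Medium", e["user"], e["ts"])
            for e in events if not (WORK_START <= _ts(e).time() < WORK_END)]


def rule_non_assigned_clinician(events, assignments):
    """Access to EHR Records by Non-Assigned Clinicians (Medium): successful record access
    for a patient the user is not assigned to."""
    return [_alert("Access to EHR Records by Non-Assigned Clinicians", "Medium", e["user"],
                   f"patient {e['patient']} not in user's assignments")
            for e in events
            if e["patient"] is not None and e["result"] == "success"
            and e["patient"] not in assignments.get(e["user"], set())]


def rule_failed_login_burst(events, threshold=FAILED_LOGIN_THRESHOLD, window=FAILED_LOGIN_WINDOW):
    """Suspicious Login Attempts (High): >= threshold failed logins for one (user, ip) inside a
    sliding time window. One alert per (user, ip) pair."""
    buckets = defaultdict(list)
    for e in events:
        if e["action"] == "login" and e["result"] == "failure":
            buckets[(e["user"], e["src_ip"])].append(_ts(e))
    alerts = []
    for (user, ip), times in buckets.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(_alert("Suspicious Login Attempts", "High", user,
                                     f"{end - start + 1} failed logins from {ip} within {window}"))
                break
    return alerts


def rule_external_ip(events, internal_nets=INTERNAL_NETS):
    """Unusual Access from External IP Addresses (Medium): successful activity from a source
    outside the known internal ranges, deduplicated per (user, ip)."""
    seen, alerts = set(), []
    for e in events:
        addr = ipaddress.ip_address(e["src_ip"])
        if e["result"] != "success" or any(addr in net for net in internal_nets):
            continue
        if (e["user"], e["src_ip"]) not in seen:
            seen.add((e["user"], e["src_ip"]))
            alerts.append(_alert("Unusual Access from External IP Addresses", "Medium",
                                 e["user"], f"source {e['src_ip']} outside internal ranges"))
    return alerts


def run_rules(events=EVENTS, assignments=ASSIGNMENTS):
    """Run every rule and return the combined alert list."""
    return (rule_after_hours(events) + rule_non_assigned_clinician(events, assignments)
            + rule_failed_login_burst(events) + rule_external_ip(events))


if __name__ == "__main__":
    for a in run_rules():
        print(f"[{a['criticality']}] {a['rule']}: user={a['user']} ({a['detail']})")
```

On the constructed input this yields four alerts, one per rule: the 02:40 record view by nurse.kim, dr.patel opening a patient outside their assignments, the admin failed-login burst, and dr.patel's activity from 203.0.113.7. The external-IP rule deliberately checks against an explicit internal allow-list rather than relying on a generic "public address" test, because the ranges a hospital considers internal (VPN pools, partner links) are an organizational fact, not a property of the address itself.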
Reports and Widgets for CISO
Report Name | Widget | Description
---|---|---
Access Activity Report | Login Attempts by Location | Maps login attempts by geographic location to detect suspicious locations.
Access Activity Report | Login Success/Failure Rates | Shows successful and failed login attempts, providing insight into potential brute force attempts.
Access Activity Report | User Access Patterns | Tracks individual user access over time to detect unusual patterns.
Access Activity Report | External IP Access Summary | Lists recent access from external IPs, highlighting any suspicious locations.
Data Access Compliance Report | High-Risk Patient Record Access | Lists access to sensitive patient records by high-risk users.
Data Access Compliance Report | Role-Based Access Violations | Identifies users accessing records outside of their assigned role permissions.
Data Access Compliance Report | Exported Records Log | Shows details on patient record export activities for audit and compliance.
Privilege Escalation Monitoring | Privileged User Access Timeline | Displays access by privileged users over time to identify unusual activity spikes.
Privilege Escalation Monitoring | Recent Privilege Escalations | Lists recent instances of privilege escalation, including details on the user and reason.
EHR Modification Tracking | Record Modification Overview | Summarizes modifications to high-risk fields in patient records for accountability.
EHR Modification Tracking | Most Modified Records | Highlights records with frequent modifications, indicating possible unauthorized changes.
Anomalous Activity Dashboard | After-Hours Access Summary | Shows access attempts outside of regular working hours, filtering for high-sensitivity data.
Incident and Threat Overview | Recent Incident Log | Logs details of recent incidents and their investigation status.
Incident and Threat Overview | Compromised Credential Detection | Identifies login attempts using known compromised credentials, signaling potential breaches.
Incident and Threat Overview | IP Risk Assessment | Lists IPs flagged as high-risk in recent access attempts, integrating threat intelligence for further context.