Allscripts

Healthcare Applications

Allscripts - Health IT solutions for clinical and financial management in healthcare.

Detection Rules for Allscripts
These detection rules cover various aspects of Allscripts, a health IT solution for clinical and financial management in healthcare.

Provider: Allscripts

App: Allscripts

Unauthorized Access to Patient Records
  MITRE Tactic: Credential Access
  MITRE Technique: T1078: Valid Accounts
  Criticality: High
  Investigation Actions (APIs): Query IP reputation databases (e.g., AbuseIPDB). Check the user's location and access time for anomalies.
  Incident Creation Criteria: Create an incident if access occurs from an unknown IP or during unusual hours without justification.

Suspicious Login Attempts
  MITRE Tactic: Initial Access
  MITRE Technique: T1078.001: Valid Accounts
  Criticality: High
  Investigation Actions (APIs): Perform a GeoIP lookup. Analyze login times and patterns across accounts.
  Incident Creation Criteria: Create an incident if multiple failed login attempts from unusual locations occur in a short period.

Access to EHR Records by Non-Assigned Clinicians
  MITRE Tactic: Credential Access
  MITRE Technique: T1081: Credentials in Files
  Criticality: Medium
  Investigation Actions (APIs): Validate patient-clinician assignments. Cross-check access logs against the user's department and assigned roles.
  Incident Creation Criteria: Create an incident if a clinician without an assignment accesses specific patient data without a proper request.

Data Exfiltration via File Exports
  MITRE Tactic: Exfiltration
  MITRE Technique: T1020: Automated Exfiltration
  Criticality: High
  Investigation Actions (APIs): Monitor export patterns. Query unusual file export or transfer frequencies and destinations.
  Incident Creation Criteria: Create an incident if high-volume or unusual exports are detected, especially to external locations.

Modifications to EHR Records
  MITRE Tactic: Impact
  MITRE Technique: T1490: Inhibit System Recovery
  Criticality: Medium
  Investigation Actions (APIs): Check audit logs for recent modifications. Verify modifications to high-risk fields such as patient status or history.
  Incident Creation Criteria: Create an incident if unauthorized or suspicious modifications are detected in patient records.

High Frequency of Privilege Escalations
  MITRE Tactic: Privilege Escalation
  MITRE Technique: T1134: Access Token Manipulation
  Criticality: High
  Investigation Actions (APIs): Monitor role assignments and changes. Check for frequent privilege adjustments by the same user or admin account.
  Incident Creation Criteria: Create an incident if high-frequency privilege changes are detected without a valid reason.

Unusual Access from External IP Addresses
  MITRE Tactic: Initial Access
  MITRE Technique: T1102: Web Service
  Criticality: Medium
  Investigation Actions (APIs): Use an IP lookup to verify address details. Analyze access time and behavior after login.
  Incident Creation Criteria: Create an incident if access is detected repeatedly from high-risk or unexpected locations.

Unusual API Call Patterns
  MITRE Tactic: Defense Evasion
  MITRE Technique: T1071: Application Layer Protocol
  Criticality: Medium
  Investigation Actions (APIs): Query API logs for high-frequency calls. Review the endpoints accessed for sensitive or restricted data.
  Incident Creation Criteria: Create an incident if repeated API calls indicate potential abuse or unauthorized data access.

Attempted Access Outside of Standard Hours
  MITRE Tactic: Persistence
  MITRE Technique: T1037: Boot or Logon Initialization Scripts
  Criticality: Medium
  Investigation Actions (APIs): Validate the access time against the user's regular work hours. Check access attempts against previous behavior.
  Incident Creation Criteria: Create an incident if multiple off-hours accesses are attempted without documented work authorization.

Use of Compromised Credentials
  MITRE Tactic: Credential Access
  MITRE Technique: T1078: Valid Accounts
  Criticality: High
  Investigation Actions (APIs): Use threat intelligence to confirm compromised credentials. Monitor for use of known breached passwords or tokens.
  Incident Creation Criteria: Create an incident if user credentials match known compromised sources or are used from unrecognized locations.
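As an added example (not Allscripts code and not part of this rule set), the incident creation criteria for "Suspicious Login Attempts" and "Attempted Access Outside of Standard Hours" implemented as detection logic over constructed login events; the event field names, thresholds, window size and per-user baseline are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login/access events (not real Allscripts data; field names are assumptions).
EVENTS = [
    {"ts": "2024-03-04T02:01:00", "user": "dr.lee", "ip": "203.0.113.7", "country": "RO", "result": "fail"},
    {"ts": "2024-03-04T02:02:10", "user": "dr.lee", "ip": "203.0.113.7", "country": "RO", "result": "fail"},
    {"ts": "2024-03-04T02:03:30", "user": "dr.lee", "ip": "203.0.113.9", "country": "RO", "result": "fail"},
    {"ts": "2024-03-04T02:04:45", "user": "dr.lee", "ip": "203.0.113.9", "country": "RO", "result": "success"},
    {"ts": "2024-03-04T09:15:00", "user": "nurse.kim", "ip": "198.51.100.4", "country": "US", "result": "fail"},
    {"ts": "2024-03-04T14:00:00", "user": "dr.lee", "ip": "198.51.100.8", "country": "US", "result": "fail"},
]
# Per-user baseline: countries seen in normal use and usual working hours (start, end) in 24h local time.
BASELINE = {"dr.lee": {"countries": {"US"}, "hours": (7, 19)},
            "nurse.kim": {"countries": {"US"}, "hours": (6, 18)}}

def when(ev):
    return datetime.fromisoformat(ev["ts"])

def suspicious_login_incidents(events, baseline=BASELINE, threshold=3, window=timedelta(minutes=10)):
    # Rule "Suspicious Login Attempts": >= threshold failed logins for one user from countries
    # outside that user's baseline, all inside a sliding time window.
    fails = defaultdict(list)
    for ev in sorted(events, key=when):
        known = baseline.get(ev["user"], {}).get("countries", set())
        if ev["result"] == "fail" and ev["country"] not in known:
            fails[ev["user"]].append(ev)
    incidents = []
    for user, evs in fails.items():
        start = 0
        for end in range(len(evs)):
            while when(evs[end]) - when(evs[start]) > window:
                start += 1  # slide the window forward until it spans at most `window`
            if end - start + 1 >= threshold:
                incidents.append({"rule": "Suspicious Login Attempts", "user": user,
                                  "count": end - start + 1,
                                  "ips": sorted({e["ip"] for e in evs[start:end + 1]})})
                break  # one incident per user; the analyst attaches later events to it
    return incidents

def off_hours_incidents(events, baseline=BASELINE, threshold=2, authorized=frozenset()):
    # Rule "Attempted Access Outside of Standard Hours": >= threshold attempts outside the
    # user's working hours by a user with no documented work authorization.
    counts = defaultdict(int)
    for ev in events:
        lo, hi = baseline.get(ev["user"], {}).get("hours", (0, 24))
        if ev["user"] not in authorized and not lo <= when(ev).hour < hi:
            counts[ev["user"]] += 1
    return [{"rule": "Attempted Access Outside of Standard Hours", "user": u, "count": c}
            for u, c in counts.items() if c >= threshold]
```

Failed logins from a country already in the user's baseline (nurse.kim's US failure) never count toward the first rule, which keeps an ordinary mistyped password from opening an incident.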

APIs and Their Scopes

App: Allscripts

Unauthorized Access to Patient Records
  Required API: EHR Audit API
  Scopes Required: read:audit:patient
  Usage: Retrieve audit logs on patient record access to identify unauthorized access patterns.

Suspicious Login Attempts
  Required API: Identity Management API
  Scopes Required: read:login:events
  Usage: Track login attempts, including IP addresses and timestamps, to detect unusual patterns.

Access to EHR Records by Non-Assigned Clinicians
  Required API: Role Assignment API
  Scopes Required: read:role:assignment
  Usage: Check role-based access controls and validate access permissions against clinician roles.

Data Exfiltration via File Exports
  Required API: Data Export API
  Scopes Required: read:export:activity
  Usage: Monitor export actions for patterns indicative of data exfiltration.

Modifications to EHR Records
  Required API: Record Management API
  Scopes Required: read:record:modification
  Usage: Track modifications in patient EHR records for unauthorized changes to high-risk fields.

High Frequency of Privilege Escalations
  Required API: Access Management API
  Scopes Required: write:privilege:escalation
  Usage: Monitor privilege changes, track the frequency of escalations, and correlate with user identity information.

Unusual Access from External IP Addresses
  Required API: Security Events API
  Scopes Required: read:access:external
  Usage: Query access records to detect logins from suspicious or high-risk external IP addresses.

Unusual API Call Patterns
  Required API: API Gateway Monitoring API
  Scopes Required: read:api:usage
  Usage: Analyze API call frequencies and target endpoints to detect anomalous usage patterns.

Attempted Access Outside of Standard Hours
  Required API: Access Control API
  Scopes Required: read:access:hours
  Usage: Retrieve access attempts outside of normal work hours to identify potential persistence techniques.

Use of Compromised Credentials
  Required API: Credential Monitoring API
  Scopes Required: read:compromised:credentials
  Usage: Check for known compromised credentials and monitor access attempts for potential unauthorized usage.

Reports and Widgets for CISO

Access Activity Report
  Login Attempts by Location: Maps login attempts by geographic location to detect suspicious locations.
  Login Success/Failure Rates: Shows successful and failed login attempts, providing insight into potential brute force attempts.
  User Access Patterns: Tracks individual user access over time to detect unusual patterns.
  External IP Access Summary: Lists recent access from external IPs, highlighting any suspicious locations.

Data Access Compliance Report
  High-Risk Patient Record Access: Lists access to sensitive patient records by high-risk users.
  Role-Based Access Violations: Identifies users accessing records outside of their assigned role permissions.
  Exported Records Log: Shows details on patient record export activities for audit and compliance.

Privilege Escalation Monitoring
  Privileged User Access Timeline: Displays access by privileged users over time to identify unusual activity spikes.
  Recent Privilege Escalations: Lists recent instances of privilege escalation, including details on the user and reason.

EHR Modification Tracking
  Record Modification Overview: Summarizes modifications to high-risk fields in patient records for accountability.
  Most Modified Records: Highlights records with frequent modifications, indicating possible unauthorized changes.

Anomalous Activity Dashboard
  After-Hours Access Summary: Shows access attempts outside of regular working hours, filtering for high-sensitivity data.

Incident and Threat Overview
  Recent Incident Log: Logs details of recent incidents and their investigation status.
  Compromised Credential Detection: Identifies login attempts using known compromised credentials, signaling potential breaches.
  IP Risk Assessment: Lists IPs flagged as high-risk in recent access attempts, integrating threat intelligence for further context.