In March 2014, Boston Children’s Hospital learned the worst possible security news—from a third-party vendor with no formal relationship to the facility.
That vendor told the pediatric facility that it had seen online documents threatening the hospital, as well as posted documents with information on physicians such as cell phone numbers, addresses and work locations. And the information also included details of Boston Children’s infrastructure, such as the main IP address of its organizational web site.
Any kid could find this stuff easily online, but it was clear someone was trying to damage the reputation of Boston Children’s, said Daniel Nigrin, MD, senior vice president and CIO in the division of endocrinology, during the Cybersecurity Forum at HIMSS17.
Then came a video from the activist hacking organization Anonymous, accusing the hospital of having tortured a child. “I’ve been a CISO for 16 years; this was a new one me,” Nigrin recalled.
In particular, the charge from Anonymous centered on a teenage girl that the hospital determined was suffering from malnutrition. The case went to court, where a judge’s ruling removed the child from parental custody. The family fought the decision, and the controversy found its way to Anonymous, which decided that Boston Children’s needed to be taught a lesson.
“We wondered if it was the real Anonymous; thankfully, the decision was to take the threat seriously,” Nigrin said. The hospital convened an incident response team and starting forming contingency plans for an expected attack, which included “going dark” and cutting itself off from the Internet while assessing the systems and processes still necessary to keep the facility running.
In the meantime, Boston Children’s contacted local police and the FBI, who were reluctant to step in proactively, and told hospital executives to get back to them if anything happened. Three weeks went by without incident, and the facility was hit with low-value distributed denial of service attacks that were handled. But then, tactics started to change as attacks increased in volume.
One week later on a Saturday night, the cat-and-mouse game ended with a dramatic uptick in attacks and a third party was engaged to help the hospital defend itself. The concerted Anonymous cyber attack started April 14 and ended on April 27. At its peak, the hackers were sending 30-day levels of malicious traffic in very short periods of time.
The teenage patient at the center of the controversy had long since been discharged, but Anonymous was demanding she be sent home, according to Nigrin. The group threatened the hacking of documents of the hospital’s staff was coming next, with a HIPAA breach thereafter. Then, Boston Children’s saw a penetration of attacks across all organization web sites and ports, which were shut down, and also saw a massive influx of malware-laden emails—100 times more than normal—and because of the high volume, that some malware eventually would get through, so it shut down the email system temporarily.
Boston Children’s recontacted local and federal authorities, and this time, they were much more interested in what was happening, and told the hospital not to notify the press. While reporters were calling for information, the hospital was not responding. It didn’t matter; reporters already knew. The top story in the next day’s Boston Globe read, “Cyberattack Hits Children’s Hospital.”
The hospital wasn’t the only organization being attacked; an energy company that had sponsored an annual walkathon also was hit and advised to stop helping Boston Children’s. Then, within 36 hours, the attacks subsided. Boston Children’s gradually brought external facing web sites back on line after expensive penetration testing from a third-party vendor.
Before the attacks, Nigrin did not think a children’s hospital would be targeted, “so you cannot assume you are above this,” he warned colleagues. “We were fortunate to have a three-week period to prepare.”
In the current cyber environment, CISOs need to be much more aggressive, he asserted. “You need to push through security measures—there’s no excuses anymore. We’re beyond allowing ourselves to get pushed by that pushback. Focus on the pain and millions of dollars that can be spend to end an organizational incident. I urge you to use this experience as a burning platform. If your organization is not paying attention, scream louder and ask them to talk to me.”
Also See: 6 top IT security for 2017
The FBI later told Boston Children’s to pay attention to its audio-video conferencing systems, after the FBI itself was hacked by Anonymous—the group had been on calls and published transcripts, because the FBI calls had not been secure, Nigrin said.
After the attack, Boston Children’s conducted a round of security re-education and urged employees to be more observant. Soon after, that training was put to the test as the hospital was hit by phone phishing efforts.
The hospital had cyber insurance in place, but had to fight for coverage because the insurer contended what while there was an attack there was no breach. “We argued that if we had not done what we did, we would have had a massive data breach,” Nigrin said.
Register or login for access to this item and much more
All Health Data Management content is archived after seven days.
Community members receive:
- All recent and archived articles
- Conference offers and updates
- A full menu of enewsletter options
- Web seminars, white papers, ebooks
Already have an account? Log In
Don't have an account? Register for Free Unlimited Access