Lessons From Boston Children’s: When Hackers Attack Your Hospital

Boston Children's Hospital (Wikimedia Commons)

Last April, during the parents-versus-hospital custody dispute over teenager Justina Pelletier, Boston Children’s Hospital found itself under cyberattack, apparently by the hacker group Anonymous. The hospital’s website was flooded by traffic that hindered its operation, and other online operations were affected as well.

The assault brought widespread condemnation — BetaBoston called the attackers not activists but “criminals” — and subsided after about a week.

Now, Dr. Daniel Nigrin of Children’s offers some details and lessons from the assault in the latest New England Journal of Medicine: When Hacktivists Target Your Hospital.

He writes that the attack began with a warning message on Twitter relaying a set of demands, and then the hackers posted “the home and work addresses, phone numbers, and e-mail addresses of some of the people involved in the case (a tactic called ‘doxing’). The hackers also posted technical information about the hospital’s public-facing website, suggesting that it might become a target.” A few weeks later, the “distributed denial of service” — the flood of traffic — attack began.

Nigrin writes:

Over the course of the next week, the hospital was subjected to several other attacks that were intended to do more than affect its Internet connectivity. These included multiple attempts to penetrate its network through direct attacks on exposed ports and services, as well as through the use of “spear phishing” e-mails, which are intended to get recipients to click embedded links or open attachments that would provide a means for the attackers to gain access to the portion of the hospital’s network behind its firewall.

No patient data were damaged or exposed, Nigrin writes, but the experience underscores the importance of planning for the possibility of losing Internet connectivity.

Such planning is important, since preparation for downtime has traditionally focused on total loss of network access or application availability. The scenario we experienced posed a different type of risk, since many systems now utilize Internet-based resources and services. Rather than making applications completely unavailable, the attack rendered only certain functionalities within them unavailable; for instance, clinicians could create and print prescriptions but could not route them electronically to pharmacies. Communicating the problem in this degree of detail to clinicians on the fly, when normal communication channels were affected by the attack, was challenging, but it taught us new lessons about contingency planning.

It is also critical to understand an organization’s dependence on e-mail. For example, when faced with the massive influx of malware-laden e-mail, the hospital took the precautionary step of temporarily shutting down its entire e-mail system. The shutdown gave IT staff time to quarantine malicious e-mail and to notify staff of the absolute importance of not clicking links or opening attachments without being certain that they were safe. And although having no e-mail was a minor inconvenience for most employees (and a nice respite for some), many internal processes actually depend on e-mail for normal operations, so workarounds had to be developed.
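The contingency-planning lesson above is that a denial-of-service attack on Internet connectivity does not take whole applications down; it removes the specific functions that depend on external services (prescriptions could be created and printed but not routed to pharmacies). One way to prepare for that, as an added example that is not from the article or from the NEJM piece: keep an inventory that maps each clinical task to the infrastructure it needs, mark which pieces are reached over the Internet, and generate a task-level status notice for clinicians from it. All system names, tasks and dependencies below are constructed placeholders, not Boston Children's actual environment.

```python
"""Feature-level contingency map: which clinical tasks survive a loss of
Internet connectivity, which are degraded, and which are gone entirely.
Added example with a constructed inventory; the system names are hypothetical."""

from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ClinicalFunction:
    name: str                        # one task as a clinician sees it
    application: str                 # the system that provides it
    dependencies: Tuple[str, ...]    # infrastructure the task needs


# Constructed inventory. "External" dependencies are reached over the public
# Internet and are the ones a DDoS on the hospital's links would take away.
EXTERNAL: Set[str] = {"pharmacy-gateway", "insurance-eligibility", "cloud-email-filter"}
INTERNAL: Set[str] = {"lan", "emr-db", "print-server"}

FUNCTIONS: List[ClinicalFunction] = [
    ClinicalFunction("create prescription", "e-prescribing", ("lan", "emr-db")),
    ClinicalFunction("print prescription", "e-prescribing", ("lan", "emr-db", "print-server")),
    ClinicalFunction("route prescription to pharmacy", "e-prescribing",
                     ("lan", "emr-db", "pharmacy-gateway")),
    ClinicalFunction("view chart", "emr", ("lan", "emr-db")),
    ClinicalFunction("check insurance eligibility", "registration", ("lan", "insurance-eligibility")),
    ClinicalFunction("send internal mail", "email", ("lan", "cloud-email-filter")),
]


def assess(unavailable: Set[str]) -> Dict[str, Dict[str, List[str]]]:
    """Group tasks by application and split them into working / broken given
    the set of dependencies that are currently unreachable."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for fn in FUNCTIONS:
        entry = report.setdefault(fn.application, {"working": [], "broken": []})
        broken_by = sorted(set(fn.dependencies) & unavailable)
        if broken_by:
            entry["broken"].append(f"{fn.name} (needs {', '.join(broken_by)})")
        else:
            entry["working"].append(fn.name)
    return report


def status(entry: Dict[str, List[str]]) -> str:
    """Application-level summary: available, degraded, or unavailable."""
    if not entry["broken"]:
        return "available"
    if not entry["working"]:
        return "unavailable"
    return "degraded"


def internet_outage() -> Dict[str, Dict[str, List[str]]]:
    """Scenario from the article: Internet links saturated, LAN still up."""
    return assess(EXTERNAL)


def total_network_outage() -> Dict[str, Dict[str, List[str]]]:
    """The scenario traditional downtime planning covers: everything down."""
    return assess(EXTERNAL | INTERNAL)


def notice(report: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Plain-text lines suitable for a paper or overhead-page notice to clinicians."""
    lines: List[str] = []
    for app, entry in sorted(report.items()):
        lines.append(f"{app}: {status(entry)}")
        for task in entry["working"]:
            lines.append(f"  OK   {task}")
        for task in entry["broken"]:
            lines.append(f"  DOWN {task}")
    return lines


if __name__ == "__main__":
    print("\n".join(notice(internet_outage())))
```

The value of the inventory is in the `degraded` rows: during an Internet-only outage the e-prescribing application is still up, so a generic "system down" message would be wrong, and a generic "all systems normal" would be wrong too. Because the notice is generated from the same map used to build the dependency list, it can be produced and distributed by a channel that does not itself depend on the Internet.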

And perhaps the key lesson: “Health care organizations can no longer assume that they are immune from organized attacks” by hackers, and must protect themselves.