Even Hospitals Get Hacked: Lessons from Boston Children’s Hospital

We might think hospitals would be left alone when it comes to cyber attacks, but unfortunately that’s not the case. Back in April, Boston Children’s Hospital was hacked, apparently by the well-known group Anonymous.

According to an article on www.commonhealth.wbur.org, the hospital’s website was flooded with traffic and its operations were hindered.

Now, Dr. Daniel Nigrin from the hospital is sharing details and lessons from the attack. He published his remarks in the latest New England Journal of Medicine: “When Hacktivists Target Your Hospital.”

The Common Health article covers Nigrin’s remarks and tells us the attack started with a warning message on Twitter, giving a set of demands. The hackers then posted people’s personal information like addresses and phone numbers. Later they posted technical information about the hospital’s website, suggesting it might be targeted. A few weeks after that, the distributed denial of service (DDoS) attack began.

Nigrin writes: “Over the course of the next week, the hospital was subjected to several other attacks that were intended to do more than affect its Internet connectivity. These included multiple attempts to penetrate its network through direct attacks on exposed ports and services, as well as through the use of ‘spear phishing’ e-mails, which are intended to get recipients to click embedded links or open attachments that would provide a means for the attackers to gain access to the portion of the hospital’s network behind its firewall.”

The article points out that no patient data was damaged or exposed, and that one lesson to be learned is how important it is to plan for the possibility of losing Internet connectivity.

Nigrin continues: “Such planning is important, since preparation for downtime has traditionally focused on total loss of network access or application availability. The scenario we experienced posed a different type of risk, since many systems now utilize Internet-based resources and services. Rather than making applications completely unavailable, the attack rendered only certain functionalities within them unavailable; for instance, clinicians could create and print prescriptions but could not route them electronically to pharmacies. Communicating the problem in this degree of detail to clinicians on the fly, when normal communication channels were affected by the attack, was challenging, but it taught us new lessons about contingency planning.”

“It is also critical to understand an organization’s dependence on e-mail. For example, when faced with the massive influx of malware-laden e-mail, the hospital took the precautionary step of temporarily shutting down its entire e-mail system. The shutdown gave IT staff time to quarantine malicious e-mail and to notify staff of the absolute importance of not clicking links or opening attachments without being certain that they were safe. And although having no e-mail was a minor inconvenience for most employees (and a nice respite for some), many internal processes actually depend on e-mail for normal operations, so workarounds had to be developed,” Nigrin writes.

Perhaps the most important lesson to take from this is that health care organizations are not immune to these kinds of attacks and must protect their data.

For more information, see: http://commonhealth.wbur.org/2014/07/cyberattack-boston-childrens