Hackers purportedly representing Anonymous hit Boston Children’s Hospital with phishing and DDoS attacks this spring. The hospital fought back with vigilance, internal transparency and some old-fashioned sneakernet. That – and a little bit of luck – kept patient data safe.
On March 20, Dr. Daniel J. Nigrin, senior vice president for information services and CIO at Boston Children’s Hospital, got word that his organization faced an imminent threat from Anonymous in response to the hospital’s diagnosis and treatment of a 15-year-old girl removed from her parents’ care by the Commonwealth of Massachusetts.
The hospital’s incident response team quickly convened. It prepared for the worst: “Going dark” – or going completely offline for as long as the threat remained.
Luckily, it never came to that. Attacks did occur, commencing in early April and culminating on Easter weekend – also the weekend of Patriots’ Day, a Massachusetts holiday and the approximate one-year anniversary of the Boston Marathon bombings – but slowed to a trickle after, of all things, a front-page story about the incident ran in The Boston Globe.
No patient data was compromised over the course of the attacks, Nigrin says, thanks in large part to the vigilance of Boston Children’s (and, when necessary, third-party security firms). The organization did learn a few key lessons from the incident, and Nigrin shared them at the recent HIMSS Media Privacy and Security Forum.
As Anonymous Hit, Boston Children’s Hit Back
As noted, the hospital’s incident response team – not just the IT department’s – planned for the worst. Despite the fact that the information Anonymous claimed to have, such as staff phone numbers and home addresses, is the stuff of “script kiddies,” Nigrin says Children’s took the threat seriously.
Attacks commenced about three weeks after the initial March 20 warning. Initially, the hospital could handle the Distributed Denial of Service (DDoS) attacks on its own. Anonymous changed tactics. Children’s responded. The hackers punched. The hospital counterpunched. As the weekend neared, though, DDoS traffic hit 27 Gbps – 40 times Children’s typical traffic – and the hospital had to turn to a third party for help.
The attacks hit Children’s external websites and networks. (Hackers also pledged to hit anyone linked to Children’s – including the energy provider NStar, which played no role in the child custody case at all but sponsors Children’s annual walkathon.) In response, Nigrin took down all websites and shut down email, telling staff in person that email had been compromised. Staff communicated using a secure text messaging application the hospital had recently deployed. Internal systems were OK, he says, so Children’s electronic health record (EHR) system, and therefore its capability to access patient data, wasn’t impacted.
In contrast to this internal transparency, Children’s, at the urging of federal investigators, didn’t communicate anything externally. Nonetheless, word got to The Boston Globe, which ran its front-page story on April 23.
Nigrin, again, prepared for the worst. He didn’t have to. After the article came out, the Twitter account @YourAnonNews took notice, urging hackers to stop targeting a children’s hospital. Attacks continued, but at a much smaller clip.
6 Quick Tips for Beating Back Hackers
In reflecting on the Anonymous attack, Nigrin offers the following security lessons that Boston Children’s learned.
- DDoS countermeasures are crucial. “We’re not above these kinds of attacks,” Nigrin says.
- Know which systems depend on external Internet access. The EHR system was spared, for example, but the e-prescribing system wasn’t.
- Get an alternative to email. In addition to secure texting, Children’s used Voice over IP communications.
- Make no excuses when pushing security initiatives; in the heat of the moment, there is no time to catch up. Children’s had to shut down email, e-prescribing and external-facing websites quickly. “Don’t wait until it’s a fire drill,” Nigrin says.
- Secure your teleconferences. Send your conference passcode securely, not in the body of your calendar invite. Otherwise, the call can be recorded and posted on the Internet before you even hang up, he says.
- Separate signals from noise. Amid the Anonymous attack, several staff members reported strange phone calls from a number listed as 000-000-0000. At the time, it was hard to tell if this was related, and it made the whole incident that much harder to manage.
Above all, Nigrin says healthcare organizations need to pay attention to the growing number of security threats the industry faces. “There are far more than we have seen in the past,” he says.