BOSTON – Boston Children’s Hospital was fairly quiet about its run-in last spring with the hacktivist group Anonymous until recently, but now it wants to share the story because the incident produced cybersecurity lessons the entire healthcare industry can benefit from.
Dr. Daniel Nigrin, Boston Children’s Senior Vice President and CIO, went into great detail about the distributed denial of service (DDoS) attacks during last week’s HIMSS Privacy and Security Forum. Though no Children’s patient data was ever accessed, the organization had to shut down some of its Web pages, and some patients and medical personnel were unable to access online accounts.
The Anonymous hackers posted “details” of Boston Children’s external website that weren’t all that sensitive, such as its IP address and web server infrastructure information. Nigrin said he believes even the “script kiddies” out there could have figured out this information with relative ease. However, because it was embedded in threatening text, it caught Boston Children’s attention. “We’re affiliated with Harvard and there are always political challenges that turn your hair gray, but this [incident] was a little bit weird and caught us off-kilter,” Nigrin said. “If there was any lesson learned, it was that we need to take these potential threats seriously and I’m thankful for the fact that we did.”
Interestingly, the organization didn’t rely on its IT team alone; it worked with its general incident response team, which normally handles situations such as floods and the Boston Marathon bombings. IT was included, but it wasn’t an IT-centric project. Even after a lot of patching and work on the network, Nigrin said the organization remained concerned that it was still vulnerable to its network being broken into.
Boston Children’s contacted state and federal authorities early on, but the severity of the situation began to set in when it started to receive some low-level DDoS attacks. According to Nigrin, it didn’t have to change a significant amount of infrastructure early on as a result of these attacks and the increased traffic volume.
“After [the early attacks], we went through what I called ‘cat and mouse’ changes where we would make network changes and they would follow with a new DDoS tactic. This meant that they could tell we were adjusting to new strategies and they would accommodate those modifications. We were fearful that more was coming and it did.”
There was a massive uptick in DDoS volume from the Anonymous hackers on the Friday before the 2014 Boston Marathon. As a result, Nigrin said, Boston Children’s engaged a third-party vendor to help filter the attack traffic because it was no longer able to accommodate the volume on its own. “Without their assistance in filtering traffic, we would have been paralyzed,” he said.
At its peak, Boston Children’s saw about 27 Gbps of DDoS traffic, roughly 40 times its usual inbound traffic. But by then the attacks weren’t limited to DDoS: there were direct penetration attempts against exposed ports and websites and a barrage of malware-infected email. In response, the hospital took down all externally facing sites and shut down the email system for 24 hours while reinforcing employee education on phishing attacks.
There was light at the end of the tunnel, though, as Anonymous Twitter activity helped show how fragmented the group is. Despite consistent threatening messages from other Anonymous accounts, the @YourAnonNews account tweeted “To all the ‘Anons’ attacking the CHILDREN’s HOSPITAL in the name of Anonymous – IT IS A HOSPITAL: STOP IT.” After that, the DDoS and other attacks slowly began to subside.
With the incident now in Boston Children’s rearview, Nigrin said both he and the organization have quite a few takeaways. “[Now] I don’t think that because we’re a healthcare organization, we’re above or immune to these attacks,” he said. Here are a few areas of focus following the attacks:
DDoS countermeasures – Nigrin explained that having the infrastructure and planning in place to deal with these types of threats is important.
Inventory – Knowing which systems depend on internet access and having contingency plans for them is also crucial. Because the Boston Children’s EHR system is locally hosted, it remained up and running without the internet. But the hospital still had to explain to staff why they couldn’t send prescriptions to pharmacies with email down, which Nigrin said was tricky.
Importance of email – In the event the internet is down, the organization needs alternative communication channels as well, such as secure SMS.
New security initiatives – Nothing drives new security projects like an incident, so may as well take advantage of the opportunity, right?
“There were some items that our security team had been pushing for for years, such as web proxies. Even if clinical staff and researchers were concerned about the burden, that’s too bad. We implemented 3-4 new security measures in the span of about 48 hours. Don’t wait until you’re in the middle of a fire drill to push these initiatives through, because they will pay off in the end.”
Securing teleconference meetings – Nigrin said to leave no stone unturned, as attackers can dial into insecure teleconferences if the password is included in the meeting invite itself.
Signal v. noise – At various points over the weeks of attacks, Nigrin said, it became hard to separate the events that really mattered from the ones that were mainly the result of heightened sensitivity during the incident.