HIMSS 2017: How one hospital prepared for, and survived, a ‘hacktivist’ cyberattack

Sometimes, hackers aren’t motivated by money when they go after patient records. Luckily for hospitals and health systems, even so-called “hacktivists” can be stopped with the same defenses that fend off other cyberattacks.

Daniel Nigrin, MD, MS, is senior vice president for information services and chief information officer at Boston Children’s Hospital. He’ll share his hospital’s experiences with a hacktivist attack as part of a cybersecurity forum at HIMSS17 in Orlando on Sunday, Feb. 19.

As recounted by the Boston Globe, the hospital was targeted by the computer hacker network known as Anonymous because of a widely publicized case of a 15-year-old patient being taken out of her parents’ custody due to the hospital’s charges of medical child abuse.

Nigrin didn’t go into the specifics of the patient, just referring to a “nationally known” case that motivated the hacker group. 

“It was very much in the news, and so our attackers got wind of this case and decided they didn’t like what they were hearing or reading,” Nigrin says.

Before the attack, firewalls were in place at the hospital, and there was a small information security team—what Nigrin describes as an “average level” of preparedness for a healthcare provider. Still, he admits there were blind spots in areas the hospital never imagined, like denial-of-service attacks.

That was one of a variety of tactics used by Anonymous, along with phishing e-mails containing malware and attempts at penetrating the hospital’s firewall. Nigrin said the weeks of attacks eventually forced the hospital to call in third-party security to help.

No patient data was compromised during the extended attacks, Nigrin says. The hospital had prepared for the worst, such as being “completely cut off” from electronic records or computers of any kind to place orders. The key to the approach, he explains, was not solely focusing on technological solutions.

“We didn’t treat this as just an IT issue,” Nigrin says. “We really engaged the hospital’s overall incident response team,” including administrators and clinicians.

For the former group, cybersecurity is an easier sell than it was a few years ago, with Nigrin emphasizing it should be among the top priorities for hospitals. For the latter, he says the concerns about inconveniencing physicians and other staff members with measures like two-factor authentication can’t outweigh the need to protect data.

“That kind of thing you just can’t tolerate anymore. It’s just not a good enough excuse,” Nigrin says.

The good news for healthcare organizations is, while hackers may have different motives—including political ones—it doesn’t take dozens of different plans to respond to those attacks. Preparation throughout a facility’s department is key, Nigrin says, but on the technology side, the defenses needed are “really no different” for these different kinds of intrusions.

“Whether it’s ransomware, whether it’s hacktivist accounts, whether it’s disgruntled employees or former employees, essentially the tools, techniques and approaches you have to use are exactly the same,” he says.

You can find more information on the Feb. 19 morning session at HIMSS17, entitled “How Boston Children’s Hospital Survived an Attack by Anonymous,” here.