Boston’s CIO Talks Cyber Attack and Lessons Learned

Boston Children’s Hospital learned first-hand about cyberattacks when it had a run-in last spring with hacktivist group Anonymous. Now it wants to share the story because it feels there are cyber security lessons learned from the experience that the entire healthcare industry can benefit from.

Daniel Nigrin, MD, chief information officer at Boston Children’s Hospital, goes into great detail about the multi-level attack in his presentation “Lessons Learned from Boston Children’s: When Hacktivists Attack Your Hospital,” which he shared with the audience at the Healthcare IT News Privacy & Security Forum this past March. There appears to be a connection between the attack and the group’s involvement with a highly publicized child custody case involving a Children’s patient.

The attacks affected the hospital on multiple fronts and lasted over a week. Floods of malware, denial-of-service and attacks on public ports were all part of the assault. Though no Children’s patient data was ever accessed, the organization had to shut down some of its web pages and some patients and medical personnel were unable to access online accounts.

While the attack is in Boston Children’s rearview, Nigrin said both he and the organization have quite a few takeaways:

DDoS countermeasures – Nigrin explained in his presentation that having the infrastructure and planning in place to deal with these types of threats is important.

Inventory – Knowing which systems depend on internet access and having contingency plans is also crucial. Because the Boston Children’s EHR system is locally hosted, it remained up and running without the internet. But the hospital still had to explain to staff why they couldn’t send prescriptions to pharmacies without email, which Nigrin said was tricky.

Importance of email – In the event the internet is down, the organization needs to have other communication forms as well, such as secure SMS.

New security initiatives – Nothing drives new security projects like an incident, so may as well take advantage of the opportunity, right?

Securing teleconference meetings – Nigrin said to leave no stone unturned, as hackers can plug into insecure teleconferences if the password is included in the meeting invite itself.

Signal v. noise – At various points over the few weeks of attacks, Nigrin said that it became hard to separate the events that really were important from the ones that were mainly the result of heightened sensitivity from the incident.

Perhaps the most critical point that Nigrin wants to share is the need to pay closer attention: “As an industry, we’ve got to pay closer attention to these threats, and prioritize our efforts against them, far more than we have done in the past.”