BCH CIO shares experience with Anonymous cyberattack

BOSTON--Boston Children’s Hospital (BCH) faced a bizarre cyberthreat earlier this year and learned valuable lessons to prepare for future incidents, according to Daniel Nigrin, MD, MS, the organization’s senior vice president of information services and CIO, who shared the experience during a session at HIMSS’ Privacy and Security Forum on Sept. 8.

In March, BCH was notified by an external cyberspace intelligence group that “Anonymous”—the infamous hacktivist group—had posted on Twitter and Pastebin. The organization objected to BCH’s involvement in a teenage patient’s custody battle.

The attack began with a dox--the release of personally identifiable information or compromising details--of staff and the presiding judge in the patient’s case. Anonymous also posted the IP address of the BCH website and some other details that weren’t too difficult for anyone to figure out, said Nigrin. All the details were embedded in threatening texts, which he said was “weird and scary and caught us off kilter.”

Not sure how to proceed, the organization decided to err on the side of caution. Rather than ignore the activity, they decided to take the threats seriously. They convened their incident response team which is the general emergency management team that deals with forming contingency planning for any unexpected event. The team is not IT-centric, which Nigrin said was “incredibly important.”

If this was the actual Anonymous hacktivist group, “I was fairly concerned we were vulnerable,” he said. They discussed the need to potentially go dark to protect the hospital’s data. But, would they still be able to care for patients and submit claims? They decided to message the entire organization because they wanted everyone to be aware and more vigilant. They also contacted the authorities.

Three weeks later, low-level distributed denial of service (DDoS) attacks began. Much of that was mitigated by the network changes BCH had made to accommodate the increase in traffic. Thus began a “cat and mouse” exchange with BCH implementing fixes and Anonymous finding new tactics and continuing back and forth. “They could tell we were adjusting and we were fearful more was coming and it did. It was frustrating,” said Nigrin.

Next came the weekend of Patriot's Day—a Monday holiday in Massachusetts and the one-year anniversary of the Boston Marathon bombings. “The city was already on edge with concerns about copycat events.” BCH engaged a third party to assist in filtering traffic. The organization experienced intermittent connectivity as well as a 40-fold increase from the usual rate of inbound traffic. Without that third party’s assistance, Nigrin said BCH would have been paralyzed.

While the authorities worked on tracking all possible connections, Anonymous posted a new message, saying a HIPAA breach was coming. The attack escalated to direct penetration attacks on exposed ports. BCH took down virtually all externally facing websites. Nigrin recommended that other organizations keep an inventory of such sites so they have a ready list.

BCH also began experiencing a massive influx of malware-laden emails. They shut down all email for about 24 hours which Nigrin called “a gutsy move. It was very disruptive to the organization.” They also hadn’t realized just how important email was to the hospital’s infrastructure and how dependent staff were on it. Fortunately, they had recently implemented secure text messaging which was helpful in the struggle to communicate with 15,000 employees.

Nigrin and other members of BCH leadership went on foot around the hospital to get the word out about the “criticality of not opening emails” to ensure that no malware made its way through filters.

Federal authorities advised BCH to keep quiet about the attacks so as not to fuel the fire and motivate Anonymous to continue. Unfortunately, an article on the situation made the front page of the Boston Globe in April.

Inexplicably, someone posted a message that said whoever is attacking BCH should stop and leave the organization alone. Nigrin said Anonymous seemed to self-police. That message led to a rapid decline in messages. BCH gradually brought its external facing websites back up after extensive testing.

BCH learned several lessons from their experience. “DDoS measures are critical,” said Nigrin. Healthcare organizations are not immune or above such attacks. “It’s likely to happen again.”

Organizations need to know what functions depend on internet access and develop contingency plans. They also should have plans for alternative forms of communication outside of email. Healthcare institutions must push security initiatives through. While there are numerous competing priorities, “there are no excuses” for not properly planning. Had the attack not died down on its own, Nigrin said he’s not sure what could have happened. “This stuff is important. We’ve got to pay closer attention.”