DDoS Assault on Boston HospitalHacktivist Group Suspected of Attacking Children's Hospital
To date, distributed-denial-of-service attacks have been relatively rare in the healthcare sector, especially compared with DDoS assaults in the financial sector. But DDoS attacks on Boston Children's Hospital's website have security experts debating whether these attacks could become far more common in healthcare.
In a April 25 statement provided to Information Security Media Group, Boston Children's Hospital confirmed a report published by the Boston Globe that the hospital's public website had been undergoing cyber-attacks for nearly a week, which made some online services, such as patient appointment scheduling, sporadically inaccessible.
"Boston Children's website has been the target of multiple attacks designed to bring down the site by overwhelming its capacity," the statement says. "Boston Children's technical and security professionals are working to resolve the situation as soon as possible. We have also contacted law enforcement authorities, who are investigating the source of the attacks. There is no information to suggest that patient information has been compromised, and patient care has not been interrupted."
The hacktivist group Anonymous is suspected of launching the attacks against the hospital, which threatened the medical center in the weeks leading up to the DDoS assault, according to the Boston Globe report. The hacker group is thought to be retaliating against the hospital because of anger over an ongoing child custody case that's drawn national attention.
That case involves two Connecticut parents who have lost custody of their teenage daughter, Justina Pelletier, to the state of Massachusetts over allegations by the hospital that the parents medically abused the girl.
In addition to Children's Hospital, the website of Wayside Youth and Family Support Network, the residential facility where the teenager has been living while under state custody, has also been under DDoS attack in recent days.
"Wayside has experienced some limited disruptions of service," says the Framingham, Mass.-based facility in a statement to ISMG. "Though we do not know the source, we are dismayed and concerned that someone would try to disrupt the important work we do with hundreds of children and families in various community and home settings. Our team remains vigilant in protecting confidential information as it relates to our clients and our staff."
The Boston Globe reports that while "there is no direct evidence" linking Anonymous to the attacks this week against Children's, cybersecurity experts say the incident "bore the hallmarks of the mysterious network of Internet agitators."
Boston Children's Hospital would not comment specifically on whether Anonymous is suspected in the attacks. However, an April 25 Twitter message apparently posted an Anonymous news group known as @YourAnonNews, says: "To all Anons attacking Children's Hospital in the name of Anonymous ... It's a hospital, stop it."
Cyber-attacks on Rise?
Security experts disagree about whether the DDoS attack against Boston Children's Hospital is an indication that such attacks are on the rise in healthcare.
Rodney Joffe, senior vice president at security technology firm Neustar, believes that the DDoS attack is an "anomoly" and "outlier" and not a sign of more DDoS attacks in the healthcare sector. "Everyone, even attackers, know someone who's been at a hospital or is in a hospital, and this is socially unacceptable even to them," he says. The Children's Hospital attackers "will be slapped down" by their hacker peers, he predicts. "It's like child abusers in jail, they never survive because even the bad guys hate them."
Joffee says the DDoS attack on Children's Hospital is the first he's seen against a healthcare facility. "The more common types of cyber-attacks against healthcare are aimed at getting information that can be used for tax and other fraud," he says.
Larger healthcare organizations face frequent cyber-attacks, though not necessarily DDoS assaults, says Jennings Aske, former CISO and privacy officer at another Boston-area healthcare provider, Partners HealthCare. He recently joined speech recognition software vendor Nuance as its CISO.
"Partners saw millions of external attacks, and network enumerations a month," he says. "However, during my time there, it did not face a DDoS attack." Partners, Massachusetts' largest healthcare delivery network, includes Massachusetts General and Brigham and Women's hospitals, among others.
"To-date, the DDoS attacks directed at providers have been rare, largely tied to extortion attempts. The attackers would bring down the phone system or network and demand payment to stop the attack," he says.
"That being said, DDoS attacks led by 'hacktivists' directed at healthcare providers will likely become more frequent. The attackers could be motivated not only by a high-profile case, like the one at issue in the Children's attacks, but also led by groups concerned in general with the privacy and security of medical records."
In contrast, David Kennedy, founder of security consulting firm TrustedSec, claims that DDoS attacks already are becoming more common in the healthcare sector.
"The reason for DDoS type attacks is to perform service interruptions. The healthcare sector isn't equipped to even handle direct attacks let alone the ability to exhaust bandwidth," Kennedy says. "It is extremely vulnerable."Kennedy says attacks by Anonymous against healthcare organization linked to political or ideological reasons are, indeed, rare. But, he notes, "We have seen a huge increase in state-sponsored attacks originating from China occurring heavily on the healthcare industry; we aren't exactly sure why yet."
More healthcare organizations need to adopt a proactive security program to thwart DDoS attacks and other threats, Kennedy says. "From our analysis, the healthcare industry is ... behind every other industry vertical when it comes to security," he says.
To mitigate the risk for DDoS, Kennedy suggests "using a cloud service for websites, using caching servers, appropriately blocking - as much as you can - the DDoS source addresses."
Cris Ewell, CISO at Seattle Children's Hospital, says he's been seeing an uptick in "targeted attacks" and "malicious software" attacks against his organization.
Healthcare organizations that conduct research are a likely target for DDoS attacks, he notes. "Often animals are used and this can cause an issue with political or other hacktivist type organizations. I am aware of incidents involving DDoS-type attacks in the past related to animal research or use of animals in medical education," Ewell says. "While not the primary type of attack, they can be devastating to a healthcare organization - especially if it impacts a provider that hosts your electronic medical record or other critical application. "
Still attacks by those interested in committing fraud, such as cyber-criminals and organized crime, is a greater concern than hacktivist attacks, he says. He suggests that healthcare organizations carefully monitor advisories about all types of threats against the healthcare sector.