Healthcare DDoS Attack: Mitigation Lessons
Boston Children's Hospital CIO Offers Insights After Disruption
The main lesson from a distributed-denial-of-service attack on Boston Children's Hospital last spring is that such attacks represent a real threat in healthcare that must be mitigated, says CIO Daniel Nigrin, M.D.
Until that incident, many healthcare organizations, just like Boston Children's, didn't put disruptive DDoS attacks high on their list of threats to mitigate, Nigrin says in an interview with Information Security Media Group at the recent Healthcare Information and Management Systems Society privacy and security forum in Boston. That's because such attacks mainly occurred in other sectors, such as banking.
"The kind of cyber-attack that's not necessarily meant to seize data ... was certainly not on my list [of top infosecurity threats] until that event," Nigrin says. "I think it's likely to come up again. I hope not for us, but surely someone somewhere [in the healthcare sector] will experience something like this. So we'll have to take preparations to protect against these kinds of attacks like we do data breaches and the other kinds of things that are in the news these days."
The hacktivist group Anonymous is suspected of launching the attacks in retaliation for Boston Children's involvement in a controversial child custody case that had drawn national attention in the months and weeks before the assault.
Business Continuity Issues
Among the lessons learned from the attack is the need for healthcare organizations to reassess their disaster recovery planning, including taking inventory of all internal systems that depend on Internet connectivity, which can be disrupted during a DDoS attack, he says.
"There are many [systems] that work in a partial way without Internet connectivity, but don't have full functionality unless that Internet connectivity is enabled," he says. During the DDoS attack, for example, the pediatric hospital's electronic health record system could not enable clinicians to transmit electronic prescriptions to outside pharmacies because of a lack of Internet access.
In the interview, Nigrin also discusses:
- How Boston Children's discovered it was under DDoS attack;
- How the initial "low level" DDoS attack, which was manageable for the medical center, eventually escalated into a massive assault that also affected other Boston-area hospitals;
- How the hacktivists behind the DDoS attack made unsuccessful attempts to penetrate Boston Children's systems, and why the hospital temporarily took down all external-facing websites and turned off its e-mail system for 24 hours.
In addition to being Boston Children's Hospital CIO, Nigrin is also senior vice president for information services. He is responsible for all clinical, research, teaching and administrative IT systems at the hospital, serving more than 10,000 users. Nigrin is also assistant professor of pediatrics at Harvard Medical School, a senior staff member of the Children's Hospital Informatics Program, and a practicing member of the division of pediatric endocrinology at Boston Children's.