Healthcare Informatics Magazine | Health IT

Exclusive Report: What Can U.S. Healthcare IT Leaders Learn, in the Wake of Wanna Cry?

May 17, 2017
by Mark Hagland and Heather Landi
What can U.S. provider leaders learn from the Wanna Cry cyberattack crisis?

What emerged on Friday morning, May 12, European time, and quickly spread across the world as one of the most extensive ransomware attacks to date, disrupting organizations of all kinds in approximately 150 countries, appeared to be somewhat under control by early this week, even as the attack jolted the information technology world across the planet.

Variously known as the Wanna Cry or Wanna Decryptor ransomware, the attack on Friday virtually shut down several dozen regional health authorities within the National Health Service of the United Kingdom, while simultaneously impacting the operations of such diverse entities as Spain’s telecommunications company, Telefónica; Germany’s railway system, Deutsche Bahn; automotive plants of the French car manufacturer Renault; the Russian Interior Ministry; and universities in China and Taiwan.

In his breaking news article on Friday, Healthcare Informatics Managing Editor Rajiv Leventhal quoted Creighton Magid, a partner at the international law firm Dorsey & Whitney, who noted that “The cyberattack, using a ransomware bug known as WannaCry, appears to have used an NSA exploit known as ‘Eternal Blue’ that was disclosed on the web by Shadow Brokers. Microsoft released a patch earlier this year to address the vulnerability, but it appears that a number of hospitals and other users have not applied the patch.” “Like the DDoS attack last October,” Magid said, “this attack shows that interconnected devices and systems are vulnerable to attack by nations, non-state actors and just plain crooks,” adding that an attack of this scope points to the potential for an entirely different type of damage: “shutting down entire businesses, hospital systems, banks, and critical infrastructure.”

As the cyberattack’s impact continued to spread worldwide into and through Saturday, Editor-in-Chief Mark Hagland quoted a report published online at 7:50 AM Eastern time that day by The New York Times’ Mark Scott, in which Scott wrote that “The attack is believed to be the first in which such a cyberweapon developed by the N.S.A. has been used by cybercriminals against computer users around the globe. While American companies like FedEx said they had also been hit,” he added, “experts said that computer users in the United States had so far been less affected than others because a British 22-year-old cybersecurity researcher inadvertently stopped the ransomware from spreading,” referring to the Kryptos Logic IT specialist. “The 22-year-old British researcher, whose Twitter handle is @MalwareTechBlog and who confirmed his involvement but insisted on anonymity because he did not want the public scrutiny,” Scott wrote, “found the kill switch’s domain name—a long and complicated set of letters. Realizing that the name was not yet registered, he bought the name himself. When the site went live, the attack stopped spreading, much to the researcher’s surprise.” Scott quoted Matthieu Suiche, founder of Comae Technologies, a cybersecurity company based in the United Arab Emirates, as saying that “The kill switch is why the U.S. hasn’t been touched so far. But it’s only temporary,” Suiche added. “All the attackers would have to do is create a variant of the hack with a different domain name. I would expect them to do that.”

As it turns out, that researcher had inadvertently activated a “kill switch” built into the malware by registering the domain it checked, halting the spread of ransomware that had already shut down patient care delivery at dozens of British regional health authorities and disrupted operations at a full range of other business, governmental, and educational organizations worldwide.
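The kill switch described above is a domain the malware tries to reach before it runs; registering the domain made that check succeed everywhere at once. The flip side for a defender is that any host on your own network that looks up that domain is running the malware. The following is an added example, written for this page and not taken from the article or from any of the researchers quoted, that scans resolver query logs for such lookups. The domain name, the log lines and the addresses are constructed placeholders; substitute the published indicator for your environment.

```python
"""Flag internal hosts that looked up a ransomware kill-switch domain.

Added example (not code from the article). The domain below is a
placeholder, not the real WannaCry domain; substitute the indicator
from your threat-intelligence feed. Log lines are constructed and mimic
the BIND query-log format.
"""
import re
from datetime import datetime

# Placeholder indicator (assumption): the real kill-switch domain is not
# reproduced here; replace with the published IOC.
KILL_SWITCH_DOMAINS = {"kill-switch-placeholder.example"}

# Constructed sample of BIND-style query logs: two hosts query the
# indicator (one of them twice), two other lookups are benign.
SAMPLE_DNS_LOG = """\
12-May-2017 08:41:02.117 client 10.20.4.17#51233 (kill-switch-placeholder.example): query: kill-switch-placeholder.example IN A + (10.20.0.5)
12-May-2017 08:41:03.004 client 10.20.4.17#51240 (windowsupdate.microsoft.com): query: windowsupdate.microsoft.com IN A + (10.20.0.5)
12-May-2017 08:42:11.552 client 10.20.9.88#49201 (kill-switch-placeholder.example): query: kill-switch-placeholder.example IN A + (10.20.0.5)
12-May-2017 08:42:30.010 client 10.20.4.17#51301 (kill-switch-placeholder.example): query: kill-switch-placeholder.example IN A + (10.20.0.5)
12-May-2017 08:43:00.000 client 10.20.7.3#40000 (intranet.hospital.example): query: intranet.hospital.example IN A + (10.20.0.5)
"""

# Timestamp, client address and queried name from a BIND query-log line.
_LINE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+ .*?query: (?P<qname>\S+) IN"
)


def find_kill_switch_lookups(log_text, indicators=KILL_SWITCH_DOMAINS):
    """Return {src_ip: (first_seen, count)} for hosts querying an indicator."""
    hits = {}
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # not a query line; skip
        qname = m.group("qname").rstrip(".").lower()
        if qname not in indicators:
            continue
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
        src = m.group("src")
        first, n = hits.get(src, (ts, 0))
        hits[src] = (min(first, ts), n + 1)
    return hits


if __name__ == "__main__":
    for host, (first_seen, count) in sorted(find_kill_switch_lookups(SAMPLE_DNS_LOG).items()):
        print(f"{host} first queried the kill-switch domain at {first_seen} ({count} lookups)")
```

Run it against your resolver's query log rather than the sample. As Suiche notes above, a variant with a different domain defeats this indicator, so treat it as a one-off sweep for this campaign, not a standing control.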



What U.S. healthcare IT leaders need to know

So what does all this mean for U.S. healthcare providers? A fair amount, say industry experts and observers. “There are several lessons here,” says Mac McMillan, president and CEO of the Austin, Tex.-based CynergisTek IT security consulting firm. “One is an old lesson that we still haven’t learned as an industry, and that is that basic IT hygiene, keeping systems up to date, and not keeping systems you can’t patch, like medical devices, or segmenting them away—that people still aren’t doing those things to the extent that they need to. Basic hygiene could have saved the National Health Service here.” Parts of the National Health Service in the U.K. were still running the unsupported Windows XP platform, as Hagland noted in his blog on Sunday. And, says McMillan, “That’s insane.”

Meanwhile, McMillan goes on to say, “A recommendation made a few years ago by the National Security Advisor regarding the federal government’s weaponizing information systems and then not reporting that weaponization to vendors—the recommendation back then was actually that the potential cost to the private sector, to businesses, was so high that it outweighed the government doing those things. The third lesson that comes out of this,” he says, “is that it’s going to happen again; it’s just a matter of time, because all of this information is out there on the Internet. And when you look at zero-day exploits, the Symantec Threat Center recently said that there are over 4,500 zero-day attack vulnerabilities in systems that there is no fix for. So any hacker who finds those, can weaponize that, and run that attack, and they’ll have a massive initial impact, because there won’t be any way to respond. And unfortunately, the hacker community has decided that disruption in itself has become the goal.”

On the positive side of things, McMillan says, “There are several reasons why the U.S. healthcare system didn’t experience the same level of impact as elsewhere. Number one is that there have been so many attacks over the last 24 months, that we’ve actually seen investment in advanced malware technologies, email and malware gateways, advanced firewalls, so we actually have some protections to defend against these things. Number two, when this information came out from this Shadow group, and the data from the CIA, at least a lot of hospitals we work with, were right on top of that, and very interested in what to do. So as soon as Microsoft and Cisco and other vendors published their patches two months ago, the hospitals applied them.”

With regard to the vulnerability that the U.K.’s National Health Service had when this attack hit, Lee Barrett, the executive director of EHNAC, the Electronic Healthcare Network Accreditation Commission, a Farmington, Conn.-based independent, federally recognized standards development organization and accrediting body in U.S. healthcare, says that “Whoever the attacker was in this case, they knew that the N.H.S. was vulnerable” in working on the Windows XP operating system, “and targeted that platform. That was a major, major thing. The other thing is that what this tells organizations,” he says, “is that you’d better have your risk mitigation and preparedness plans in place and be prepared to review them, so that you can react in the moment and mitigate and reduce the amount of exposure for your organization.”

In that context, Barrett says, “In many cases, the organizations that had a good plan in place saw less impact than those who did not have a good risk mitigation and preparedness plan in place. Importantly, you need to be doing backups of all of your data, so that in the event of a ransomware attack, you’ve got a current backup of your system to reduce potential loss, and can get back to business as usual; this speaks to basic business continuity planning.”

U.S. healthcare—still far too reliant on basic tools like firewalls, antivirus protection

Looking at the broad picture around IT security in U.S. healthcare, Garrett Hall, an analyst with Orem, Utah-based KLAS Research, says that while healthcare provider organizations have improved their security readiness in recent years, this attack indicates that the healthcare industry remains particularly vulnerable. “With all the changes in healthcare and all the budget constraints, it’s a tough issue, but we are encouraged by some of the progress we’re seeing, yet, ultimately, we’re seeing that there needs to be additional progress made,” he says.

Hall co-authored the KLAS 2017 cybersecurity report published in February. In collaboration with the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME), KLAS interviewed 200 healthcare organizations about their security programs, speaking primarily with chief information security officers (CISOs), CIOs, chief technology officers (CTOs) and other IT security professionals.

That report found that U.S. healthcare organizations are still, by and large, relying on foundational technology, such as firewalls, antivirus and malware-protection solutions, and encryption, for protection from cyberattacks. According to KLAS, software for data loss prevention (DLP), identity and access management (IAM), mobile device management (MDM), security information and event management (SIEM) and anomalous-behavior monitoring has yet to make the projected impact, due in part to still-maturing deployments and a lack of resources and understanding, Hall notes. “That was a little disconcerting to see; that a firewall vendor was having the greatest impact on cybersecurity. We anticipated that it would be more DLP vendors or vendors providing more advanced technologies, so it does suggest that healthcare is still behind on their security readiness. Even though we see improvements, we still have further to go as an industry,” he says.

One of the challenging aspects of this particular cyberattack is its complexity. In a webinar sponsored by the Armonk, N.Y.-based IBM Corporation, Kevin Albano, X-Force IRIS global lead for threat intelligence at IBM Security, shared with listeners on Tuesday some insights into the Wanna Cry/Wanna Decryptor malware. The malware, he noted, infiltrates endpoints and encrypts their files, demanding a ransom payment of $300 U.S. in bitcoin, and spreads by exploiting a known vulnerability in the Windows SMB file-sharing service that enables remote code execution; organizations that did not apply the Microsoft Windows patch made available in March remain particularly vulnerable. “This is a version of WannaCry that does not have the propagation component to it, this is just the ransomware itself,” Albano told webinar attendees. “There’s another aspect to it that is the propagation aspect, using the Eternal Blue exploit, and then the DoublePulsar payload to be able to implement the WannaCry ransomware. There are three components working within it—one is the ransomware, the other is the Eternal Blue exploit that takes advantage of a vulnerability within the Windows operating system, the third thing is the DoublePulsar payload that’s used to deliver the ransomware itself.” And, he noted, “it is the auto-propagation using the vulnerability and the exploit that is causing much of the harm as it’s spreading through vulnerable systems.”
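Albano separates the ransomware from the propagation component, and it is the propagation that a network team can actually see: an infected host probes many neighbours on TCP port 445 in quick succession, which no user does. The following added example, written for this page and not code from the article, IBM or X-Force, applies that heuristic to flow records. The records, the threshold of five distinct destinations and the 60-second window are constructed assumptions to tune for your own environment.

```python
"""Spot worm-style SMB propagation in network flow records.

Added example, not from the article or IBM. A host that opens TCP/445
connections to many distinct internal peers within a short window is
behaving like the WannaCry spreader, not like a user. Flow records below
are constructed; threshold and window are assumptions to tune.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = [
    # 10.30.1.15 sweeps eight neighbours on TCP/445 within eight seconds: worm-like.
    ("2017-05-12T09:00:00", "10.30.1.15", "10.30.1.20", 445),
    ("2017-05-12T09:00:01", "10.30.1.15", "10.30.1.21", 445),
    ("2017-05-12T09:00:02", "10.30.1.15", "10.30.1.22", 445),
    ("2017-05-12T09:00:03", "10.30.1.15", "10.30.0.53", 53),  # DNS lookup, ignored
    ("2017-05-12T09:00:03", "10.30.1.15", "10.30.1.23", 445),
    ("2017-05-12T09:00:04", "10.30.1.15", "10.30.1.24", 445),
    ("2017-05-12T09:00:05", "10.30.1.15", "10.30.1.25", 445),
    ("2017-05-12T09:00:06", "10.30.1.15", "10.30.1.26", 445),
    ("2017-05-12T09:00:07", "10.30.1.15", "10.30.1.27", 445),
    # 10.30.2.9 talks to one file server repeatedly: normal user traffic.
    ("2017-05-12T09:00:05", "10.30.2.9", "10.30.0.10", 445),
    ("2017-05-12T09:00:15", "10.30.2.9", "10.30.0.10", 445),
    ("2017-05-12T09:00:25", "10.30.2.9", "10.30.0.10", 445),
    # 10.30.1.40 reaches three peers, then one more minutes later: below threshold.
    ("2017-05-12T09:01:00", "10.30.1.40", "10.30.1.50", 445),
    ("2017-05-12T09:01:10", "10.30.1.40", "10.30.1.51", 445),
    ("2017-05-12T09:01:20", "10.30.1.40", "10.30.1.52", 445),
    ("2017-05-12T09:05:00", "10.30.1.40", "10.30.1.53", 445),
]


def detect_smb_spreaders(flows, threshold=5, window_seconds=60, port=445):
    """Return {src_ip: peak_distinct_destinations} for sources that reached
    at least `threshold` distinct peers on `port` inside any sliding window
    of `window_seconds`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            by_src[src].append((datetime.fromisoformat(ts), dst))

    window = timedelta(seconds=window_seconds)
    suspects = {}
    for src, events in by_src.items():
        events.sort()  # chronological order per source
        peak, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it fits the window.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            suspects[src] = peak
    return suspects


if __name__ == "__main__":
    for src, peak in detect_smb_spreaders(SAMPLE_FLOWS).items():
        print(f"{src}: {peak} distinct TCP/445 peers within 60s, likely SMB worm activity")
```

A workstation that hits one file server repeatedly is not flagged, and a host that touches a fourth peer minutes later stays below the threshold because the window has moved on. Feed it NetFlow or firewall logs converted to the same tuple shape; the point is to catch the propagation stage, which is what did the damage, before the ransomware stage lands on the next hundred hosts.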

What CIOs, CISOs and other healthcare IT leaders need to do next

Meanwhile, say industry experts, though U.S. hospitals by and large escaped the damaging impact of the hit that British hospitals have taken, there’s still a long journey ahead for them on IT security. Still, says CynergisTek’s McMillan, “One of the reasons that U.S. healthcare did better in this situation is that, over three years ago, OCR [the Office for Civil Rights of the Department of Health and Human Services] started cracking down on organizations with obsolete systems, declaring that a HIPAA violation. So a lot of our health systems have been doing a better job of working to eliminate these things and keep them refreshed. And everybody has become sensitive to the need to communicate quickly about threat information. So even though we don’t yet have an integrated threat alert system in the U.S., the information has been flowing.”

Some very basic “hygiene” processes must be attended to, says EHNAC’s Barrett. “For one thing, organizations need to make sure that they’re doing ongoing backups and backups of all of their data. In the event that you get hit by one of these ransomware attacks,” he says, “you need to have a current backup of your system available, to reduce the potential loss of your system, and can get back to business as usual, so it gets back to business continuity planning.” Asked about what interval is most appropriate for the auditing of backups—most patient care organizations in the U.S. are doing backup audit at most once a quarter, and many are doing backup audit only once every half-year or even year—Barrett says, “Most of the breaches and ransomware are found after they’ve been in organizations for quite a while, often for months. My best practice is, I tell organizations that they should be auditing their backups at least on a monthly basis. And that goes back to what level of risk you can afford.”

Indeed, Barrett continues, “I don’t think an organization wants to go much more than a 30-day loss in the event of a ransomware attack. So I’d say 30 days, whether you do this yourselves or you have a third-party organization do it for you. And the dialogue I was having… and it ranges pretty widely in terms of how much risk an organization at the board or audit committee level, is willing to take. And larger organizations… Can you as a hospital, afford to lose nine months or a year’s worth of data? My feeling is that you can’t. And I continue to talk to organizations that still haven’t taken this seriously, and just keep pointing the finger, saying, it’s not going to happen to us, we’re too small.”
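Barrett’s recommendation reduces to a policy that can be checked mechanically against a backup inventory. The following added example, written for this page rather than taken from the article or from EHNAC, does that for a constructed inventory: each dataset must have a backup no older than its recovery point objective and a test restore verified within the last 30 days. A third check, that at least one copy is kept offline or immutable, is the editor’s addition and not something Barrett says; it matters for ransomware specifically, because malware that can reach a network share can also encrypt any backup written to it.

```python
"""Audit a backup inventory against a 30-day verification policy.

Added example, not from the article or EHNAC. The inventory is
constructed. Policy: every dataset needs a successful backup no older
than its recovery point objective (RPO) and a test restore verified
within the last 30 days. The offline-copy check is the editor's
addition (an assumption, not from the article).
"""
from datetime import datetime, timedelta

AUDIT_DATE = datetime(2017, 5, 16)        # constructed audit date
VERIFY_INTERVAL = timedelta(days=30)      # Barrett's monthly audit interval

# Constructed inventory of datasets and their most recent backup facts.
INVENTORY = [
    {"dataset": "ehr-db", "rpo_hours": 24,
     "last_backup": "2017-05-15T23:10:00",
     "last_verified_restore": "2017-05-01T02:00:00", "offline_copy": True},
    {"dataset": "pacs-images", "rpo_hours": 24,
     "last_backup": "2017-05-15T23:40:00",
     "last_verified_restore": "2017-02-10T02:00:00", "offline_copy": True},
    {"dataset": "file-shares", "rpo_hours": 24,
     "last_backup": "2017-05-12T01:00:00",
     "last_verified_restore": "2017-05-10T02:00:00", "offline_copy": False},
    {"dataset": "lab-lis", "rpo_hours": 4,
     "last_backup": "2017-05-15T22:00:00",
     "last_verified_restore": "2017-05-12T02:00:00", "offline_copy": True},
]


def audit_backups(inventory, now=AUDIT_DATE, verify_interval=VERIFY_INTERVAL):
    """Return {dataset: [finding, ...]} for every dataset violating the policy.

    Datasets that pass all checks are absent from the result."""
    findings = {}
    for rec in inventory:
        problems = []
        last_backup = datetime.fromisoformat(rec["last_backup"])
        last_verified = datetime.fromisoformat(rec["last_verified_restore"])
        if now - last_backup > timedelta(hours=rec["rpo_hours"]):
            problems.append("backup older than RPO")
        if now - last_verified > verify_interval:
            problems.append("restore not verified within 30 days")
        if not rec["offline_copy"]:
            problems.append("no offline/immutable copy")
        if problems:
            findings[rec["dataset"]] = problems
    return findings


if __name__ == "__main__":
    for dataset, problems in audit_backups(INVENTORY).items():
        print(f"{dataset}: " + "; ".join(problems))
```

The point of the verified-restore field is Barrett’s: a backup that has never been restored is an assumption, not a control. Wire the audit to the backup system’s job history and the restore-test log, and run it on the monthly cadence he recommends.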

Another absolutely key strategy, says John A. “Drew” Hamilton, Ph.D., of the Center for Cyber Innovation at Mississippi State University (Starkville, Miss.), is basic network segmentation. “You need to separate duties and functions, to limit the damage” when a cyberattack occurs, he says. “And compartmentalization could at least limit the ability of a ransomware attack to propagate across your system.” What’s more, he says, “I think that you have to assume that people will attack you, and you’re going to have different kinds of failures. So, defense in depth is important. And with the big attacks you see, at least two big things have gone wrong. If you have an individual whose account is compromised, you should limit the damage that can go from there. The breach last year in the Office of Personnel Management in the federal government, where all the HR data was compromised, was staggering. You didn’t have it compartmentalized.”
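Hamilton’s point about compartmentalization can be made concrete by modelling how far a self-propagating exploit travels under two network policies. The following added example, written for this page and not Dr. Hamilton’s or Mississippi State’s code, uses a constructed inventory of hospital hosts in four VLANs and a breadth-first search: from a patient-zero machine, the worm reaches every unpatched host to which the policy permits TCP/445, then repeats from each of those. Host names, VLAN layout and the segmented policy are assumptions.

```python
"""Compare the blast radius of an SMB worm on a flat vs. segmented network.

Added example, not from the article or Dr. Hamilton. Hosts, VLANs and
policies are constructed. A worm on an infected host can reach any host
to which the policy permits TCP/445 and that is unpatched; it then
repeats from there (breadth-first search over reachability).
"""
from collections import deque

# Constructed inventory: host -> (vlan, patched against the SMB bug?)
HOSTS = {
    "ws-reg-01": ("clinical", False),
    "ws-reg-02": ("clinical", False),
    "ws-er-01": ("clinical", True),
    "infusion-pump-01": ("meddev", False),   # cannot be patched (vendor)
    "ct-console-01": ("meddev", False),      # cannot be patched (vendor)
    "fileserver-01": ("servers", False),
    "ehr-app-01": ("servers", True),
    "hr-ws-01": ("corp", False),
}


def flat_policy(src, dst):
    """Flat network: TCP/445 is allowed between any two hosts."""
    return True


def segmented_policy(src, dst):
    """Segmented network (assumed rules): SMB allowed only within a VLAN,
    plus clinical workstations to the servers VLAN. Nothing outside the
    medical-device VLAN may initiate SMB into it."""
    s_vlan, d_vlan = HOSTS[src][0], HOSTS[dst][0]
    if d_vlan == "meddev":
        return s_vlan == "meddev"
    return s_vlan == d_vlan or (s_vlan == "clinical" and d_vlan == "servers")


def blast_radius(patient_zero, policy):
    """Return the set of hosts a self-propagating SMB exploit compromises,
    starting from `patient_zero` (assumed infected by other means)."""
    infected = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        src = queue.popleft()
        for dst, (_vlan, patched) in HOSTS.items():
            if dst in infected or patched or not policy(src, dst):
                continue
            infected.add(dst)
            queue.append(dst)
    return infected


if __name__ == "__main__":
    for name, policy in (("flat", flat_policy), ("segmented", segmented_policy)):
        hit = blast_radius("ws-reg-01", policy)
        print(f"{name}: {len(hit)} of {len(HOSTS)} hosts -> {sorted(hit)}")
```

Under the flat policy a single infected registration workstation reaches every unpatched host, including the two medical devices that cannot be patched; under the segmented policy it reaches one other workstation and one server, and an infected device inside the device VLAN cannot leave it. This is also the case McMillan makes above for segmenting away systems you cannot patch.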

A core obstacle: the historical conservatism of healthcare operations

One of the core challenges remains a business-cultural one: healthcare remains one of the most conservative of U.S. industries, both in terms of its investments in progressive information technology, and also in terms of its data management and governance. Xu Zou, the co-founder and CEO of the Mountain View, Calif.-based ZingBox, an IoT (Internet of Things) security solutions provider, says, “We’re working in the more conservative verticals like healthcare and manufacturing. A lot of [healthcare organizations], once they’ve passed their regulatory certification requirements, they’re hesitant to make further changes,” he says. “That’s what we’re facing now. And those medical devices will probably stay on Windows XP without a security patch, probably forever. And even though the FDA is encouraging providers to patch their devices—only now are hospitals taking action. The challenge is that hospitals don’t want to have to go through the entire FDA certification process a second time,” he adds.

In all this, of course, resource issues remain a huge issue for many patient care organizations, particularly smaller and rural hospitals and many medical groups. Asked what under-resourced hospitals and other patient care organizations can do, CynergisTek’s McMillan says, “I’m going to give you two answers. My first answer will be based on the assumption that they can do this; the second will be based on what I really believe needs to happen in this country. The first answer is, if they’re going to continue to go it alone, they’re going to have to focus on the basics, and based on what can I realistically do myself, and what should I outsource to somebody else. In that case,” he says, “they need to think about their EHR as a service, as opposed to owning it. Because they’re better protected in a tier 1 hosted environment. And then the hospital can focus on medicine, and the tier 1 support system can help them.”

That having been said, McMillan goes on to say that, on a broader level, “My personal opinion is that healthcare is at the same place that the banking industry was in the 90s. In the 90s, the regulations really started to bite the banking industry, and all of a sudden, the small community banks could not keep up. So we all of a sudden had the emergence of the regional banks and the expansion of the big banks acquiring the small banks, because it became too much for them to do effectively. And the Federal Reserve understood that you couldn’t have a small community bank out there connected to the Federal Reserve, that wasn’t protected.”

In that regard, McMillan says, “In healthcare we do a disservice,” by assuming that even the smallest and least-resourced hospitals should perforce remain in operation. “Everybody says, gee, we’ve got to make it easier for them. Nonsense!” he says. “The information that they maintain for patients is just as important as the information that the large hospitals maintain. So we shouldn’t be watering down [regulations and mandates around data security]; we should be saying, if you can’t do it yourself, you need to hire someone who can, or think about being acquired. And we are fast approaching a time when the small hospital cannot manage by itself any longer. And it’s not just about the data, it’s about the disruption. The small hospital hit by a ransomware attack, it’s even more devastating than with a big hospital, because those people don’t have other options, they’re often in rural areas. And we’re fast approaching a time when the stakes are just too high for the small guy to do it effectively. And it’s not fair, to be honest, but it is what it is. Nobody wanted to see their local bank that had been there for 100 years go away. But the fact is that they couldn’t provide the same level of service as Bank of America or Wells Fargo or whoever, at the same cost or level of security. So eventually, that happened. And today, people don’t even go into the bank. Most young people haven’t even seen the inside of their bank.”





FDA Releases Draft Premarket Cybersecurity Guidance for Medical Device Manufacturers

October 19, 2018
by Heather Landi, Associate Editor

The Food and Drug Administration (FDA) has released draft guidance to the healthcare industry that updates cybersecurity recommendations for medical device manufacturers with the aim of addressing vulnerabilities and evolving cybersecurity threats.

The draft premarket cybersecurity guidance, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, identifies issues related to cybersecurity that manufacturers should address in the design and development of medical devices to ensure better protection of devices against cybersecurity threats that could interrupt clinical operations and delay patient care.

The new guidance is intended to provide recommendations to the medical device industry regarding cybersecurity device design and labeling, and to describe the documentation the FDA recommends be included in premarket submissions for devices vulnerable to cybersecurity threats. The recommendations build on the framework that the FDA created in its 2014 guidance for manufacturers.

According to the FDA, these updated recommendations also will facilitate an efficient premarket review process and help ensure that medical devices are designed to sufficiently address cybersecurity threats before the devices are on the market.

“Cybersecurity threats and vulnerabilities in today’s modern medical devices are evolving to become more apparent and more sophisticated, posing new potential risks to patients and clinical operations,” FDA Commissioner Scott Gottlieb, M.D., said in a statement. “The FDA has been working to stay a step ahead of these changing cybersecurity vulnerabilities, including engaging with external stakeholders. In this way, we can help ensure the health care sector is well positioned to proactively respond when cyber vulnerabilities are identified in products that we regulate.”

“Today’s draft premarket cybersecurity guidance provides updated recommendations for device manufacturers on how they can better protect their products against different types of cybersecurity risks, from ransomware to a catastrophic attack on a health system,” Gottlieb said in his statement, noting that the rapidly evolving nature of cyber threats necessitated an updated approach “to make sure [the guidance] reflects the current threat landscape so that manufacturers can be in the best position to proactively address cybersecurity concerns when they are designing and developing their devices.”

“This is part of the total product lifecycle approach to device safety, in which manufacturers must adequately address device cybersecurity from the design phase through the device’s time on the market to help ensure patients are protected from cybersecurity threats,” Gottlieb said.

As part of its focus on strengthening medical device cybersecurity, the FDA also announced this week an agreement with the Department of Homeland Security to increase collaboration on medical device security. The agreement, between the FDA’s Center for Devices and Radiological Health and DHS’ Office of Cybersecurity and Communications, is meant to encourage even greater coordination and information sharing about potential or confirmed medical device cybersecurity vulnerabilities and threats. Such collaboration can lead to more timely and better responses to potential threats to patient safety, the agencies said.

“Our strengthened partnership with DHS will help our two agencies share information and better collaborate to stay a step ahead of constantly evolving medical device cybersecurity vulnerabilities and assist the health care sector in being well positioned to proactively respond when cyber vulnerabilities are identified. This agreement demonstrates our commitment to confronting cybersecurity risks and the unscrupulous cybercriminals who may seek to put patient lives at risk,” Gottlieb said in a statement about the partnership.

With regard to the draft guidance issued this week, it incorporates new recommendations, including a “cybersecurity bill of materials,” which is a list of commercial and/or off-the-shelf software and hardware components of a device that could be susceptible to vulnerabilities. Depending on the level of cybersecurity risk associated with a device, this list can be an important resource to help ensure that device users are able to respond quickly to potential threats, the FDA said.

The draft guidance also introduces two tiers of devices—those with higher cybersecurity risk, such as implanted devices like pacemakers or neurostimulators, and those with standard cybersecurity risk, a category covering other devices that contain software—based on the potential harm to patients from a cybersecurity compromise. The draft guidance outlines the documentation to include in a premarket submission to the agency to demonstrate that the design of the medical device has adequately mitigated risk.
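A cybersecurity bill of materials is only useful if it is queried when an advisory arrives. The following added example, written for this page and not code from the FDA or the draft guidance, shows the query a hospital biomedical team would run: match each device’s component list against a list of vulnerable components and report affected devices, higher-tier devices first. The device records, component names and advisory identifiers are constructed, and versions are assumed to be plain dotted numbers.

```python
"""Cross-reference cybersecurity bills of materials against advisories.

Added example, not from the article or the FDA draft guidance. Device
records, components and advisory identifiers are constructed (the ADV-*
ids are not real CVEs). Tier labels follow the two tiers the draft
guidance describes. Versions are assumed to be dotted integers.
"""

# Constructed CBOMs: device -> tier and list of (component, version).
DEVICE_CBOMS = {
    "pacemaker-programmer-A": {
        "tier": "higher",
        "components": [("embedded-os", "4.2"), ("tls-lib", "1.0.1")],
    },
    "infusion-pump-B": {
        "tier": "higher",
        "components": [("smb-stack", "2.0"), ("tls-lib", "1.0.2")],
    },
    "imaging-workstation-C": {
        "tier": "standard",
        "components": [("smb-stack", "1.9"), ("tls-lib", "1.0.1")],
    },
}

# Constructed advisories: a component is affected below `fixed_in`.
ADVISORIES = [
    {"id": "ADV-2018-0001", "component": "tls-lib", "fixed_in": "1.0.2"},
    {"id": "ADV-2018-0002", "component": "smb-stack", "fixed_in": "2.0"},
]

TIER_RANK = {"higher": 0, "standard": 1}   # triage order


def parse_version(v):
    """Dotted numeric version -> tuple for ordering ('1.0.1' -> (1, 0, 1))."""
    return tuple(int(part) for part in v.split("."))


def affected_devices(cboms, advisories):
    """Return [(tier, device, advisory_id, component, version), ...] for every
    device carrying a vulnerable component, higher-tier devices first."""
    hits = []
    for device, rec in cboms.items():
        for comp, ver in rec["components"]:
            for adv in advisories:
                if adv["component"] != comp:
                    continue
                if parse_version(ver) < parse_version(adv["fixed_in"]):
                    hits.append((rec["tier"], device, adv["id"], comp, ver))
    # Stable sort: tier first, then device name; component order is kept.
    hits.sort(key=lambda h: (TIER_RANK[h[0]], h[1]))
    return hits


if __name__ == "__main__":
    for tier, device, adv_id, comp, ver in affected_devices(DEVICE_CBOMS, ADVISORIES):
        print(f"[{tier}] {device}: {comp} {ver} affected by {adv_id}")
```

Real component versions are rarely this tidy (vendor suffixes, build strings), so the version comparison is the piece to harden first. The tier ordering is where the draft guidance’s two tiers earn their keep: a vulnerable library in an implanted-device programmer is triaged before the same library in a workstation, and a device whose components are all at or above the fixed version drops out of the list entirely.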

The FDA will hold a public workshop Jan. 29-30 to discuss the newly released draft guidance.




GUEST BLOG: The Cybersecurity Shortage: Closing the Gap

October 17, 2018
by Mac McMillan, Industry Voice
The gap between the level of cybersecurity preparation that should exist in the current environment, and the reality, is both troubling and in need of closer examination

We are by all estimates well over a million cybersecurity professionals short of what we need and racing towards an even bigger shortage in the decade to come. Current approaches are not likely to produce the number of cyber warriors we are going to need to close this gap. Not for want of good intention, but I believe we won’t achieve our intended goal, because the environment has changed and if we don’t recognize this change we may never catch up. There are multiple factors affecting this paradigm shift, but the biggest of them all is the rapidly evolving nature of technology that is moving at lightning speeds and the associated exponential growth in threat produced as a byproduct.

Closely related is what this means for the rapidly expanding competency that cybersecurity professionals will have to possess just to be effective in the future. We have known for decades that cybersecurity is a dynamically changing field affected by changes in the physical environment, changes in technology, the evolving nature of threat and the operational impacts of users. The enterprise is never static, and every change presents new opportunities and new risks. If we take healthcare as one example, just the past two decades have witnessed amazing changes in technology adoption, the rise of hyperconnectivity, the increase in the sophistication and frequency of attacks and the endless application of technology to operations, simple and complex. This will move even faster in the future, as technologists are already talking about faster processing speeds, quantum computing, artificial intelligence and so on, making it harder and harder for those who have to secure the enterprise to do so.

In fact, today’s cybersecurity professionals have to be as diverse as the thing they are trying to secure, meaning many different cyberwarriors with very different specializations: analysts, administrators, engineers, program experts, threat hunters, monitors, architects and so on. That makes it all the more impossible for current approaches to succeed. The supply is not going to catch up with the demand one cyberwarrior at a time. That ship has sailed. All the college programs in the land, although important, are not going to get us there. You cannot create a cyberwarrior army large enough, fast enough to solve this problem. We need a different approach.

In today’s and tomorrow’s information technology environment, everyone who uses a computer will need basic cybersecurity skills, everyone who works in IT will need specific job-related cybersecurity knowledge, and we need both general and specialized cybersecurity professionals. Individuals who write code should know how to do so with security in mind. Database developers and administrators should understand the threats associated with what they are doing and how to avoid them. System engineers should understand network security principles and how to apply them to what they do. And on and on. Information system designers, developers, manufacturers, consumers and users need to accept and embrace this basic requirement. Curriculums from the earliest stage where information technology is introduced should include cybersecurity training. Curriculums in career fields where information technology will be critical to accomplishing that skill should include cybersecurity training. No information technology degree should be achievable without cybersecurity as part of the curriculum. We should promote greater professionalization of the cybersecurity field to define specific career paths from the very specialized to the general practitioner to the strategist, to ensure not only the expertise needed at the tactical level, but the professionals with the breadth and scope of knowledge and experience needed at the higher levels of responsibility to lead and develop effective cybersecurity strategies and programs.

The gap between the good guys and the bad guys is growing, because we are still trying to solve the problem in the same antiquated way, one cyberwarrior at a time. There is zero unemployment in the field right now, and many of the people filling cybersecurity roles today are only marginally competent, because not only does it take education in multiple disciplines to become knowledgeable in the field, it takes experience, which can only be attained in time. We are never going to be successful following the path we’re on today. We need to recognize the paradigm shift that has occurred and embrace the new reality. Everyone who deals with information technology has to be part cyberwarrior. Everyone has the responsibility to understand basic computer security skills and the cyber threats that can keep them from accomplishing their mission. In the military we call this awareness of risk operational security, and every soldier, sailor, airman and Marine from top to bottom is charged with understanding operational risks so they can mitigate them regardless of their job specialty.

Some organizations are beginning to realize this new reality and are taking steps to change how they approach educating the workforce of the future. One such organization is the University of Texas, which I had the pleasure of supporting recently, and which is building a new graduate certificate program within its healthcare curriculum to train members of the workforce to move into healthcare, particularly veterans. What is unique about this curriculum is that it integrates cybersecurity knowledge, so that graduates of this program not only prepare themselves for a career in healthcare by learning practical skills, but also learn where cybersecurity is important and why they need to understand it to be successful. The lab environment is unique in that it replicates the hospital experience: admissions, the ER, the smart patient room, the OR, radiology, pharmacy and so on, and in each lab cybersecurity will be taught along with the information technology associated with those environments, as well as the cyber threats that affect both privacy and security there. It is a curriculum that teaches not only the practical skills needed to work in healthcare, but how to protect patient data and operations. The program has included several experienced healthcare CISOs as contributing staff, lending real-world expertise to what they are building. These are the type of visionary programs we need more of if we are going to close this gap in cybersecurity skills.

Mac McMillan is president and CEO of the Austin, Texas-based CynergisTek consulting firm.




Six Lessons From Boston Children’s ‘Hacktivist’ Attack

October 17, 2018
by David Raths, Contributing Editor
CIO Daniel Nigrin, M.D., says hospitals must prepare for DDoS and ransomware

Most health system CIOs have heard about the 2014 attack on Boston Children’s Hospital by a member or members of the activist hacker group Anonymous. The hospital was forced to deal with a distributed denial of service (DDoS) attack as well as a spear phishing campaign. Yesterday, as part of the Harvard Medical School Clinical Informatics Lecture Series, the hospital’s senior vice president and CIO Daniel Nigrin, M.D., discussed six lessons learned from the attack.

Although the cyber-attack took place four years ago, there have been some recent developments. The attack was undertaken to protest the treatment of a teenager, Justina Pelletier, in a dispute over her diagnosis and custody between her parents and the hospital. In August 2018 Martin Gottesfeld, 32, was convicted of one count of conspiracy to damage protected computers and one count of damaging protected computers. U.S. District Court Judge Nathaniel Gorton scheduled sentencing for Nov. 14, 2018. Gottesfeld was charged in February 2016. 

According to the U.S. Department of Justice, Gottesfeld launched a massive DDoS attack against the computer network of Boston Children’s Hospital. He customized malicious software that he installed on 40,000 network routers that he was then able to control from his home computer. After spending more than a week preparing his methods, on April 19, 2014, he unleashed a DDoS attack that directed so much hostile traffic at the Children’s Hospital computer network that he temporarily knocked Boston Children’s Hospital off the Internet.

In his Oct. 17 talk, Nigrin said cyber criminals still see healthcare as a soft target compared to other industries. “The bottom line is that in healthcare, we have not paid attention to cybersecurity,” he said. “In the years since this attack, we have seen ransomware attacks that have brought hospital systems to their knees. We have to pay more attention and invest more in terms of dollars and technical people, but it really does extend to entire organizations — educating people about what a phishing attack is, what a social engineering attack is. These need to be made a priority.”

He offered six lessons learned from Boston Children’s experience:  



1. DDoS countermeasures are critical. No longer can healthcare organizations assume that DDoS attacks are things that only occur against corporate entities, he said. “Prior to this event, I had never thought about the need to protect our organization against a DDoS attack,” he said. “I will submit that the vast majority of my CIO colleagues were in the same boat. And that was wrong. I think now we have gotten this understanding.”

2. Know what depends on the internet. Having a really detailed understanding of what systems and processes in your organization depend on internet access is critical, Nigrin stressed. You also must have good mitigation strategies in place to know what to do if you lose internet access — whether it is because you have a network outage due to a technical issue or a malicious issue. “As healthcare has become more automated and dependent on technology, these things are crippling events. You have got to know how you are going to deal with it ahead of time. Figuring it out on the fly is not going to work.”

3. Recognize the importance of email. Email may be seen as old-school, Nigrin noted, but it is still the primary method to communicate, so you have to think about how you can communicate and get the word out in scenarios where you don’t have email or lose voice communication. “In our case, we were super-lucky because we had just deployed a secure texting platform, so we could do HIPAA-compliant texting, and when our email was down, that was how we communicated, and it was very effective,” he explained.

4. Push through security initiatives – no excuses anymore. Because he is a doctor himself, Nigrin feels OK picking on doctors about security. Historically they have always pushed back on security measures such as dual-factor authentication. He paraphrases them saying “Come on, Dan, that is an extra 10 seconds; I have to carry a secure ID, or you have to send me a text message on my phone. It is a pain. I don’t want to do it. I am the highest-paid employee in your organization and that is time better spent on something else.” But Nigrin argues that we can’t afford to think like that anymore. He used the Anonymous attack as an opportunity to push through four or five security initiatives within the next two to three months when he had everyone’s attention. “The platform was burning, and the board of trustees was willing to expend the money to pay for it all. They all of a sudden recognized the risk.”

5. Securing audio- and teleconference meetings. Nigrin said this topic wouldn’t have occurred to Boston Children’s until they were warned by the FBI. “The FBI told us about an attack that affected them when they were dealing with Anonymous. When Anonymous was attacking the FBI, the FBI convened internal conference calls on how to deal with it. Anonymous had already breached their messaging platform and intercepted the calendar invites that invited everyone to dial in. Anonymous basically was called into the meeting. Within 30 minutes of one of those meetings, the entire audio transcript of the conference call was posted to YouTube.” He added: “So we took heed of that and made sure that when we had conference calls, we sent out PINs over our secure texting platform.”

6. Separating signal from noise. During the attack, Boston Children’s set up a command center and told employees: if you see something, say something. “We didn’t know what attack was coming next. We were flying blind,” Nigrin said. “We started to get lots of calls into our command center with reports of things that seemed somewhat suspicious,” he remembers. People got calls on their cell phone with a recorded message saying your bank account has been compromised. Press 1 to talk to someone to deal with it. “Today we would recognize this as some type of phishing scam and hang up,” he said, “but at the time it was sort of new. People started calling us and we didn’t know if this was Anonymous trying to get into the bank accounts of our senior clinicians. Was it part of the attack? It was tough for us to detect signal from noise.”

In the Q&A after his presentation, listeners were curious about how much the incident cost the hospital. Nigrin said there were two big costs incurred: One was the technology it had to deploy in an emergent way to do DDoS protection and penetration testing. The other was revenue lost from philanthropic donations. Together they were close to $1 million.

Another person asked if the hospital had cyber insurance. Nigrin said they did, but when they read the fine print it said they were covered only if they were breached and technically they were never breached, so the insurance company was reluctant to pay. Although they eventually got compensated for a good share of it, the hospital also made sure to update its policy.

Still another attendee asked Nigrin if ransomware attacks were still targeting hospitals. He said they definitely were. “Think about community hospitals just squeaking by on their budgets,” he said. “They don’t have millions to spend, yet their data is valuable on the black market. Attackers recognize we are dead in the water as entities if we don't have these systems. We have important data and will do anything to get our systems back up and running.”

Nigrin said even large health systems can be vulnerable because some technology they deploy is run by third-party vendors who haven’t upgraded their systems. An example, he said, might be technology to record videos in the operating room setting. Some vendors, he said, are not accustomed to thinking about security. They are unable to update their software so it works on more modern operating systems. That leaves CIOs with a tough choice. “We can shut off the functionality or take the risk of continuing to use outdated and unpatched operating systems. Those vendors now have woken up and realize they have to pay more attention.”


