Easter weekend is one of the craziest three-day stretches in the calendar year in Boston, which made the hack against Boston Children’s Hospital all the more difficult.
The Easter/President’s Day/Marathon Monday trifecta in Boston makes that weekend already very stressful, but in 2014 especially so with it being the one-year anniversary of the Marathon bombing. Luckily, for Boston Children’s, a 395–bed facility, IT leaders had time to prepare for the hack.
According to Paul Scheib, chief information security officer (CISO) at Boston Children’s, the hospital found out about the potential attack in mid-March. People who claimed to be representing the hacktivist collective known as Anonymous had posted threats to Boston Children’s on PasteBin because of a controversial child custody case going on in the hospital.
Despite the prior knowledge, the distributed denial-of-service (DDoS) attack put Boston Children’s up against the metaphorical wall on Easter weekend. “At some point, I think Sunday, the levels [of attack] increased to such a significant level that it basically congested all of the Internet circuits coming into the hospital and the greater Harvard [Medical School] community. We get Internet access through Harvard, as does many of the Harvard affiliated hospitals. It was this bleed over effect with other large Boston hospitals feeling the impact of the DDoS attack,” Scheib recalls.
The hack made life incredibly difficult at Boston Children’s, recalls Scheib. Internet-related activity, such as ePrescribing and transitions-of-care information sharing, suffered. Also, the hospital was forced to take down its email system as well as patient and physician portals for a period of time. The attack forced the hospital to put in place several workarounds and harken back to older processes.
“It tests your ability to respond to an incident and [figure out] what communications is required within your organization to ensure that business as usual can continue,” says Scheib.
Whether it’s “activism” hacks or cyber criminals looking to gain access to valuable information, healthcare organizations like Boston Children’s are living in a new world, where these kinds of threats are very real and no one is safe. No longer is a data breach limited to a forgotten USB drive or a stolen computer. Threats to data security are now coming from hackers, who in turn, could be coming all the way from China, as the Franklin, Tenn.-based large hospital chain, Community Health Systems, found out.
Along with Boston Children’s, attacks against Community Health and the Healthcare.gov website were two other notable hacks in 2014, but this is a growing industrywide problem, says Dan Berger, CEO of the Carpinteria, Calif.–based RedSpin, a data security testing provider. “It was only a matter of time before there was so much electronic health data for an organized group of hackers or even a lone wolf hacker to go after,” he says.
According to an annual report from the Ponemon Institute, the Traverse City, Mich.-based consulting firm, the percentage of healthcare organizations that have reported a cyber attack has doubled in the last five years, from 20 to 40 percent. The hacking threat has become such a problem that this past summer, the Federal Bureau of Investigation (FBI) sent multiple warnings to healthcare organizations saying they were at risk.
Jeremy Molnar, vice president of technical compliance services at CynergisTek, an Austin, Tex.-based consulting firm, notes that the amount hackers could see medical records for on the open market is only going to increase over time. Berger adds that unlike a credit card, which can be changed, a medical record is permanent and has many avenues in which hackers can exploit for fraud.
Moreover, Chris Van Pelt, principal in the healthcare IT practice at PricewaterhouseCoopers Advisory LLC, told HCI that healthcare organizations may find themselves in the crosshairs of foreign governments and other crime syndicates looking to gain intellectual property; similar to what happened with Community Health. “These criminals and governments are coming at anything they can get access to. Water seeks its own level, and they’re going to access anything they can. So frankly, whatever size patient care organization you are, they’re coming after you,” says Van Pelt.
At the height of the crisis over the Easter Weekend at Boston Children’s Hospital, Scheib’s team decided to divert traffic to a third-party vendor’s offsite service that filtered out the DDoS attacks. That allowed them to resume normal operations the next day.
After the DDoS attacks died down, the hackers began targeting the organization through phishing emails and application-level attacks. To counter this, the hospital put into place application-level firewalling and brought down its email for a time. This went on for about a week until someone, also claiming to be associated with Anonymous, essentially told the hackers to back off.
Phishing attacks are a whole new ball game, noted Scheib. Recently, UC Davis Health System notified 1,800 patients of a phishing scam that compromised three physicians’ email accounts. Dothan-based Southeast Alabama Medical Center (SAMC), a 400-bed community facility serving Southeastern Alabama and portions of the Florida panhandle, has taken a multi-layered approach to safeguarding data against phishing scams. The organization has invested in advanced email filtering technologies to block unwanted messages and keep its system free of adware, spyware and viruses.
Similarly, Boston Children’s has looked at technologies to help block phishing attacks but overall, Scheib admits because of human nature it’s difficult to stop. “No matter how much you train, people will click on a link by accident, not knowing what it’s unintended for. We’ve done a lot of training and raised awareness on it, but by no means is it never going to happen,” he says.
Organizations must prepare, and risk and gap analyses are vital, say Molnar and Berger. So is being annoying: “You’ve got to scream, yell, and basically be a pain in the neck in the executive suite. Security in healthcare is not just the domain of IT, it extends to everyone in the organization,” says Berger.