Supporters of the faceless collective known as Anonymous have taken up the cause of a young girl, after the State of Massachusetts removed her from her parents earlier this year. However, the methods used to show support may have unintended consequences, which could impact patient care.
On Thursday, the Boston Children's Hospital confirmed that they were subjected to multiple DDoS attacks over the Easter holiday. Said attacks, which have continued throughout the week, aim to take the hospital's website offline. Similar attacks, including website defacement, have also targeted the Wayside Youth and Family Support Network. Both organizations are at the heart of a sensitive topic: child welfare and the rights of a parent.
No one person or group has come forward to claim responsibility for the attacks, but chatter on the Internet has put the blame for these incidents on Anonymous and those supporting OpJustina.
Anonymous in action
OpJustina started earlier this year after supporters of Anonymous learned of Justina Pelletier, a fifteen year-old girl who was removed from her parents' care by the State of Massachusetts.
Justina was diagnosed with mitochondrial disease (a disorder that causes loss of muscle coordination and weakness) years ago, but by all accounts lived a normal life.
Earlier this year, she was admitted to Boston Children's after getting the flu. A different team of doctors questioned the diagnosis of mitochondrial disease, instead telling her parents (Lou and Linda Pelletier) that their daughter's problem was mental, diagnosing her with somatoform disorder.
Her parents disagreed, and started the process of having their daughter discharged from Boston Children's, which led to a war of words with the doctors. The heated debate over the girl's condition led to her parents being removed from the hospital by security and the Department of Children and Families being brought in.
After a series of legal maneuvers, Justina was made a ward of the state, and removed from her family's care. At issue is the controversial concept called medical child abuse.
The legal dilemma, and the family's charge of kidnapping against the state to the media, is what led Anonymous supporters to rally around the girl's cause.
Initially, Anonymous used social media and personal blogs to spread their support and draw the media's spotlight. They also setup petitions calling for the girl to be returned to her family.
The activism started in February, gaining momentum in March, but that started to slow some by the end of the month. All that changed when lawyers representing the family released a note allegedly written by Justina, stating that workers in the facility where she is staying were abusing her. At that point, OpJustina gained traction again, and the various Web-based attacks increased.
A new threat vector
When asked his opinion on OpJustina as it relates to the attacks on healthcare organizations, one senior security professional in the medical industry said, "It's disturbing."
Speaking anonymously, as he wasn't cleared to speak on the record about this topic, he clarified those thoughts with personal experience.
Aside from passive attacks, where a poorly developed website is defaced by a bot scanning the Web, healthcare organizations don't usually consider activism to be a high-value threat. In fact, attacks such as those that targeted Boston Children's Hospital and Wayside Youth and Family Support are not considered likely, especially in the children's arena.
However, if the rumors and reported goals of OpJustina are true, the scary part of this type of attack for a healthcare organization isn't the DDoS attacks or defacement, it's the pivoting between systems that the attackers will do in order to obtain information. Such actions could inadvertently cause serious problems.
In theory, one of the systems being used to pivot could be a bio-medical system, which if tampered with – even unintentionally – could adversely affect patient care. In the case of Boston Children's Hospital, the patient is a kid.
Systems such as heart monitors, connected to a nurse's station in order to generate alerts, could see a flood of false positives, leading to degraded care.
Or worse, attackers pivoting between systems could accidentally disable one of those bio-medical systems, preventing a legitimate alert from reaching the nurse. Such a situation, unlikely but still possible depending how an organization's network is configured, would stand as a horrific unintended consequence of digital activism.
The experts CSO spoke with, including the professional who needed to remain anonymous, agree that those supporting Anonymous with OpJustina don't appear to be looking to cause physical harm to anyone, be they a child or adult. They're looking to right a perceived injustice.
But the problem is, the systems deployed by healthcare organizations are are so complex, so interconnected, and sadly, so fragile, that someone from Anonymous – during the process of searching for information related to a given cause or working on a defacement – could inadvertently hurt somebody.
This is because those conducting the attack will make assumptions about how a given system is networked or connected, but the reality of how those systems are linked is something completely different.
On the record, Eric Cowperthwaite, Vice President of Advanced Security and Strategy for Core Security, added that healthcare organizations need to be aware that things are changing.
"As healthcare becomes more and more regulated, more and more politicized, there will be an increase in public attention paid to cases like that of Justina Pelletier. And such cases will become more controversial as well," he told CSO in a statement.
"Hacktivist organizations are going to take notice of these things, especially because they will hold strong opinions that coincide with the questions surrounding patient care, patient rights, healthcare costs, etc. that become involved. Because of this, healthcare needs to realize that they are definitely going to be targets for hacktivist organizations."
This is the exact reason, he explained, why it's important that the security team within a healthcare organization be aware of contentious issues that are being dealt with by the business.
In related news, the FBI issued a warning to healthcare organizations earlier this month, urging them to upgrade security.
"The healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely," the FBI's memo stated in part.
Trey Ford, Global Security Strategist at Rapid7, commented further.
"Healthcare networks are not typically built with inherent mechanisms for detecting leaks or breaches in the way that financial networks might be. When payment information like credit and debit cards are stolen and moved to the black market, the payment system is designed to pinpoint a ‘common point of purchase’ so affected accounts can be quickly identified and isolated."
In contrast, Ford added, when fifty people have their identities stolen from a health care provider, there is no simple mechanism to pinpoint where the data was taken from, and who else may be affected.
"The timeline required to open new lines of credit, or assume identities is longer. This means the criminal responsible for the initial theft is protected by that wide gap between the crime and the detection."