Hackers purportedly representing Anonymous hit Boston Children's Hospital with phishing and DDoS attacks this spring. The hospital fought back with vigilance, internal transparency and some old-fashioned sneakernet. That – and a little bit of luck – kept patient data safe. On March 20, Dr. Daniel J. Nigrin, senior vice president for information services and CIO at Boston Children’s Hospital, got word that his organization faced an imminent threat from Anonymous in response to the hospital’s diagnosis and treatment of a 15-year-old girl removed from her parent’s care by the Commonwealth of Massachusetts.The hospital’s incident response team quickly convened. It prepared for the worst: “Going dark” – or going completely offline for as long as the threat remained.[ More: ‘Anonymous’ Targets Boston Children’s Hospital ]Luckily, it never came to that. Attacks did occur, commencing in early April and culminating on Easter weekend – also the weekend of Patriot’s Day, a Massachusetts holiday and the approximate one-year anniversary of the Boston Marathon bombings – but slowed to a trickle after, of all things, after a front-page story about the incident ran in The Boston Globe. No patient data was compromised over the course of the attacks, Nigrin says, thanks in large part to the vigilance of Boston Children’s (and, when necessary, third-party security firms). The organization did learn a few key lessons from the incident, and Nigrin shared them at the recent HIMSS Media Privacy and Security Forum.As Anonymous Hit, Boston Children’s Hit Back As noted, the hospital incident response team – not just the IT department’s – planned for the worst. Despite that fact that the information Anonymous claimed to have, such as staff phone numbers and home addresses, is the stuff of “script kiddies,” Nigrin says Children’s took the threat seriously.Attacks commenced about three weeks after the initial March 20 warning. Initially, the hospital could handle the Distributed Denial of Service (DDoS) attacks on its own. Anonymous changed tactics. Children’s responded. The hackers punched. The hospital counterpunched. As the weekend neared, though, DDoS traffic hit 27 Gbps – 40 times Children’s typical traffic – and the hospital had to turn to a third-party for help.The attacks hit Children’s external websites and networks. (Hackers also pledged to hit anyone linked to Children’s – including the energy provider NStar, which played no role in the child custody case at all but sponsors Children’s annual walkathon.) In response, Nigrin took down all websites and shut down email, telling staff in person that email had been compromised. Staff communicated using a secure text messaging application the hospital had recently deployed. Internal systems were OK, he says, so Children’s electronic health record (EHR) system, and therefore its capability to access patient data, wasn’t impacted.[ Research: Healthcare Security Brings Challenges, Opportunities, No Big Surprises ]In contrast to this internal transparency, Children’s, at the urging of federal investigators, didn’t communicate anything externally. Nonetheless, word got to The Boston Globe, which ran its front-page story on April 23.Nigrin, again, prepared for the worst. He didn’t have to. After the article came out, the Twitter account @YourAnonNews took notice, urging hackers to stop targeting a children’s hospital. Attacks continued, but at a much smaller clip. 6 Quick Tips for Beating Back HackersIn reflecting on the Anonymous attack, Nigrin offers the following security lessons that Boston Children’s learned.DDoS countermeasures are crucial. “We’re not above these kinds of attacks,” Nigrin says.Know which systems depend on external Internet access. As noted, the EHR system was spared, but the e-prescribing system wasn’t.Get an alternative to email. In addition to secure testing, Children’s used Voice over IP communications.In the heat of the moment, make no excuses when pushing security initiatives. Children’s had to shut down email, e-prescribing and external-facing websites quickly. “Don’t wait until it’s a fire drill,” Nigrin says.Secure your teleconferences. Send your conference passcode securely, not in the body of your calendar invite. Otherwise, the call can be recorded and posted on the Internet before you even hang up, he says.Separate signals from noise. Amid the Anonymous attack, several staff members reported strange phone calls from a number listed as 000-000-0000. At the time, it was hard to tell if this was related, and it made the whole incident that much harder to manage.Above all, Nigrin says healthcare organizations need to pay attention to the growing number of security threats the industry faces. “There are far more than we have seen in the past,” he says. Related content news Okta launches Cybersecurity Workforce Development Initiative New philanthropic and educational grants aim to advance inclusive pathways into cybersecurity and technology careers. By Michael Hill Oct 04, 2023 3 mins IT Skills Careers Security news New critical AI vulnerabilities in TorchServe put thousands of AI models at risk The vulnerabilities can completely compromise the AI infrastructure of the world’s biggest businesses, Oligo Security said. By Shweta Sharma Oct 04, 2023 4 mins Vulnerabilities news ChatGPT “not a reliable” tool for detecting vulnerabilities in developed code NCC Group report claims machine learning models show strong promise in detecting novel zero-day attacks. By Michael Hill Oct 04, 2023 3 mins DevSecOps Generative AI Vulnerabilities news Google Chrome zero-day jumps onto CISA's known vulnerability list A serious security flaw in Google Chrome, which was discovered under active exploitation in the wild, is a new addition to the Cybersecurity and Infrastructure Agency’s Known Exploited vulnerabilities catalog. By Jon Gold Oct 03, 2023 3 mins Zero-day vulnerability Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe