Boston Children’s Hospital: Hacktivism and DDoS attacks
Boston Children’s Hospital (US): Hacktivism and DDoS attacks
In 2014, the Boston Children’s Hospital (located in the US) was targeted by a DDoS attack. A DDoS attack is a Distributed Denial of Service attack, meaning that multiple systems target a single system in such a way that the targeted system cannot deliver its intended services. The person behind the attack purportedly represented Anonymous, a well known hacktivism group (Eastwood, 2014; Radware, 2015). Hacktivism is a combination of the words hacking and activism. Hacktivism is carried out as a form of protest or under the guise of it.
Boston Children’s Hospital was first threatened via Twitter, because of a high-profile child custody case. The hospital admitted a girl in their care who was taken into custody by Massachusset’s child services. The case received national attention, and some religious and political groups felt that the government interfered with parental rights (Raymond, 2018). After the hospital did not comply to the threats, multiple DDoS attacks were initiated (Radware, 2015). The attacks were found out to be carried out by one man, claiming to be affiliated to Anonymous, who has been sentenced to 10 years in prison (Cote, 2018; Raymond, 2018).
The first DDoS attack resulted in bringing down the external website of the hospital. The second set of attacks slowed legitimate inbound and outbound traffic. Mitigation methods that were already in place helped to prevent worse, as well as the efforts of an external security firm (Eastwood, 2014; Radware, 2015). The third set of attacks were directly targeted at the hospital networks to try and gain access. The attackers also used spear phishing (tailored phishing attempts) emails to try and gain access to the hospital’s network (Radware, 2015; Raymond, 2018).
As Boston Children’s Hospital had a multidisciplinary incident response team and policy already in place, they were able to mitigate the DDoS attacks. However, the hospital’s network was disrupted over the course of two weeks. The hospital lost over $600.000 as a result of the DDoS attacks (Cote, 2018). However the attacks could have yielded much worse consequences according to Radware (2015). They suggest the following potential consequences could have happened:
- Inability to route prescriptions electronically to pharmacies
- Email downtime for departments where email supports critical processes
- Inability to access remotely hosted electronic health records
Several of these could have had deadly consequences. Furthermore, because Boston Children’s Hospital shares an Internet Service Provider (ISP) with seven other hospitals, the attack could have spilled over, leading to potential impacts to their network and operations.
All healthcare organisations must be aware that they may be seen as attractive targets for different types of cyberattacks by all sorts of actors, including hacktivist groups. While full protection against attacks is not possible, having actionable incident response plans and teams in place will help to prevent worst case scenarios from being realised. These plans should be communicated well and updated constantly as threats and risks evolve (Eastwood, 2014; Radware, 2015).
Literature