Three years ago, Boston Children’s experienced every hospital’s nightmare when it was hit with phishing and DDoS attacks by Anonymous.
It was a story that dominated the headlines — and not just those of health IT or even healthcare publications. And it’s a story Daniel Nigrin, MD, has told various times (including in a webinar with healthsystemCIO.com in 2015).
But it’s one he’ll gladly tell again to help educate fellow leaders, as he did during a session that was part of the AMDIS/HIMSS Physicians’ Executive IT Symposium at HIMSS. And let’s face it, the need is there. According to a report from TrapX Labs, sophisticated cyberattackers are now responsible for nearly a third of all major HIPAA data breaches reported in 2016, which represents a 300 percent increase in the last three years.
The result has been “an awakening” across the industry when it comes to cybersecurity, said Nigrin, who has been CIO at Boston Children’s for 16 years. Although he thought he had seen and heard everything after more than a decade at the helm, nothing could’ve prepared him — or his team — for an incident like this. Anonymous, a hacking collective that routinely targets corporations, famous people, or financial institutions in the name of social justice, took aim at the hospital in what they later claimed was a defense of a young patient who they believed was mistreated. The group posted details about the case online, along with information about BCH’s technology infrastructure (including the type of web server and the IP address). They eventually launched a DDoS attack, rendering the site inaccessible at times, and sent a massive influx of malware-laden emails.
Fortunately, the hospital avoided any major downtimes and managed to keep data safe, largely because leadership was proactive in shutting down any exposed ports, and because they kept the staff in the loop by sending out emails emphasizing vigilance. After a few very tense weeks, the attacks stopped when an Anonymous higher-up thought better of putting thousands of lives — those of children, no less — at risk in the name of justice.
“I never thought a children’s hospital would ever be the target of hackers,” said Nigrin. “This was a first.” It emphasized the need to have measures in place — a sentiment that is now shared by many. Rather than bury their heads in the sand when it comes to cybersecurity, leaders want to know how to protect their organizations.
“We have an obligation to talk about it and help colleagues understand that this is a real threat,” he said. In that spirit, Nigrin shared some of the key lessons learned during BCH’s ordeal.
- Trust your instincts. Rather than speculate as to whether the threats were legitimate, Nigrin convened the hospital’s incident response team to formulate a contingency plan.
- Be transparent. When Nigrin’s team sent out an email to 15,000 staffers about the imminent threats, it was worded “in an urgent way,” so there was no room for misinterpretation.
- Don’t go it alone. Because of the nature of the attack, BCH contacted the FBI and engaged a third-party vendor to help filter malicious traffic.
- Be prepared to “go dark.” In the event that ports are exposed, leadership has to be ready to cut off Internet access in order to protect data. In that same vein, know which systems — or which features within systems — depend on Internet access, and have contingency plans for those. In BCH’s case, “The EHR may not have gone down, but the functions that rely on Internet connections suffered,” said Nigrin.
- Don’t push back. “You need to view cybersecurity as a cost of doing business,” he noted. “When we’re able to protect patients and their privacy, it will be worth it.”
- Email isn’t the only form of communication. Nigrin’s team relied heavily on secure texting when email was down, which proved invaluable.
- It’s not an IT issue. In BCH’s case, “It wasn’t IT saying, ‘we need to shut this down,’” he said. “We put together an interdisciplinary group,” and made sure every leader knew the impact it would have on operations.
- The job is never finished. Cybersecurity “is a constant moving target, and it requires constant education.” For BCH, it means running simulated phishing exercises where those who click on suspicious links receive added training.
And finally, he encouraged all leaders who have experienced an attack to share the experience with others, which will help shine an even brighter light on cybersecurity.