Boston Children’s Hospital: Hacktivism and DDoS attacks

Boston Children’s Hospital (US): Hacktivism and DDoS attacks

In 2014, the Boston Children’s Hospital (located in the US) was targeted by a DDoS attack. A DDoS attack is a Distributed Denial of Service attack, meaning that multiple systems target a single system in such a way that the targeted system cannot deliver its intended services. The person behind the attack purportedly represented Anonymous, a well known hacktivism group (Eastwood, 2014; Radware, 2015). Hacktivism is a combination of the words hacking and activism. Hacktivism is carried out as a form of protest or under the guise of it. 

Boston Children’s Hospital was first threatened via Twitter, because of a high-profile child custody case. The hospital admitted a girl in their care who was taken into custody by Massachusset’s child services. The case received national attention, and some religious and political groups felt that the government interfered with parental rights (Raymond, 2018). After the hospital did not comply to the threats, multiple DDoS attacks were initiated (Radware, 2015). The attacks were found out to be carried out by one man, claiming to be affiliated to Anonymous, who has been sentenced to 10 years in prison (Cote, 2018; Raymond, 2018).

The first DDoS attack resulted in bringing down the external website of the hospital. The second set of attacks slowed legitimate inbound and outbound traffic. Mitigation methods that were already in place helped to prevent worse, as well as the efforts of an external security firm (Eastwood, 2014; Radware, 2015). The third set of attacks were directly targeted at the hospital networks to try and gain access. The attackers also used spear phishing (tailored phishing attempts) emails to try and gain access to the hospital’s network (Radware, 2015; Raymond, 2018).

As Boston Children’s Hospital had a multidisciplinary incident response team and policy already in place, they were able to mitigate the DDoS attacks. However, the hospital’s network was disrupted over the course of two weeks. The hospital lost over $600.000 as a result of the DDoS attacks (Cote, 2018). However the attacks could have yielded much worse consequences according to Radware (2015). They suggest the following potential consequences could have happened:

  • Inability to route prescriptions electronically to pharmacies
  • Email downtime for departments where email supports critical processes
  • Inability to access remotely hosted electronic health records

Several of these could have had deadly consequences. Furthermore, because Boston Children’s Hospital shares an Internet Service Provider (ISP) with seven other hospitals, the attack could have spilled over, leading to potential impacts to their network and operations.

All healthcare organisations must be aware that they may be seen as attractive targets for different types of cyberattacks by all sorts of actors, including hacktivist groups. While full protection against attacks is not possible, having actionable incident response plans and teams in place will help to prevent worst case scenarios from being realised. These plans should be communicated well and updated constantly as threats and risks evolve (Eastwood, 2014; Radware, 2015).

Literature

Cote, J. (2018, August 1). Somerville man convicted for attack on Boston Children’s Hospital computer network – The Boston Globe. Retrieved 30 September 2019, from BostonGlobe.com website: https://www.bostonglobe.com/metro/2018/08/01/somerville-man-convicted-for-attack-boston-children-hospital-computer-network/xIBNuhaO0n3FJIxwz4Z9SL/story.html

Eastwood, B. (2014, September 15). How Boston Children’s Hospital Hit Back at Anonymous. Retrieved 30 September 2019, from CIO website: https://www.cio.com/article/2682872/how-boston-childrens-hospital-hit-back-at-anonymous.html

Radware. (2015). DDoS Case Study: DDoS Attack Mitigation Boston Children’s Hospital. Retrieved from https://security.radware.com/ddos-experts-insider/ert-case-studies/boston-childrens-hospital-ddos-mitigation-case-study/

Raymond, N. (2018, August 1). Massachusetts man convicted of cyber attack on hospital. Reuters. Retrieved from https://www.reuters.com/article/us-massachusetts-cyber-idUSKBN1KM6D0