Six Lessons From Boston Children’s Hacktivist Attack

Boston Children’s Hospital CIO Daniel Nigrin, M.D., discussed how the distributed denial of service (DDoS) attack his organization endured in 2014 spurred it to action.

Most health system CIOs have heard about the 2014 attack on Boston Children’s Hospital by a member or members of the activist hacker group Anonymous. The hospital was forced to deal with a distributed denial of service (DDoS) attack as well as a spear phishing campaign. Yesterday, as part of the Harvard Medical School Clinical Informatics Lecture Series, the hospital’s senior vice president and CIO Daniel Nigrin, M.D., discussed six lessons learned from the attack.

Although the cyber-attack took place four years ago, there have been some recent developments. The attack was undertaken to protest the treatment of a teenager, Justina Pelletier, in a dispute over her diagnosis and custody between her parents and the hospital. In August 2018 Martin Gottesfeld, 32, was convicted of one count of conspiracy to damage protected computers and one count of damaging protected computers. U.S. District Court Judge Nathaniel Gorton scheduled sentencing for Nov. 14, 2018. Gottesfeld was charged in February 2016. According to the U.S. Department of Justice, Gottesfeld launched a massive DDoS attack against the computer network of the Boston Children’s Hospital. He customized malicious software that he installed on 40,000 network routers that he was then able to control from his home computer. After spending more than a week preparing his methods, on April 19, 2014, he unleashed a DDoS attack that directed so much hostile traffic at the Children’s Hospital computer network that he temporarily knocked Boston Children’s Hospital off the Internet.

In his Oct. 17 talk, Nigrin said cyber criminals still see healthcare as a soft target compared to other industries. “The bottom line is that in healthcare, we have not paid attention to cybersecurity,” he said. “In the years since this attack, we have seen ransomware attacks that have brought hospital systems to their knees. We have to pay more attention and invest more in terms of dollars and technical people, but it really does extend to entire organizations: educating people about what a phishing attack is, what a social engineering attack is. These need to be made a priority.”