In 2014, Boston Children's Hospital became the first health care organization to be targeted by a hacktivist group. Because the hospital uses the same Internet Service Provider (ISP) as seven other area health care institutions, the organized DDoS attacks had the potential to bring down multiple pieces of Boston's critical health care infrastructure.
Download a Copy Now
Everyone Is a Potential Target: Denial of Service (DoS) Attack Case Analysis on Boston Children's Hospital
Boston Children's Hospital (BCH) is ranked nationally in 10 pediatric specialties, with about 25,000 inpatient admissions each year and 557,000 visits scheduled annually through 200+ specialized clinical programs. In 2014, Boston Children's Hospital became the first health care organization to be targeted byby DDoS attacks from a hacktivist group. Because the hospital uses the same Internet Service Provider (ISP) as seven other area health care institutions, the organized DDoS attacks had the potential to bring down multiple pieces of Boston's critical health care infrastructure.
With health care now highly dependent on digital records and network connectivity, inability to access information systems could have far-reaching impacts beyond dollars spent. Patient and staff safety could be compromised. Lives could be lost.
While Boston Children's Hospital and the other health care institutions survived the attacks with the DDoS attack mitigation strategies, their experiences should serve as a wakeup call for any health care entity that isn't already serious about DDoS protection. To its credit, the medical community seems to have recognized the gravity of the situation, and many institutions are implementing rigorous DDoS prevention measures.
What follows is a summary by Radware's Emergency Response Team as experienced from the front lines. It describes their DDoS attack mitigation efforts to stop the attack.
The DDoS Attacks on Boston Children's Hospital: A Timeline
Purportedly the work of hacktivist group Anonymous, the DDoS attacks launched against Boston Children's Hospital began with a threat and then involved three major strikes.
Pre-Strike Doxing
On March 20, 2014, leaders at Boston Children's Hospital received word of a threatening Twitter message attributed to Anonymous. The message related to a high-profile child-custody case in which a 15-year-old girl with a complex diagnosis was taken into custody by Massachusetts protective services. The message threatened retaliation if the hospital did not take disciplinary action against certain clinicians and return the child to her parents. Attackers even posted personal information—home addresses, email addresses, and phone numbers—of some of the people involved. (This activity is known as "doxing.")
DDoS Attack Strike #1 - Low-Rate Attacks
Starting in early April 2014, the attackers made good on their threats, targeting the hospital's external website with a DDoS attack.
DDoS Attack #2 - Attacks Ramp Up
Over the course of a week, the attacks increased to the point that they slowed legitimate inbound and outbound traffic. This second string of attacks—DDoS attacks, scans, and intrusion attempts—included TCP fragmented floods, out-of-state floods, and DNS reflection floods (including UDP fragment floods). DDoS attack mitigation efforts were able to stop DDoS attacks from reaching the targeted servers.
DDoS Attack Strike #3 - Attacks Peak
The third strike peaked at nearly four times that of the second strike, reaching 28 Gbps. This time, the attackers made multiple attempts to penetrate the hospital's network through direct DDoS attacks on exposed ports and services. The attackers also used "spear phishing" emails to try to lure recipients into clicking embedded links or opening attachments, thereby granting access to part of the network behind the hospital's firewall.
DDoS Attack Mitigation: The Response to the DDoS Attacks
As soon as it became aware of the initial threat, Boston Children's Hospital activated its multidisciplinary incident response team. The team had to quickly assess what services would be compromised or lost if the hospital were to lose Internet connectivity. (The hospital had not conducted such an assessment prior to the DDoS attacks.) The team quickly identified three critical potential impacts:
- Inability to route prescriptions electronically to pharmacies
- Email downtime for departments where email supports critical processes
- Inability to access remotely hosted electronic health records
The Boston Children's Hospital team invoked Radware's Emergency Response Team to perform DDoS attack mitigation, and used Radware's scrubbing center to handle the massive rate of DDoS attacks. Because Boston Children's Hospital shares an ISP with other hospitals, seven other health care institutions also faced potential impacts to their network and operations.
Lessons Learned
The DDoS attacks against Boston Children's Hospital are significant not because of their technical sophistication but because they demonstrate that any organization, including healthcare entities, can be a target for cyber-attacks.
As Boston Children's Hospital CIO Dr. Daniel J. Nigrin subsequently wrote in The New England Journal of Medicine, "In clinical settings, such attacks can clearly have adverse effects on patient care. Health care organizations should strongly consider investing the time and resources in IT security systems and operational best practices to ensure that they are prepared to … defend against these new threats, if and when they occur" ("When 'Hacktivists' Target Your Hospital," The New England Journal of Medicine 371 (2014): 393-395).
Healthcare entities, like all organizations, must ensure continual vigilance regarding information security. Organizations want to know how to prevent DDoS attacks, but foolproof anti-DDoS protection isn't possible. Instead, organizations need to devote resources to developing a strategic DDoS mitigation plan, and that plan must be communicated well and updated constantly as threats and risks evolve.
This kind of vigilance becomes all the more important because of the potential for a domino effect. We have entered an era in which cyber-attacks can be more than disruptive and expensive—they can also be deadly. Had Radware's DDoS attack mitigation not been successful, care delivery—and patients' lives—at Boston Children's Hospital and seven other hospitals would have been in peril.