Hospitals cannot assume they're safe from hackers, writes Daniel J. Nigrin, M.D., in a perspective on healthcare cybersecurity at The New England Journal of Medicine.
Nigrin, senior vice president for information services and CIO at Children's Hospital Boston, writes about lessons learned from an attack in April believed to be the work of the hacker group Anonymous. There is no direct evidence implicating the group in the attack, though it had taken up the cause of a teenage girl placed in state custody.
"As healthcare organizations push forward to further enable electronic health records ... the potential effect of losing Internet connectivity is large, and the analysis required to understand that effect is complex," Nigrin writes.
In addition to flooding the hospital's website with traffic, the attackers targeted other electronic systems. Rather than losing access to networks or applications outright, the hospital lost only specific functions: clinicians could still create and print prescriptions, for example, but could not route them electronically to pharmacies.
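The complexity Nigrin points to is that losing one shared component, such as the Internet uplink, does not take a workflow down wholesale; it removes particular steps. The following is an added example, not code from Nigrin's article or from the hospital, showing how a small dependency model answers "which functions survive if service X is lost?" and which downed services block each one. Every service and function name in it is constructed for illustration.

```python
# Added example, not from Nigrin's NEJM piece: a small dependency model
# used to answer "which clinical functions survive if service X is lost?".
# All service and function names below are constructed for illustration.

# Each service maps to the services it needs in order to operate.
DEPENDENCIES = {
    "internet_uplink": [],
    "lan": [],
    "ehr_server": ["lan"],
    "print_server": ["lan"],
    "mail_server": ["lan", "internet_uplink"],
    # e-prescribing gateway: relays scripts to outside pharmacies
    "erx_gateway": ["ehr_server", "internet_uplink"],
    "public_website": ["internet_uplink"],
}

# Each clinical or business function maps to the services it requires.
FUNCTIONS = {
    "write_prescription": ["ehr_server"],
    "print_prescription": ["ehr_server", "print_server"],
    "eprescribe_to_pharmacy": ["erx_gateway"],
    "staff_email": ["mail_server"],
    "patient_portal": ["public_website", "ehr_server"],
}


def failed_services(initial_failures, deps=DEPENDENCIES):
    """Return every service that is down once failures propagate.

    A service is down if it is in the initial failure set or if any
    service it depends on is down.  Iterates to a fixed point so the
    result does not depend on dictionary order or chain length.
    """
    down = set(initial_failures)
    changed = True
    while changed:
        changed = False
        for svc, needs in deps.items():
            if svc not in down and any(n in down for n in needs):
                down.add(svc)
                changed = True
    return down


def impact(initial_failures, deps=DEPENDENCIES, funcs=FUNCTIONS):
    """Classify each function as available or unavailable for a failure set.

    For unavailable functions, record which downed services block them;
    that is the information needed to pick a manual workaround (e.g. print
    and fax a script when the e-prescribing gateway is unreachable).
    """
    down = failed_services(initial_failures, deps)
    unavailable = {}
    available = []
    for name, needs in funcs.items():
        blockers = sorted(n for n in needs if n in down)
        if blockers:
            unavailable[name] = blockers
        else:
            available.append(name)
    return {
        "down_services": sorted(down),
        "available": sorted(available),
        "unavailable": unavailable,
    }


def single_points_of_failure(deps=DEPENDENCIES, funcs=FUNCTIONS):
    """Services whose loss alone takes out every modelled function."""
    return sorted(
        svc for svc in deps
        if not impact([svc], deps, funcs)["available"]
    )


if __name__ == "__main__":
    for scenario in (["internet_uplink"], ["mail_server"], ["lan"]):
        report = impact(scenario)
        print(f"Lose {scenario}: available={report['available']}, "
              f"unavailable={report['unavailable']}")
    print("Single points of failure:", single_points_of_failure())
```

Running the uplink scenario reproduces the partial-degradation pattern described above: prescriptions can still be written and printed, but electronic routing, staff email and the patient portal drop out. The blocker list per function is what a downtime procedure should be written against, and the single-point-of-failure check is a cheap way to find where redundancy buys the most.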
The attackers also sent "spear phishing" emails, trying to get recipients to click embedded links or open attachments in order to gain a foothold on the network behind the firewall, according to Nigrin. Warning staff was difficult because traditional channels of communication were also affected; the hospital shut down its email system entirely in response.
No patient data were damaged or exposed, Nigrin writes, but the experience underscores the need for organizations to be prepared, which has been the message of multiple warnings issued to healthcare in recent months.
In a second piece on cybersecurity at NEJM, Eric Perakslis, executive director of Harvard Medical School's Center for Biomedical Informatics and former CIO and chief scientist at the U.S. Food and Drug Administration, reiterates that HIPAA compliance does not equal security.
"Just as public health strategies have been developed to detect and track emerging epidemics, identify population risks and vulnerabilities, and prevent or ameliorate adverse effects, analogous approaches can be used to improve cybersecurity in healthcare delivery organizations," Perakslis writes.
He advocates for an "active learning approach" to cybersecurity, including:
- Active, real-time surveillance of emerging cyber threats
- Risk-based analysis and modeling that takes threats, risks and vulnerabilities of information systems into account
- Creating effective regulation to ensure safety and privacy without being burdensome