NEJM: When hackers attack a hospital

Contingency plans crucial to protect patients

Writing in NEJM this week, Boston Children's Hospital CIO Dan Nigrin explains why "health care organizations can no longer assume that they are immune from organized [cyber] attacks" and must prepare contingency plans for such events.

In April of this year, Nigrim's hospital was the victim of a cyberattack allegedly launched by the computer hacker group Anonymous.

Nearly every hospital has suffered a data breach—and experts warn it will get worse

Background on the Boston Children's attack

Anonymous is believed to have launched repeated cyberattacks against the Boston Children's website in protest of a controversial child-custody case.

The case involves 15-year-old Justina Pelletier, who was brought by her family to the hospital last year for treatment of severe intestinal problems and other issues. Physicians concluded that Pelletier's symptoms were mainly psychiatric and said the family was pushing for unnecessary treatment.

The hospital filed medical abuse charges against the family; the Massachusetts Department of Children and Families supported those charges.

On March 25, Juvenile Court Judge Joseph Johnston said that the parents' refused to cooperate with health care providers and were verbally abusive to hospital staff. Johnston ruled the parents unfit to provide for the child's medical and psychiatric needs and awarded the state permanent custody of Justina.

While there was no definitive evidence linking Anonymous to the attacks that took place against Children's, experts say the attempt to cripple Internet operations with a barrage of traffic is a hallmark of the hacker group.

Hackers from China increasingly target medical organizations

Moreover, Anonymous had publicly voiced interest in the case. Several weeks before the attack, the group claimed responsibility for an attack against the website of Wayside Youth and Family Support Network, the residential facility where Justina has been living under state custody. Anonymous also posted a YouTube manifesto threatening Boston Children's and Pelletier physician Alice Newton, who was the head of the hospital's child abuse prevention unit and filed the charges in the case.

The manifesto stated, "To the Boston Children's Hospital why do you employ people that clearly do not put patients first?", adding, "We demand that you terminate Alice W. Newton from her employment or you to [sic] shall feel the full unbridled wrath of Anonymous. Test us and you shall fail."

Anonymous also released the Internet address of Boston Children's website and details about the type of computer servers the facility uses. Although the website remained functional, some patients and medical staff for several days could not use their online accounts to check appointments, test results, and other information after the hospital shut down certain Web pages. No patient data was compromised.

Nigrin: Advance planning is critical to keep patients safe

According to Nigrin, "advance planning, well-trained and dedicated staff, the support of a multidisciplinary team, and the resources and expertise of the ISP and third-party partners" played a critical role in ensuring that no patient was harmed and no patient information was compromised.

In the NEJM article, Nigrin explains what hospitals must do in order to prepare themselves for such an attack.

First, he says hospitals should take inventory of all of their systems—clinical, research, and business processes and systems, among others—that depend on internet connectivity and create contingency plans in response to losing internet connectivity. Specifically, writes Nigrin, the organization should make preparations for how to facilitate internal processes that normally depend on email in case of an email outage. 

Hospital networks may leak valuable data

Nigrin also says that it is important to create workarounds in case of attacks to the hospital's EHR system. He writes, "Advance planning and attention to information security and business continuity cannot be stressed enough" and that organizations must "put...contingency plans and security technologies in place" to protect patient data (Nigrin, NEJM, 7/31).

Hear from our experts

Ernie Hood, Senior Research Director

Data breaches are pretty much (or just about) inevitable; what hospitals are failing to do is prepare for them.

We know from studies that the top indicator of how bad the consequences of a breach will be is how quickly and effectively an organization reacts to it. But hospitals are not spending the time needed to prepare for a breach in advance.


Next in the Daily Briefing

Chikungunya is spreading throughout the U.S. Here are the states most affected

Read now