It may not occur to many of you that hacktivists should be on your security risk analysis (SRA). In fact, they really must be on there in this digital age. You never know what could trigger a hacktivist to focus on your business and put you under attack. Why you may ask – well let’s discuss that now.
In this episode:
Are hacktivists on your SRA? – Ep 168
Today’s Episode is brought to you by:
Where to meet us
- 4medapproved Healthcare Cybersecurity Officer Live Webinar Workshop – Sept 12, 13, 19, 20, 2018 Use GRINDLE20 to get a 20% discount.
- Georgia Pediatric Practice Administrators, October 18
Next HIPAA Boot Camp
Live in Tucker, GA
October 25th and 26th
Want to be part of Help Me With HIPAA? Donate to the cause at www.HelpMeWithHIPAA.com/give
HMWH App now has more features. You can now access a PDF with the show notes ready for your HIPAA training documentation! Find it under the bonus feature in the app for both the Apple and Android versions. It is a little gift box on the app bar.
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
Are hacktivists on your SRA?
This week’s conviction of a hacktivist who took action back in 2014 against Boston Children’s hospital prompted this topic.
Boston Children’s got on the hacktivists radar when a case made the news. The parents of a 14-year-old girl had some medical issues. The doctors said she needed certain treatment. The parents disagreed and wanted to remove her from the hospital’s care. They potentiated the state and got her declared a ward of the state. The parents lost custody.
Anonymous then picked up the story and decided the girl’s rights had been violated so they should take action against the hospital. A guy in Massachusetts apparently took on the job for the collective. He used 40,000 malware-infected network routers to perform a DDoS attack for a week in April 2014.
Anonymous is the most famous of the hacktivists groups. They are the ones who have the Guy Fawkes masks. But a DDoS is a common attacker method for disrupting networks.
They did all kinds of attacks in the process going after the website, spear phishing employees, etc. They wreaked havoc for a week going after network resources, not the data.
The Center for Internet Security posted a blog about it back then: https://www.cisecurity.org/ddos-attacks-in-the-healthcare-sector/
Anonymous took action by conducting DDoS attacks against the hospital’s network, which resulted in others on that network, including Harvard University and all its hospitals, to lose Internet access as well. The networks experienced outages for almost a week, and some medical patients and medical personnel could not use their online accounts to check appointments, test results, and other case information, according to the Boston Globe. As a result, the hospital spent more than $300,000 responding to and mitigating the damage from this attack, according to the attacker’s arrest affidavit.
Apparently, the larger network that was impacted included 65,000 IP addresses. Now that was a huge impact. There is a case where the likelihood may be medium but the impact will be critical. Something you should consider how to address in your plans even if you don’t need a full plan.
What is also important to realize is that no matter who gets mad at you they can cause this kind of problem for you for as little as $150. That is what it costs to buy a week-long attack on your IP address on the dark web. All it will take is a little cash plus one really mad patient or patient relative or ex-employee or disgruntled employee or even hacktivists you don’t even know are out there.
There are other articles explaining cases of these types of attacks on healthcare such as:
BTW, it isn’t just hacktivist that could derail you these days. At any time you could even become a target of political activists that create havoc in your environment. It can be way unexpected and less than reasonable based on a crazy case in Oklahoma. This one had to do how communications and access were handled during an internet outage.
Children’s also had those communication issues to worry about during their attack. The phishing email attacks forced them to stop using email completely to communicate with the staff which made things much harder to manage. Guess what! Communications during an emergency will be covered in an upcoming episode.
It may not be something you have to list as a high-risk item on your SRA but you should at least consider the impact and how you would deal with these types of issues. By making the evaluation you can find ways to make small preparations or even know which one of your plans you will activate if an attack occurs. This isn’t a thing to take lightly these days.
Please remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!