Updated April 25, 2014, at 1:30 p.m. with comments from Boston Children’s Hospital.
Officials at Boston Children’s Hospital confirmed that they’d weathered some digital mayhem affecting the clinic’s web services in the weeks following threats from the online hacker group Anonymous.
Starting the weekend of April 19, BCH’s website has been "the target of multiple attacks designed to bring down the site by overwhelming its capacity," the hospital said. Similar types of attacks have been shown in lab testing to bring down medical devices and other hospital systems.
The hospital’s website has faced some outages, but it’s not clear that the disruptions are related to Anonymous and the group’s public demands regarding a pediatric patient made a ward of the state, BCH officials said. The hospital’s website was intermittently in and out of service during the writing of this article.
The Anonymous video called for volunteers to help overload BCH’s web services, a type of attack that many medical devices are also susceptible to. The Anonymous video doesn’t call for targeted attacks on medical devices, but many life-saving or sustaining technologies operate on hospital networks.
In a video uploaded late last month on YouTube a synthesized voice threatened to unleash "the full unbridled wrath of Anonymous" should BCH refuse to fire Dr. Alice Newton, a physician who helped bring medical child-abuse charges against the parents of 15-year-old Justina Pelletier.
Justina has been under the care of Massachusetts child protection agency since February 2013 and was living in a locked ward at BCH until she was transferred in January to a nearby residential care facility, the Wayside Youth & Family Support Network.
Web services at both Wayside and BCH have had issues in recent weeks, with a Twitter account purportedly associated with Anonymous claiming credit for helping overload Wayside’s website with traffic, causing it to lose service.
"Though we do not know the source, we are dismayed and concerned that someone would try to disrupt the important work we do with hundreds of children and families in various community and home settings," Wayside told the Boston Globe.
BCH told MassDevice.com that no patient information has been compromised and that patient care has not been interrupted.
"Boston Children’s technical and security professionals are working to resolve the situation as soon as possible," the hospital said. "We have also contacted law enforcement authorities, who are investigating the source of the attacks. We expect to return to normal operations soon, and are focused on providing our patients and families with the highest quality care throughout this challenging time."
Cyber-attacks that attempt to overload servers with a flood of requests, sometimes called "denial of service" or DoS attacks, aim to disrupt an organization’s workflow by wiping out access to cloud-based tools and resources. Programmers can insulate their systems from such attacks by ensuring that servers and devices aren’t permanently knocked out after being bombarded, but recent testing has shown that many medical devices lack such protections.
Researchers at SecureState reported last year that their penetration testing found that devices such as IV pumps and X-ray machines are vulnerable to the fairly rudimentary form of attack. Earlier last year a pair of security researchers used a DoS hack to demonstrate that a Philips (NYSE:PHG) Xper hospital management system could be infiltrated and "owned" fairly easily.
In September 2012 hackers used the same attack to take down web host GoDaddy.com, bringing down millions of websites worldwide – including MassDevice.com.