How Boston Children’s dodged an attack

This past week the FBI released details on a cyberattack against Boston Children’s Hospital in November of last year. Prior to the attack, CISA and others sent alerts out to the healthcare community warning stakeholders of an imminent state-sponsored cyberattack. No specifics about the threat were given at the time, but now we know more.

Iranian state actors had identified and developed exploits to attack Microsoft Exchange and Fortinet vulnerabilities. Once their malicious code was successfully embedded in numerous organizations, they notified a cyber-tracking company of their intent to launch the attack, identifying a children’s hospital as one of the intended victims.

Fortunately, cyber experts discovered that the Iranians had exploited HVAC systems and were planning to use them as their threat vector. That clue allowed the FBI and other cybersecurity experts to identify Boston Children’s as the intended target, and they thwarted the attack.

What does this tell the rest of us? The extent of the vulnerabilities we face is often underestimated. ANY networked device can be an attack vector. If you’re plugging all of these holes yourself, or not paying for professional IT management, these types of vulnerabilities often go unaccounted for. Worse, if you are attacked, not having professional IT management in place delays your response when every moment is critical.

As protectors of sensitive information, it’s the law and your responsibility to do all that you can to maintain effective defenses. If you’re unsure of where you stand, we can test your network and improve your protection.