Activism's slippery slope: Anonymous targets children's hospital

Supporters of the faceless collective known as Anonymous have taken up the cause of a young girl, after the State of Massachusetts removed her from her parents earlier this year. However, the methods used to show support may have unintended consequences, which could impact patient care.

On Thursday, the Boston Children's Hospital confirmed that they were subjected to multiple DDoS attacks over the Easter holiday. Said attacks, which have continued throughout the week, aim to take the hospital's website offline. Similar attacks, including website defacement, have also targeted the Wayside Youth and Family Support Network. Both organizations are at the heart of a sensitive topic, child welfare and the rights of a parent.

No one person or group has come forward to claim responsibility for the attacks, but chatter on the Internet has put the blame for these incidents on Anonymous and those supporting OpJustina.

Anonymous in action:

OpJustina started earlier this year after supporters of Anonymous learned of Justina Pelletier, a fifteen year-old girl who was removed from her parent's care by the State of Massachusetts.

Justina was diagnosed with mitochondrial disease (a disorder that causes loss of muscle coordination and weakness) years ago, but by all accounts lived a normal life.

Earlier this year, she was admitted to Boston Children's after getting the flu. A different team of doctors questioned the diagnosis of mitochondrial disease, instead telling her parents (Lou and Linda Pelletier) that their daughter's problem was mental, diagnosing her with somatoform disorder.

Her parents disagreed, and started the process of having their daughter discharged from Boston Children's, which led to a war of words with the doctors. The heated debate over the girl's condition led to her parents being removed from the hospital by security and the Department of Children and Families being brought in.

After a series of legal maneuvers, Justina was made a ward of the state, and removed from her family's care. At issue is the controversial concept called medical child abuse.

The legal dilemma, and the family's charge of kidnapping against the state to the media, is what led Anonymous supporters to rally around the girl's cause.

Initially, Anonymous used social media and personal blogs to spread their support and draw the media's spotlight. They also setup petitions calling for the girl to be returned to her family.

The activism started in February, gaining momentum in March, but that started to slow some by the end of the month. All that changed when lawyers representing the family released a note allegedly written by Justina, stating that workers in the facility where she is staying were abusing her. At that point, OpJustina gained traction again, and the various Web-based attacks increased.

A new threat vector:

When asked his opinion on OpJustina, as it relates to the attacks on healthcare organizations, one senior security professional in the medical industry said, "It's disturbing."

Speaking on background, as he wasn't cleared to speak on the record about this topic, he clarified those thoughts with personal experience.

Aside from passive attacks, where a poorly developed website is defaced by a bot scanning the Web, healthcare organizations don't usually consider activism to be a high-value threat. In fact, attacks such as those that targeted Boston Children's Hospital and Wayside Youth and Family Support are not considered likely, especially in the children's arena.

However, if the rumors and reported goals of OpJustina are true, the scary part of this type of attack for a healthcare organization isn't the DDoS attacks or defacement, it's the pivoting between systems that the attackers will do in order to obtain information. Such actions could inadvertently cause serious problems.

In theory, one of the systems being used to pivot could be a bio-medical system, which if tampered with even unintentionally could adversely affect patient care. In the case of Boston Children's Hospital, the patient is a kid.

Systems such as heart monitors, connected to a nurse's station in order to generate alerts, could see a flood of false positives, leading to degraded care.

Or worse, attackers pivoting between systems could accidentally disable one of those bio-medical systems, preventing a legitimate alert from reaching the nurse. Such a situation, unlikely but still possible depending how an organization's network is configured, would stand as a horrific unintended consequence of digital activism.

The experts CSO spoke with, including the professional who needed to remain on background, agree that those supporting Anonymous with OpJustina don't appear to be looking to cause physical harm to anyone, be they a child or adult. They're looking to right a perceived injustice.

But the problem is, the systems deployed by healthcare organizations are are so complex, so interconnected, and sadly, so fragile, that someone from Anonymous during the process of searching for information related to a given cause or working on a defacement could inadvertently hurt somebody.

This is because those conducting the attack will make assumptions about how a given system is networked or connected, but the reality of how those systems are linked is something completely different.

On the record, Eric Cowperthwaite, Vice President of Advanced Security and Strategy for Core Security, added that healthcare organizations need to be aware that things are changing.

"As healthcare becomes more and more regulated, more and more politicized, there will be an increase in public attention paid to cases like that of Justina Pelletier. And such cases will become more controversial as well," he told CSO in a statement.

"Hacktivist organizations are going to take notice of these things, especially because they will hold strong opinions that coincide with the questions surrounding patient care, patient rights, healthcare costs, etc that become involved. Because of this, healthcare needs to realize that they are definitely going to be targets for hacktivist organizations."

This is the exact reason, he explained, why it's important that the security team within a healthcare organization be aware of contentious issues that are being dealt with by the business.

In related news, the FBI issued a warning to healthcare organizations earlier this month, urging them to upgrade security.

"The healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely," the FBI's memo stated in part.

Trey Ford, Global Security Strategist at Rapid7, commented further.

"Healthcare networks are not typically built with inherent mechanisms for detecting leaks or breaches in the way that financial networks might be. When payment information like credit and debit cards are stolen and moved to the black market, the payment system is designed to pinpoint a common point of purchase' so affected accounts can be quickly identified and isolated."

In contrast, Ford added, when fifty people have their identities stolen from a health care provider, there is no simple mechanism to pinpoint where the data was taken from, and who else may be affected.

"The timeline required to open new lines of credit, or assume identities is longer. This means the criminal responsible for the initial theft is protected by that wide gap between the crime and the detection."

Join the CSO newsletter!

Error: Please check your email address.

Tags AnonymoushacktivismDDoS attacksecurityhealthcare data securityOpJustinaBoston Children's Hospital

More about CSOFBIRapid7

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Steve Ragan

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts