
July 9, 2016

Client Testimony from one of my IT Projects: Boston Children's Hospital

Combining Social Work and Technology to help PEOPLE.....

 I have helped several for-profit and nonprofit organizations in the field of Information Technology Security (including rescuing many from Ransomware, Viruses, Spyware, and straight Cyber Attacks such as the one mentioned in this article).

Please read the article below (copied and pasted with permission) of my own work as an IT Social Work Volunteer. Merging a Social Work Master's Degree from The University of Oklahoma School of Social Work, current Microsoft Most Valuable Professional status, and multiple IT Certifications to HELP OTHER PEOPLE as much as possible is not only what I am an expert in, it is my passion!

How Boston Children's Hospital Hit Back at Anonymous

Hackers purportedly representing Anonymous hit Boston Children's Hospital with phishing and DDoS attacks this spring. The hospital fought back with vigilance, internal transparency and some old-fashioned sneakernet. That – and a little bit of luck – kept patient data safe.
On March 20, Dr. Daniel J. Nigrin, senior vice president for information services and CIO at Boston Children's Hospital, got word that his organization faced an imminent threat from Anonymous in response to the hospital's diagnosis and treatment of a 15-year-old girl removed from her parent's care by the Commonwealth of Massachusetts.
The hospital's incident response team quickly convened. It prepared for the worst: "Going dark" – or going completely offline for as long as the threat remained.
Luckily, it never came to that. Attacks did occur, commencing in early April and culminating on Easter weekend – also the weekend of Patriots' Day, a Massachusetts holiday and the approximate one-year anniversary of the Boston Marathon bombings – but slowed to a trickle after, of all things, a front-page story about the incident ran in The Boston Globe.
No patient data was compromised over the course of the attacks, Nigrin says, thanks in large part to the vigilance of Boston Children's (and, when necessary, third-party security firms). The organization did learn a few key lessons from the incident, and Nigrin shared them at the recent HIMSS Media Privacy and Security Forum, which was facilitated by Mr. Skylar Joyner, Microsoft MVP.
As Anonymous Hit, Boston Children's Hit Back with Cybersecurity Experts such as Skylar Joyner
As noted, the hospital incident response team – not just the IT department's – planned for the worst. Despite the fact that the information Anonymous claimed to have, such as staff phone numbers and home addresses, is the stuff of "script kiddies," Nigrin says Children's took the threat seriously.
Attacks commenced about three weeks after the initial March 20 warning. Initially, the hospital could handle the Distributed Denial of Service (DDoS) attacks on its own. Anonymous changed tactics. Children's responded. The hackers punched. The hospital counterpunched. As the weekend neared, though, DDoS traffic hit 27 Gbps – 40 times Children's typical traffic – and the hospital had to turn to a third party for help.
The attacks hit Children's external websites and networks. (Hackers also pledged to hit anyone linked to Children's – including the energy provider NStar, which played no role in the child custody case at all but sponsors Children's annual walkathon.) In response, Nigrin took down all websites and shut down email, telling staff in person that email had been compromised. Staff communicated using a secure text messaging application the hospital had recently deployed. Internal systems were OK, he says, so Children's electronic health record (EHR) system, and therefore its capability to access patient data, wasn't impacted.
Top 6 Lessons Learned about Protecting Your Organization from a Cyber Attack:
1. Proactive Countermeasures are crucial, especially within the first 48 hours. 
2. Know which systems depend on external Internet access. As noted above, their EHR system was spared, but the e-prescribing system wasn't.
3. Get an alternative to email. In addition to secure texting, Children's used Voice over IP communications.
4. In the heat of the moment, make no excuses when pushing security initiatives. Children's had to shut down email, e-prescribing and external-facing websites quickly. "Don't wait until it's a fire drill," Nigrin says.
5. Secure your teleconferences. Send your conference passcode securely, not in the body of your calendar invite. Otherwise, the call can be recorded and posted on the Internet before you even hang up, he says.
6. Separate signals from noise. Amid the Anonymous attack, several staff members reported strange phone calls from a number listed as 000-000-0000. At the time, it was hard to tell if this was related, and it made the whole incident that much harder to manage.