A massive distributed denial-of-service (DDoS) attack crippled New Hampshire-based Dyn, one of the major domain name system hosts that monitors and reroutes internet traffic, on October 21 and raised concerns about the healthcare industry’s ability to function in the face of a widespread outage.
The attack, which targeted Dyn’s managed DNS infrastructure, knocked out major websites and essentially shut down internet traffic starting around 7 a.m., according to Dyn’s statement. The first wave affected users on the East Coast while users in other parts of the country experienced no problems. Although Dyn was able to restore access after the first attack, subsequent DDoS attacks that day knocked out access to users on the West Coast and across the country. Major websites were inaccessible, including Dyn’s marquee sites Twitter and Netflix. In comments on Athena Health’s Facebook page, users reported that Athena Health’s electronic medical record (EMR) services went down during the attack. Dyn was able to mitigate these attacks and restore access.
Amazon Web Services—a cloud computing service used to support websites such as General Electric and Capital One—also experienced outages around the same time, CNN reported.
The attack poses a number of troubling questions and exposes serious vulnerabilities in the systems and services most organizations rely on. The attack was launched through networked devices such as routers and security cameras and not simply desktop or laptop computers. Dyn is still investigating the incident but called the attack sophisticated and said it hit across multiple attack vectors and internet locations. The attacks leveraged devices infected by Mirai, a botnet that was the subject of a United States Computer Emergency Readiness Team (US-CERT) alert October 14.
A bot is a type of malware that allows a hacker to take control of the infected device. A botnet is a self-propagating network of devices infected by a bot. In September, Mirai was used to launch the largest recorded DDoS attack, and the source code for Mirai was released on the internet, US-CERT said. US-CERT expects that the number of Mirai DDoS attacks will increase and warns that cybersecurity professionals must increase protections against such attacks.
Healthcare professionals should be aware that many systems used for communication and for accessing, sending, or storing data are connected to the internet and can be shut down by a DDoS attack. A solid, tested disaster recovery and business continuity plan must be in place before an incident happens, Chris Apgar, CISSP, says.
“If the network goes down because of a DDoS, the EHR may not be accessible, phone systems that rely on the internet may go down and so forth,” he says. “These lessons have been with us for some time but the industry has been very slow to address even basic information security requirements.”
Organizations must be prepared to operate without access to networked systems, William M. Miaoulis, CISA, CISM, says. “Ensure clinical personnel have enough information to treat patients regardless of computer downtime,” he says.
Healthcare organizations have been the direct target of DDoS attacks. In 2014, Boston Children’s Hospital was hit with phishing and DDoS attacks.