A hacker group sponsored by the Iranian government attempted last year to carry out a cyberattack on the computer system at Boston Children’s Hospital, FBI Director Christopher Wray said Wednesday.
The attempted hack, which was revealed as increasingly advanced cyberattacks targeting critical infrastructure continue to surge, was thwarted by the FBI’s Boston field office last summer after the agency was tipped off by an unspecified intelligence partner.
It would have been “one of the most despicable cyberattacks I’ve ever seen,” Wray said, speaking Wednesday morning at the sixth annual Boston Conference on Cyber Security at Boston College.
“Quick actions by everyone involved, especially at the hospital, protected both the network and the sick kids” who depend on the facility for treatment, Wray said.
Boston Children’s, one of the largest pediatric care hospitals in the United States, said in a statement that it was the FBI and hospital staff’s work in tandem that “proactively thwarted the threat to our network.”
Joseph Bonavolonta, special agent in charge of the FBI’s Boston division, added that the attack was caught early enough to prevent any damage to the network or the hospital’s data. He declined to discuss the specific nature of the attack in detail, citing security reasons.
He said it wasn’t clear if the hackers planned to target the hospital with ransomware, a type of malware that blocks access to a user’s data or servers unless a ransom is paid. That’s because the FBI stopped the attack before it could progress to that stage.
But in November, the FBI said in an alert that hackers associated with the Iranian government had accessed the “environmental control network” at an unidentified children’s hospital in the United States last June.
The environmental control network refers to the hospital’s HVAC system, said John Riggi, the national adviser for cybersecurity and risk for the American Hospital Association. It’s possible hackers attempted to access the hospital’s networks through a third-party HVAC network used in the hospital, said Riggi, a former senior executive with the FBI. Or, he said, a malicious group could have been attempting to take control of the facility’s temperature control system.
The failed attack on Boston Children’s highlights the proliferation of ransomware attacks over the last several years, particularly at health care facilities, experts said.
“The basic equation is that more and more of our data is digitized,” said Ryan Ellis, an associate professor of communications studies at Northeastern University who has researched cybersecurity. “We rely on common systems, we rely on common software. And when there are vulnerabilities across networks ... it can become fairly easy for gangs to operate on economies of scale. If you find a vulnerability impacting Microsoft Exchange, that’s a lot of targets now at your fingertips.”
For hospitals, the issue has been amplified by the pandemic. Most facilities were forced to deploy large quantities of network-connected technology in a very short period of time, Riggi said, leaving more vulnerabilities for hackers to take advantage of.
“What all that did was expand our so-called attack surface, meaning many more entry points into our networks, and into our data,” Riggi said. “Our cyber adversaries, the bad guys, took advantage of that and increased their attacks.”
In the case of ransomware, hospitals can face devastating system shutdowns. Patient data can be made inaccessible to hospital staff, it can be damaged, or it can be stolen and sold. In October 2020, staff at the University of Vermont Medical Center were forced to turn away cancer patients when a ransomware attack took control of the patient record system. Late last year, an attack on Ireland’s health system severely disrupted health care in the country.
Some hospital administrations, Riggi said, feel they have no choice but to pay the ransom.
“That’s why you hear of these cases over the last decade where the attacks are so sophisticated that hospitals have no choice, and pay to release their data just in the interest of patient safety and quality,” said John Halamka, president of the Mayo Clinic’s digital health program, Platform. “If you can’t access a patient’s medical history or allergies, you can’t do much of anything.”
In his remarks Wednesday, Wray said ransomware attacks have hit Massachusetts hard. Not just hospitals, but municipal governments, local universities, and ferry systems have fallen victim as well. An FBI report tallying cybercrime complaints found that the state lost more than $150 million to cyberattacks in 2021. To bring that number down, Wray said, will require attacked entities to work closely with the FBI.
“Almost every week, we’re rushing cyber agents out to help companies figure out what they’ve got on their systems, how to disrupt it, how to interrupt it, how to mitigate, and how to prevent this from becoming something much worse,” he said.
Jessica Bartlett of the Globe Staff contributed to this report.