Cybersecurity and Children's Hospitals

There’s been a lot written about medical facilities being targeted and compromised over the last five years. The compromises have varied with their penetration into the network and data. The greater the attack’s expanse, the more potential for patient suffering. In late January/early February, Lurie Children’s Hospital system was compromised. This was rather significant with their phones, email, internet service, and medical equipment affected. These systems are in different operational areas in their network, which indicates this was a bit more than the usual attack. The department for penetration in the different systems is notable.

The timeframe for the affected systems was relatively short, at two days. This was still devastating for the staff and patients. The situation was further complicated by the data from the operations that did continue having to be merged into existing data sets.

With hospitals holding so much valuable data, this trend will continue if not grow. There is ample to do with all the patient PII, insurance information, medical history, and other data the hospitals have accumulate every day.

To rebound from this is much more than getting the systems up. The security staff needs to also understand the attack vector and how it was implemented, what systems were breached (not only the ones that were overly noticed), and what data was accessed.

The hospital has much work to do with the incident response. This unfortunately is a prime example of what can happen. Systems need not only be secured but monitored and the tooling reviewed at a regular cadence. Just like the industry is dynamic, so is the tolling. There may be better options or configurations available in the next review cycle

About the Author

Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.