Hackers backed by Iran targeted Boston Children’s Hospital, FBI says

Hackers backed by the Iranian government attempted to gain access to systems in Boston Children’s Hospital, but FBI Director Christopher Wray says the bureau prevented the hackers from doing significant damage.

Wray described the attack at a cybersecurity conference at Boston College Wednesday. The attack took place last summer.

"In the summer of 2021, hackers sponsored by the Iranian government tried to conduct one of the most despicable cyberattacks I've ever seen, right here in Boston, when they decided to go after Boston Children's Hospital," Wray said in the speech, according to CBS News.

The FBI said no ransomware was deployed and they were able to work with the hospital’s staff to address other potential threats, CNN reported.

• Related story: How hospitals can improve their cybersecurity

Wray said businesses need to be wary of cyberattacks and work with authorities to stop hackers, CBS reported. (The story continues after the video on cybersecurity and hospitals.)

Federal authorities have warned healthcare systems about the dangers of cyberattacks increasingly in recent months. In November, authorities warned cyberattacks supported by the Iranian government were targeting critical infrastructure systems, including the healthcare industry.

In that warning, federal authorities noted an attempted attack at a children’s hospital. Authorities said the attackers “exploited a Fortigate appliance to access environmental control networks associated with a U.S.-based hospital specializing in healthcare for children,” the federal alert stated. The hospital at the time wasn’t identified.

• Related story: Not if, but when: Cyberattacks threaten hospital systems
• Related story: Why smaller hospitals are targets for cyberattacks

Federal authorities continue to be concerned about the prospect of cyberattacks at critical systems launched by Russia, especially in the wake of Russia’s invasion of Ukraine.

Heath Renfrow, chief information security officer for Conversant Group, told Chief Healthcare Executive in April that healthcare systems need to be concerned about the prospect of attacks from Russia and other nation states.

“I am more concerned about threats of nation-state actors at this moment than ransomware attacks,” Renfrow said in April.

After Russia invaded Ukraine, the U.S. Cybersecurity & Infrastructure Security Agency, the federal cyberdefense agency, advised all business sectors to ramp up their security and update their software.

The American Hospital Association has said it’s concerned that Russian-backed hackers could target health systems. Hospitals could also become collateral damage of malware deployed by Russia that could breach U.S. healthcare systems, even inadvertently.

While Russian-backed cyberattacks haven't been found recently, Wray said authorities continue to be watchful, especially as Russia continues to struggle in its war with Ukraine, CNN reported.

Hospitals and health systems have endured scores of cyberattacks in recent months. Last year, there were 618 attacks aimed at health systems affecting at least 500 people, according to the U.S. Department of Health and Human Services. More than 100 breaches were reported in the first three months of 2022.

Nearly 45 million Americans were impacted by breaches involving private health information in 2021, up from 34 million in 2020, according to a report by Critical Insight, a cybersecurity company. Millions of Americans have already been affected by breaches reported this year.

The average cost of a healthcare breach rose to $9.4 million in 2021, an increase of $2 million over the previous year, according to a report by IBM. Healthcare breaches were the most expensive of any industry by far.

Two out of three healthcare IT professionals (67%) said their organizations had a significant cybersecurity incident in the past 12 months, according to the HIMSS 2021 cybersecurity survey.