Pentagon breach

The hospital attack that wasn’t

How Boston Children's dodged an attack

This past week the FBI released details on a cyberattack against Boston Children's Hospital in November of last year. Prior to the attack, CISA and others sent alerts out to the healthcare community warning stakeholders of an imminent state-sponsored cyberattack. There were no specifics to the threat given at the time, but now we know more.

Iranian state actors had identified and developed exploits to attack Microsoft Exchange and Fortinet vulnerabilities. Once their malicious code was successfully embedded in numerous organizations, they notified a cyber-tracking company of their intent to launch the attack, identifying a children's hospital as one of the intended victims.

Fortunately, cyber experts discovered that Iranians had exploited HVAC systems and were planning to use that as their threat vector. That clue allowed the FBI and other cybersecurity experts to identify Boston Children's as the intended target, and they thwarted the attack.

What does this tell the rest of us? The degree of vulnerabilities we face is often underestimated. ANY networked device can be an attack vector. If you're plugging all of these holes yourself, or not paying for professional IT management, these types of vulnerabilities are often unaccounted for. What's worse is if you are attacked, not having professional IT management in place delays response times when every moment is critical.

As protectors of sensitive information, it's the law and your responsibility to do all that you can to maintain effective defenses. If you're unsure of where you stand, we can test your network and improve your protection.

HIPAA Security Reminders


HIPAA Security Suite has developed a weekly HIPAA Security Reminder series that’s FREE for all of us who are responsible for, or engaged in, the use and protection of PHI.

Pursuant to Section 164.308(a)(5) of the HIPAA Security Rule, the Standard states: Implement a security awareness and training program for all members of its workforce (including management).

This standard is part of our Best Practices Recommendations for HIPAA Security Suite users, but it’s available for FREE to anyone who wants to comply with HIPAA using the easiest, best tools available.

Sign Up

Scroll to Top