Cybersecurity cold war is on
The message cut straight to the chase: “d0xes of your staff are next. HIPAA breach thereafter. Test us.”
Someone operating under the shadowy auspices of Anonymous, with the handle AnonMercurial, tweeted that at Boston Children’s Hospital during the notorious attack this spring.
d0x, for the uninitiated, is hackerspeak referring to publicly posting personal information. Indeed, Anonymous had already revealed some personal information about Joseph Johnson, the judge presiding over the case of Justina Pelletier, with which Anonymous took issue.
“We knew they were serious at this point,” Daniel Nigrin, MD, CIO of Boston Children’s, said. “This was a little bit weird, a little bit scary and frankly caught us off-kilter.”
As serious as it is, Anonymous is only one of a cadre of threat actors — and others, including nation-states, are far more organized, have deeper pockets and more sophisticated technologies at their disposal.
“We know bad guys are out there. They’re very good at what they do. They're now targeting healthcare. We’re on the hook now — and we have data that our adversaries want,” said Cris Ewell, CISO of Seattle Children’s Hospital. “We know our adversaries' ability to attack outpaces our ability to stop them.”
Geopolitics of cybersecurity
Boston Children’s is not even the most recent incident. The attack last month on Community Health Systems, wherein Chinese hackers reportedly stole 4.5 million records via the Heartbleed vulnerability in OpenSSL, was the first known attack in which a nation-state targeted a U.S. healthcare entity.
“Cybersecurity activity is following the geopolitical landscape,” said Jim Routh, chief information security officer of Aetna. “We in healthcare not only have to deal with organized crime that have sophisticated capabilities, we also have to deal with nation states. They have more skill and competence than we have.”
Indeed, U.S. cyberenemies are going after intellectual property, the intelligence on medical devices, as well as treatment regimens for things like cancer, population health management, or plans for handling the Ebola outbreak, according to Esmond Kane, deputy CISO at Partners HealthCare.
“There’s a lot of hacktivism in these criminal syndicates,” Kane added.
Time to rethink security in a substantive way
Chief information security officers including Routh and Ewell advocated for dramatic shifts away from compliance-based security and toward a risk management approach at the HIMSS Media and Healthcare IT News Privacy and Security Forum in Boston in early September.
“The threat landscape is changing far too quickly for just a compliance-based approach to security,” Routh said, arguing that hospitals need both risk management and a compliance program that aligns with federal mandates. “I take risks in order to manage risks more effectively.”
Routh pointed toward three massive changes to the threat landscape: organized cyber criminals, the proliferation of mobile devices, and the aforementioned shifting geopolitical landscape.
“Today,” Routh explained, “the whole attack surface has fundamentally changed.”
That is part of the reason Seattle Children’s CISO Ewell recommends the Assumption of Breach methodology as part of risk management.