A new threat vector:
When asked his opinion on OpJustina, as it relates to the attacks on healthcare organizations, one senior security professional in the medical industry said, "It's disturbing."
Speaking on background, as he wasn't cleared to speak on the record about this topic, he clarified those thoughts with personal experience.
Aside from passive attacks, where a poorly developed website is defaced by a bot scanning the Web, healthcare organizations don't usually consider activism to be a high-value threat. In fact, attacks such as those that targeted Boston Children's Hospital and Wayside Youth and Family Support are not considered likely, especially in the children's arena.
However, if the rumors and reported goals of OpJustina are true, the scary part of this type of attack for a healthcare organization isn't the DDoS attacks or defacement, it's the pivoting between systems that the attackers will do in order to obtain information. Such actions could inadvertently cause serious problems.
In theory, one of the systems being used to pivot could be a bio-medical system, which if tampered with even unintentionally could adversely affect patient care. In the case of Boston Children's Hospital, the patient is a kid.
Systems such as heart monitors, connected to a nurse's station in order to generate alerts, could see a flood of false positives, leading to degraded care.
Or worse, attackers pivoting between systems could accidentally disable one of those bio-medical systems, preventing a legitimate alert from reaching the nurse. Such a situation, unlikely but still possible depending how an organization's network is configured, would stand as a horrific unintended consequence of digital activism.
The experts CSO spoke with, including the professional who needed to remain on background, agree that those supporting Anonymous with OpJustina don't appear to be looking to cause physical harm to anyone, be they a child or adult. They're looking to right a perceived injustice.
But the problem is, the systems deployed by healthcare organizations are are so complex, so interconnected, and sadly, so fragile, that someone from Anonymous during the process of searching for information related to a given cause or working on a defacement could inadvertently hurt somebody.
This is because those conducting the attack will make assumptions about how a given system is networked or connected, but the reality of how those systems are linked is something completely different.
On the record, Eric Cowperthwaite, Vice President of Advanced Security and Strategy for Core Security, added that healthcare organizations need to be aware that things are changing.
"As healthcare becomes more and more regulated, more and more politicized, there will be an increase in public attention paid to cases like that of Justina Pelletier. And such cases will become more controversial as well," he told CSO in a statement.
Sign up for Computerworld eNewsletters.