Unpatched 2007 Vulnerability Exploited in MedStar Ransomware Attack, Says AP

According to a recent AP article, the ransomware attack on MedStar Health could easily have been avoided had its software been patched, although MedStar Health has denied this.

The vulnerability in the Red Hat-supported JBoss application server was first uncovered in 2007. Red Hat issued a further warning about the problem in 2010, and another warning earlier this month. A patch to correct the vulnerability has existed for almost a decade. The patch removes two lines of code that enable the JBoss system to be accessed remotely.

The flaw existed as a result of a common JBoss application server misconfiguration. According to an Ars Technica report, more than 2.1 million installations around the world are vulnerable to this type of attack.

The failure to implement the 2007/2010 patches allows attackers to exploit the vulnerability and gain access to Internet-facing servers. Once access has been gained, attackers are able to use a host of security tools to gain access to other parts of a network and deploy ransomware.

As media reports circulate claiming it was this 9-year-old security flaw that allowed hackers to gain access to the MedStar Health network, the 10-hospital health system has released a statement saying that this was not the case and that the AP report is inaccurate.

The MedStar statement says that, following the discovery of the infection, assistance was sought from security firm Symantec. The forensic analysis conducted by Symantec showed that the 2007 security flaw was not exploited in the attack. Symantec confirmed that “the 2007 and 2010 fixes referenced in the [AP] article were not contributing factors in this event.”

The AP article implies that MedStar had installed the JBoss application server and not subsequently monitored and updated the system. However, according to the MedStar statement, “We continuously apply patches and other defenses to protect the security and confidentiality of patient and associate information.”

Be that as it may, the attackers did gain access to web-facing servers, which enabled them to launch the attack. The 2007 and 2010 warnings may have been heeded, but they are not the only flaws that exist in JBoss. Two further flaws could have been exploited in order to gain access to the network. Those too had been the subject of Red Hat warnings: the first in December last year and, more recently, one in February this year.

MedStar will not be providing any further details on the exact nature of the infection, “not only for the protection and security of MedStar Health, its patients and associates, but is also for the benefit of other healthcare organizations and companies.”

Regardless of the vulnerability that was exploited, the attack serves as a wake-up call for many healthcare organizations and highlights the need to ensure that all systems are patched and kept up to date. There is no shortage of attackers ready to take advantage of any security holes that are allowed to remain in an organization's defenses.

In this instance, MedStar Health did not experience a breach of patient data, but the infection did result in its email systems being taken offline and the EHR being shut down as a precaution. According to an AP report, a source inside the hospital said the malicious file-encrypting software only succeeded in locking imaging files, archives, lab files, and duplicates.

MedStar did not pay the hackers’ $19,000 ransom demand, but considerable costs are likely to have been incurred. Getting rid of the infection and bringing systems back online has taken more than a week. The attack also had an impact on patients, causing treatment delays due to the lack of access to email and MedStar’s electronic health record system. According to MedStar, the infection has now been removed and all systems are back up and running.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.