According to a recent AP article, the ransomware attack on MedStar Health could easily have been avoided had its software been patched; MedStar Health has denied this.
The vulnerability in the Red Hat-supported JBoss application server was first uncovered in 2007. Red Hat issued a further warning about the problem in 2010 and another earlier this month. A patch to correct the vulnerability has existed for almost a decade; it removes two lines of code that enable the JBoss system to be accessed remotely.
The flaw existed as a result of a common JBoss application server misconfiguration. According to an Ars Technica report, more than 2.1 million installations around the world are vulnerable to this type of attack.
Failure to apply the 2007/2010 patches allows attackers to exploit the vulnerability and gain access to Internet-facing servers. Once inside, attackers can use a host of widely available tools to reach other parts of the network and deploy ransomware.
As media reports circulated claiming that it was this 9-year-old security flaw that allowed hackers to gain access to the MedStar Health network, the 10-hospital health system released a statement saying this was not the case and that the AP report is inaccurate.
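The article does not name the endpoint involved, but the practical question for anyone running JBoss is the same: does the server answer administrative or invoker requests from the Internet without asking for credentials? The script below is an added example, not code from the article, AP, MedStar or Red Hat. The list of paths it probes is assumed from general knowledge of legacy JBoss AS deployments, the verdict rules are my own, and the responses it runs against by default are constructed so that it works offline; point it at a real host only if you are authorized to test that host.

```python
"""Probe a JBoss host for administrative endpoints reachable without
authentication.  Added example; the endpoint list and the constructed
responses below are assumptions, not facts from the article."""
import urllib.error
import urllib.request

# Administrative and invoker paths that legacy JBoss AS deployments shipped
# with and that are commonly left reachable from the Internet.  Assumed from
# general JBoss knowledge; the article does not name the endpoint involved.
ADMIN_PATHS = (
    "/jmx-console/",
    "/web-console/",
    "/invoker/JMXInvokerServlet",
    "/invoker/EJBInvokerServlet",
)

REDIRECT_CODES = (301, 302, 303, 307, 308)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects, so a redirect to a login page is
    visible to the classifier instead of being silently resolved."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, timeout=5):
    """GET url; return (status, lowercased headers), or (None, {}) if unreachable."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "jboss-exposure-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx still carry a status
        return err.code, {k.lower(): v for k, v in err.headers.items()}
    except (urllib.error.URLError, OSError):
        return None, {}


def classify(status, headers):
    """Map one response to a verdict.  A 2xx on an admin path means the
    endpoint answered without demanding credentials."""
    if status is None:
        return "unreachable"
    if status in (401, 403):
        return "protected"
    if status in REDIRECT_CODES:
        location = headers.get("location", "").lower()
        return "protected" if "login" in location else "redirect"
    if status == 404:
        return "absent"
    if 200 <= status < 300:
        return "EXPOSED"
    return "other"


def check_jboss_exposure(base_url, fetch=http_fetch):
    """Return {path: verdict} for every path in ADMIN_PATHS on base_url."""
    base = base_url.rstrip("/")
    return {path: classify(*fetch(base + path)) for path in ADMIN_PATHS}


def exposed_paths(results):
    """Paths that answered anonymously and need attention, sorted."""
    return sorted(path for path, verdict in results.items() if verdict == "EXPOSED")


# Constructed responses standing in for a misconfigured server, so the example
# runs offline: the JMX console and the invoker servlet answer anonymously, the
# web console redirects to a (hypothetical) login page, and the EJB invoker is
# not deployed.
CONSTRUCTED_RESPONSES = {
    "/jmx-console/": (200, {"content-type": "text/html"}),
    "/web-console/": (302, {"location": "/web-console/login.jsp"}),
    "/invoker/JMXInvokerServlet": (200, {"content-type": "application/x-java-serialized-object"}),
    "/invoker/EJBInvokerServlet": (404, {}),
}


def fake_fetch(url, timeout=5):
    """Offline stand-in for http_fetch backed by CONSTRUCTED_RESPONSES."""
    for path, response in CONSTRUCTED_RESPONSES.items():
        if url.endswith(path):
            return response
    return None, {}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        results = check_jboss_exposure(sys.argv[1])
    else:
        results = check_jboss_exposure("http://jboss.example", fetch=fake_fetch)
    for path, verdict in results.items():
        print(f"{verdict:>11}  {path}")
    print("needs attention:", exposed_paths(results) or "none")
```

Run it with no arguments to see the constructed case, or with `http://host:8080` to probe a server you own. Treat an `EXPOSED` verdict as a first-pass signal to confirm by hand rather than proof of compromise, but any administrative or invoker path that answers a plain GET from the Internet should either be put behind authentication or be undeployed; either way, the endpoint should not be reachable from outside the network.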
The MedStar statement says that following the discovery of the infection assistance was sought from security firm Symantec. The forensic analysis conducted by Symantec showed that the 2007 security flaw was not exploited in the attack. Symantec confirmed that “the 2007 and 2010 fixes referenced in the [AP] article were not contributing factors in this event.”
The AP article implies that MedStar installed the JBoss application server and did not subsequently monitor and update it. However, according to the MedStar statement, “We continuously apply patches and other defenses to protect the security and confidentiality of patient and associate information.”
Be that as it may, the attackers did gain access to web-facing servers, which enabled them to launch the attack. The vulnerabilities behind the 2007 and 2010 warnings may well have been patched, but they are not the only flaws that exist in JBoss. Two further flaws could have been exploited in order to gain access to the network. Those too had been the subject of Red Hat warnings, the first in December last year and the second in February this year.
MedStar will not be providing any further details on the exact nature of the infection, “not only for the protection and security of MedStar Health, its patients and associates, but is also for the benefit of other healthcare organizations and companies.”
Regardless of the vulnerability that was exploited, the attack serves as a wake-up call for many healthcare organizations and highlights the need to ensure that all systems are patched and kept up to date. There is no shortage of attackers ready to take advantage of any security holes that are allowed to remain in an organization's defenses.
In this instance, MedStar Health did not experience a breach of patient data, but the infection did result in its email systems being taken offline and the EHR being shut down as a precaution. According to an AP report, a source inside the hospital said the malicious file-encrypting software only succeeded in locking imaging files, archives, lab files, and duplicates.
MedStar did not pay the hackers’ $19,000 ransom demand, but considerable costs are likely to have been incurred. Getting rid of the infection and bringing systems back online has taken more than a week. The attack also had an impact on patients causing treatment delays due to the lack of access to email and MedStar’s electronic health record system. The infection has now been removed and all systems are back up and running according to MedStar.