The Associated Press released a story yesterday quoting an anonymous source stating that ransomware hackers were able to break into a MedStar Health computer server left vulnerable due to a design flaw, which could be fixed with a simple update. MedStar Health failed to install the update, despite public warnings dating back to 2007 about the design flaw, the story stated.
AP reporter Tami Abdollah wrote the article, which states, “The hackers exploited design flaws that had persisted on the MedStar Health Inc. network, according to a person familiar with the investigation who spoke on condition of anonymity because this person was not authorized to discuss the findings publicly. The flaws were in a JBoss application server supported by Red Hat Inc. and other organizations, the person said.”
Abdollah also writes that the FBI, which is investigating, declined to discuss how the hackers broke in.
“The JBoss technology is popular because it allows programmers to write custom-built software tools that can be quickly made available across a company, but security researchers discovered it was routinely misconfigured to allow unauthorized outside users to gain control. The U.S. government, Red Hat and others issued urgent warnings about the security problem and a related flaw in February 2007, March 2010 and again earlier this week. The government warned in 2007 the problem could disrupt operations and allow for unauthorized disclosures of confidential information,” Abdollah wrote.
“Fixing the problem involved installing an available update or manually deleting two lines of software code,” according to the article.
MedStar Health posted a response to the AP story on its website Wednesday: "Our partner Symantec, a global leader in cybersecurity, has been on the ground from the start of the situation and has been conducting a thorough forensic analysis, as they have done for many other leading companies around the world. In reference to the attack at MedStar, Symantec said, 'The 2007 and 2010 fixes referenced in the article were not contributing factors in this event'," the statement read.
In its statement, MedStar Health also reiterated that it will not be elaborating further on additional aspects of this malware event, "based on the advice of IT, cybersecurity and law enforcement experts."
"This is not only for the protection and security of MedStar Health, its patients and associates, but is also for the benefit of other healthcare organizations and companies," the health system stated.
In her reporting, Abdollah points out that the new disclosure “doesn't diminish the potential culpability of the hackers responsible for the break-in, but it reveals important details about how the crime unfolded. And it could affect MedStar's civil or administrative exposure under U.S. laws and regulations that require health providers to exercise reasonable diligence to protect their systems.”
As previously reported by Healthcare Informatics’ Editor-in-Chief Mark Hagland, news broke on March 28 that the MedStar Health system was hit with a cyber attack that infected the clinical information system of the 10-hospital, Columbia, Md.-based integrated health system, forcing the system’s leaders to shut down their electronic health record (EHR) and e-mail system. Healthcare Informatics Managing Editor Rajiv Leventhal reported March 31 that The Baltimore Sun published an article confirming that the attack was ransomware. MedStar Health has not provided details about how the attack occurred and, to date, has not confirmed that the attack was ransomware.
The AP article quotes MedStar's assistant vice president, Ann C. Nickles, who provided a statement on Tuesday to the AP that the company “maintains constant surveillance of its IT networks in concert with our outside IT partners and cybersecurity experts. We continuously apply patches and other defenses to protect the security and confidentiality of patient and associate information.”
MedStar posted an update on its website Monday stating that its “clinical and administrative systems are almost fully back online” just over a week since the March 28 hacking. “We continue to resolve unique, site-specific issues on a real-time basis,” the statement read.
In the statement posted Wednesday, MedStar Health officials wrote, "We are pleased that we have no evidence of any compromise of patient or associate data. Furthermore, we are pleased that we brought our systems back up in what can only be viewed as a very rapid recovery led by dedicated MedStar and external IT expert partners."
In the statement, MedStar Health President and CEO Kenneth A. Samet said, “The heroic work of our caregivers to continue to provide high quality, safe patient care at near normal volume levels throughout last week is a testament to their dedication and expertise, and the unwavering commitment of our organization to serving our communities.”
In the article, Abdollah provides details about how the vulnerability may have played a role in the attack: “The MedStar hackers employed virus-like software known as Samas, or ‘samsam,’ that scours the Internet searching for accessible and vulnerable JBoss application servers, especially ones used by hospitals. It's the real-world equivalent of rattling doorknobs in a neighborhood to find unlocked homes. When it finds one, the software breaks in using the old vulnerabilities, then can spread across the company's network by stealing passwords. Along the way, it encrypts scores of digital files and prevents access to them until victims pay the hackers a ransom, usually between $10,000 and $15,000.”
Abdollah continued, “If a victim hasn't made safe backups of files, there may be little choice except to pay, although MedStar has said it paid nothing. The hospital chain shut down its systems quickly after discovering the attack, limiting its impact to archives, some imaging and lab files and other duplicate records, according to the person with inside knowledge of the attack.”
According to the article, the FBI issued a flash message to companies days after the MedStar hacking, describing the dangers of samsam and asking for help detecting it and improving defenses against it. “Days later, the Homeland Security Department issued a separate warning about samsam and another common ransomware strain, Locky, which tricks victims into opening email attachments to infect computers,” Abdollah wrote.
“Cisco Systems Inc., which has studied the attacks, estimated there were about 2.1 million servers around the world vulnerable to samsam, although some may be additionally protected by other layers of security. It described the ransomware campaign as ‘proving to be a profitable affair.’”
In the article, Abdollah quotes Craig Williams, a senior technical leader at Talos, Cisco’s security research organization: “If you haven't patched your server, you're vulnerable, and it can compromise your server at 3 a.m. in the morning when no one's watching. This is simply a case of people not following best practices and not applying patches for people to correct their systems.”