Hackers got into hospitals despite software warnings
Security warnings issued in 2007, 2010
WASHINGTON — The hackers who seriously disrupted operations at a large hospital chain recently and held some data hostage broke into a computer server left vulnerable despite urgent public warnings in 2007 and in 2010 that it needed to be fixed with a simple update, The Associated Press has learned.
The hackers exploited design flaws that had persisted on the MedStar Health Inc. network, according to a person familiar with the investigation. The flaws were in a JBoss applica- tion server supported by Red Hat Inc. and other organizations, the person said.
The FBI, which is investigating, declined to discuss how the hackers broke in.
The JBoss technology is popular because it allows programmers to write custom-built software tools that can be quickly made available across a company, but security researchers discovered it was routinely misconfigured to allow unauthorized outside users to gain control. The U.S. government, Red Hat and others issued urgent warnings about the security problem and a related flaw in February 2007, March 2010 and again earlier this week. The government warned in 2007 the problem could disrupt operations and allow for unauthorized disclosures of confidential information.
Fixing the problem involved installing an available update or manually deleting two lines of software code.
It was not immediately clear why the hospital chain, which operates 10 hospitals in Maryland and Washington, including the MedStar Georgetown University Hospital, was still vulnerable years after those warnings. The new disclosure doesn’t diminish the potential culpability of the hackers responsible for the breakin, but it reveals important details about how the crime unfolded. And it could affect MedStar’s civil or administra- tive exposure under U.S. laws and regulations that require health providers to exercise reasonable diligence to protect their systems.
MedStar’s assistant vice president, Ann C. Nickles, said in a statement Tuesday to the AP that the company “maintains constant surveillance of its IT networks in concert with our outside IT partners and cybersecurity experts. We continuously apply patches and other defenses to protect the security and confidentiality of patient and associate information.” MedStar said Monday its systems “are almost fully back online,” just over a week after the March 28 hacking.