MedStar Health Cybersecurity Fails to Prevent Attack


According to the Associated Press, the MedStar Health hospital chain was the victim of hackers earlier this week. These unidentified hackers broke into the MedStar hospital chain system using a vulnerability which had been identified in 2007 but was never patched. MedStar denies that the lack of software patching had anything to do with the attack, stating on its website that “News reports circulating about the malware attack on MedStar Health’s IT system are incorrect. Our partner Symantec, a global leader in cybersecurity, has been on the ground from the start of the situation and has been conducting a thorough forensic analysis, as they have done for many other leading companies around the world. In reference to the attack at MedStar, Symantec said, ‘The 2007 and 2010 fixes referenced in the article were not contributing factors in this event.’”

“The hackers reportedly exploited design flaws that had persisted on the MedStar Health Inc. network, according to a person familiar with the investigation who spoke on condition of anonymity because this person was not authorized to discuss the findings publicly. The flaws were in a JBoss application server supported by Red Hat Inc. and other organizations.”

According to the report, the vulnerability was in the JBoss software the health company used to design and create software tools, but the company had not patched the issue since receiving notices from several organizations, including Red Hat and the US Government, in 2007 detailing the possible ramifications of data confidentiality loss.

This attack was also apparently a ransomware attack in that the hackers took data and held it hostage. According to ABC News, “The MedStar hackers employed virus-like software known as Samas, or ‘samsam,’ that scours the internet searching for accessible and vulnerable JBoss application servers, especially ones used by hospitals. It’s the real-world equivalent of rattling doorknobs in a neighborhood to find unlocked homes. When it finds one, the software breaks in using the old vulnerabilities, then can spread across the company’s network by stealing passwords. Along the way, it encrypts scores of digital files and prevents access to them until victims pay the hackers a ransom, usually between $10,000 and $15,000.”

MedStar’s assistant Vice President Ann Nickles issued a general statement on Tuesday that their system “maintains constant surveillance of its IT networks in concert with our outside IT partners and cybersecurity experts. We continuously apply patches and other defenses to protect the security and confidentiality of patient and associate information.”  

Our Analysis

It is obvious from the fact that they had not patched this nine-year-old vulnerability that their system is not “continuously patched,” regardless of whether this lack of patching had any impact. This attack is just another example of the impact that an inattentive leadership chain can have on a company’s cybersecurity posture. It is quite apparent that if the patch had been applied to the JBoss software at some point over the last nine years, the hack would not have been successful. This again goes to show the importance of leadership buy-in at the highest levels and the need for cyber accountability in the corporate world.



The Hill
ABC News
MedStar Health
Washington Post
Healthcare Informatics


About Matthew Eliason

Matthew Eliason was born in Houston, Texas. Upon graduating from high school, he joined the Navy. His first tour was as an Information Systems Technician of a 130 client DOD network where he developed the documentation and maintenance procedures from 2007-2012. In 2012, he transferred to shore duty where he serves as a system and security administrator. He graduates with a Bachelor’s of Science in Information Technology from American Military University in November of 2015. He holds the CompTIA Security+ certification and has extensive experience in DOD Information Assurance (IA) and Cyber Security compliance and procedures. He enjoys golf, hiking, and watching football in his spare time.