The ransomware attack that put the computer systems of D.C.-area hospitals at the mercy of hackers last month was achieved by exploiting a vulnerability that has existed for nearly a decade and could have easily been patched, the Associated Press reported on Wednesday.
A flaw that affects JBoss, an application server used by MedStar Health Inc., was harnessed by the hackers who broke into the hospital chain’s computers recently and took health care data for ransom, sources familiar with an investigation into the breach told AP.
MedStar resorted to using paper records after hackers breached its computer network late last month and forced the chain to shut down systems at 10 hospitals and 250 outpatient centers in and around the District for upwards of a week.
According to the AP report, all that could have been avoided if MedStar had patched a server problem that has been the subject of repeated warnings dating back to 2007.
“This old issue is still somehow spread across Internet-facing servers,” Stefano Di Paola and Giorgio Fedon of Minded Security, an Italian security firm, told AP. The two researchers were responsible for revealing a similar security flaw in 2010 affecting Red Hat, the company behind JBoss.
Red Hat and the U.S. government’s cyber experts have issued security warnings regarding JBoss, including the issue affecting MedStar, in 2007, 2010 and earlier this week, and news reports have been written for years concerning past breaches achieved by exploiting JBoss vulnerabilities.
The vulnerability that hackers used to gain access to the hospitals’ networks and install ransomware could have been resolved by deleting two lines of software code, or applying an existing patch, according to AP.
“We continuously apply patches and other defenses to protect the security and confidentiality of patient and associate information,” MedStar said in a statement.
The FBI has been investigating the attack on MedStar since shortly after hackers infiltrated its network on March 28 and started holding its data hostage. The hackers reportedly demanded $19,000 after infecting the machines with malware, but MedStar said it paid nothing.
The impact was limited to archives, imaging files, lab files and duplicates, a source told AP, and a spokesperson for MedStar said there was no evidence patient or employee records were ever compromised.
Nevertheless, the subsequent shutdown resulted in instances where individuals were reportedly refused at certain area facilities, and caused a “patient safety issue,” as one doctor told the Washington Post at the time.
Joseph Bonavolonta, an assistant special agent in charge of the FBI’s Cyber and Counterintelligence Program in the bureau’s Boston office, said last year that the agency often advises victims of these attacks just to pay the ransom. In November, a team of security experts from companies including Symantec and Intel concluded that a particular type of ransomware, CryptoWall, had earned Internet bandits $325 million in only a year; the FBI, meanwhile, believes ransomware cost companies and individuals across the country more than $24 million in 2015.
Digital forensics firm Stroz Friedberg told CSO this week that its investigators have been handling a minimum of three ransomware cases a week in 2016. Hollywood Presbyterian Medical Center in Los Angeles paid $17,000 in cyber-ransom earlier this year, and other recent high-profile victims have included the LA Health Department and the Hard Times Cafe in Rockville, Maryland.
“The FBI tells us they can’t keep up with ransomware cases,” Hard Times co-owner Bob Howard told WTOP last month after his business was shuttered for days due to a ransomware infection. “The advice is either pay the ransom or shut down your entire systems and rebuild from scratch. And that’s what we’re doing.”
“A lot of people in the health care industry — they set up websites in a kind of fire and forget fashion,” Craig Williams of Cisco Talos Research told Ars Technica last month. “They hire an IT guy, they get the billing system set up, hook it up to the website and then they never touch it again. That’s the perfect environment for this type of malware to thrive in because it’s not maintained. They have no full-time security staff and few if any full-time administrators. As a result, the software just goes unpatched.”
“There’s no question this is a serious issue at this point,” Concord Law School of Kaplan University professor Shaun Jamison, Ph.D., told FierceHealthIT recently. “I think we’ll see commitment in health care to address this. It’s hit critical mass. It’s on everyone’s mind, it’s on the news — it’s everywhere.”
Mr. Williams, of Talos Research, said his team found approximately 2.1 million systems on the public-facing Internet that can be compromised with the same JBoss exploit used on MedStar, Ars Technica reported. And while the security expert said that hospitals are likely becoming victims of ransomware attacks more often not because they are specifically targeted, but rather because of their reliance on routinely vulnerable applications, NSA Director Mike Rogers on Tuesday singled out the healthcare industry as a particularly ripe target for hackers while discussing cybersecurity concerns.