A nine-year-old vulnerability in MedStar's computer server may have been the key for hackers to infect the health system's network, which prompted the system to take its computer systems offline, reports The Associated Press. However, MedStar Health refutes this allegation.
The AP reports speaking to an anonymous source familiar with the investigation. According to the report, this vulnerability came to light in at least 2007, when the federal government and open source software company Red Hat issued warnings that the JBoss application server, which MedStar Health uses, was "routinely misconfigured" to allow unauthorized users to manipulate. Red Hat also reportedly issued such a warning in 2010. The hackers behind the MedStar Health attack reportedly exploited this vulnerability, which led to the Columbia, Md.-based system to temporarily disable its computer networks to prevent a virus from spreading.
In a statement issued Wednesday afternoon, Ann Nickels, an assistant vice president of MedStar, said Symantec, a technology company providing security solutions and the health system's partner, has conducted a thorough forensic analysis of the incident and found the reported 2007 and 2010 software updates referenced in the AP report were not contributing factors to the malware event. She said the health system will not detail more information.
"As we have said before, based on the advice of IT, cybersecurity and law enforcement efforts, MedStar will not be elaborating further on additional aspects of this malware event," Ms. Nickels said in the statement. 'This is not only for the protection and security of MedStar Health, its patients and associates, but is also for the benefit of other heatlhcare organizations and companies. However, we felt compelled to set the record straight on this incorrect report."
There is no indication any patient or employee information was compromised.
MedStar's latest news update came Monday afternoon, saying its clinical and administrative systems are "almost fully back online."
Editor's note: This article was updated April 6 at approximately 4:50 pm CST to include a statement from Ms. Nickels and to clarify the Associated Press' source was anonymous.
More articles on MedStar:
MedStar recovering from computer virus: 7 things to know
$567M expansion approved for MedStar Georgetown University Hospital
Md. gives MedStar Health $750k loan to relocate headquarters