Editor's note: This story has been updated to reflect a statement from MedStar disputing the AP story.
Hackers are exploiting flaws on computer servers that the government and security experts red flagged as early as 2007.
MedStar Health is the latest victim of the threat, which could have been fixed with a simple update, according to an Associated Press report.
UPDATE: MedStar released a statement on Wednesday disputing the AP report that this vulnerability was the cause of their recent ransomware attack. Read more here.
The MedStar ransomware attack forced the health system, which has 10 hospitals in the District of Columbia and Maryland, to go offline last Monday. Employees moved to backup systems and paper transactions when they couldn't log into the organization's systems.
The flaw the hackers exploited, according to an anonymous source "familiar with the investigation" into the attack, were in an application server called JBoss, which is supported by software company Red Hat Inc., according to the AP.
JBoss allows programmers to create custom software tools that can be used company-wide. However, the AP reported that the technology can allow unauthorized users to gain access to the server.
MedStar's Vice President of Public Relations Ann C. Nickels, told AP that the company "maintains constant surveillance of its IT networks in concert with our outside IT partners and cybersecurity experts. We continuously apply patches and other defenses to protect the security and confidentiality of patient and associate information."
In a separate statement, MedStar denied this specific vulnerability was to blame for the attack.
MedStar Health is not the only healthcare organization reeling from a ransomware attack where servers and systems were made unusable. Ottawa Hospital in Canada, Hollywood Presbyterian Medical Center, the LA Department of Health and more fell victim to hackers in the last couple months.
In the case of Hollywood Presbyterian, the health system paid hackers roughly $17,000 (40 bitcoins), a move CEO Allen Stefanek said was "in the best interest of restoring normal operations."
Concord Law School of Kaplan University professor Shaun Jamison, Ph.D., recently told FierceHealthIT that the plethora of recent, high-profile attack may make it easier for health IT execs to obtain funding for full, robust cybersecurity.
"There's no question this is a serious issue at this point," Jamison says. "I think we'll see commitment in healthcare to address this. It's hit critical mass. It's on everyone's mind, it's on the news--it's everywhere."
To learn more:
- here's the AP article
- here's the MedStar statement