Washington
The hackers exploited design flaws that had persisted on the MedStar Health Inc. network, according to a person familiar with the investigation who spoke on condition of anonymity because this person was not authorized to discuss the findings publicly. The flaws were in a JBoss application server supported by Red Hat Inc. and other organizations, the person said. The FBI, which is investigating, declined to discuss how the hackers broke in.
The JBoss technology is popular because it allows programmers to write custom-built software tools that can be quickly made available across a company, but security researchers discovered it was routinely misconfigured to allow unauthorized outside users to gain control. The U.S. government, Red Hat and others issued urgent warnings about the security problem and a related flaw in February 2007, March 2010 and again earlier this week. The government warned in 2007 the problem could disrupt operations and allow for unauthorized disclosures of confidential information.
Fixing the problem involved installing an available update or manually deleting two lines of software code. It was not immediately clear why the hospital chain, which operates 10 hospitals in Maryland and Washington including the MedStar Georgetown University Hospital, was still vulnerable years after those warnings.

The new disclosure doesn’t diminish the potential culpability of the hackers responsible for the break-in, but it reveals important details about how the crime unfolded. And it could affect MedStar’s civil or administrative exposure under U.S. laws and regulations that require health providers to exercise reasonable diligence to protect their systems.

MedStar’s assistant vice president, Ann C. Nickles, said in a statement Tuesday to the AP that the company “maintains constant surveillance of its IT networks in concert with our outside IT partners and cybersecurity experts.”
