Last week’s cyber-attack on MedStar Health, which severely disrupted the hospital chain’s operations, could have been avoided with a simple update, according to sources. The Associated Press has recently learned that due to the company ignoring public warnings since 2007, hackers were able to exploit design flaws inside the company’s network. While the Maryland-based healthcare company will not provide details about how the attack occurred, we do know the security flaws existed within a JBoss application server supported by Red Hat and that the U.S. government and Red Hat issued warnings about MedStar’s security problem in 2007, 2010 and earlier this week. The warning claimed the security vulnerability could “allow for unauthorized disclosures of confidential information.”
It remains unclear why the hospital ignored the warnings over the years but it could affect MedStar legally as laws and regulations require healthcare companies to “exercise reasonable diligence to protect their systems.” MedStar’s assistant vice president, Ann C. Nickles, said in a statement to the Associated Press that the company “maintains constant surveillance of its IT networks in concert with our outside IT partners and cybersecurity experts. We continuously apply patches and other defenses to protect the security and confidentiality of patient and associate information.” While MedStar claims its systems “are almost fully back online” without paying any money towards ransomware, the healthcare company will certainly pay some sort of price for the breach.