
MedStar disputes report it ignored warnings that led to attack

MedStar Health is disputing a report that the hospital company should have known as early as 2007 about weaknesses in its system that contributed to a massive cyberattack that encrypted its files.

The Associated Press, citing an anonymous source, reported Tuesday that the hackers broke into a computer server and exploited design flaws that could have been fixed with a simple update. The U.S. government and others issued urgent warnings about the flaws in 2007, 2010 and earlier this month, the article said.


Columbia-based MedStar said in a statement that the report was incorrect and that it "felt compelled to set the record straight." The company has hired cybersecurity company Symantec to investigate the hack.

MedStar's statement included a response it said came from Symantec and that a Symantec spokeswoman confirmed: "The 2007 and 2010 fixes referenced in the article were not contributing factors in this event."


Symantec declined to elaborate.

The Associated Press defended the accuracy of its article.

"We are standing by our reporting of this story," said Paul Colford, vice president and director of AP media relations.

MedStar has provided little detail about the attack other than to say it was malware and patient data was not compromised. But a ransom note obtained by The Baltimore Sun indicated that MedStar was the victim of a ransomware attack, in which files are encrypted and held hostage for money. Hospitals in California and Kentucky also have fallen prey to recent ransomware attacks.

In MedStar's case, the hackers demanded payment in the hard-to-trace digital currency bitcoin in exchange for the digital keys to unlock the encrypted data. The health system, which owns 10 hospitals in Washington and Maryland, including four in Baltimore, has said it did not pay a ransom to anyone.

"As we have said before, based on the advice of IT, cybersecurity and law enforcement experts, MedStar will not be elaborating further on additional aspects of this malware event," it said in its statement. "This is not only for the protection and security of MedStar Health, its patients and associates, but is also for the benefit of other health care organizations and companies."

There are signs that MedStar could have done more to prevent the attack, some analysts have said. The tool used to attack MedStar, according to details in the ransom note and a website to which the hackers directed MedStar, was Samsam, a type of attack that searches the Web for a particular kind of software and exploits its weaknesses. It is dangerous because it can slip into a network at any time and spreads quickly. But it can be defended against by installing updates that fix the weaknesses.

Security companies and the FBI have been warning about Samsam and other ransomware attacks for years, analysts have said.



"I think they should have gotten the memo about this a couple of years ago," said computer security reporter Brian Krebs, who runs the website KrebsOnSecurity.

Krebs said hospitals are behind the curve when it comes to cybersecurity.

"In general, the health care industry has a lot of work to do on cybersecurity — a lot of catching up," he said.

MedStar said that its system is back up and running.

"We are pleased that we brought our systems back up in what can only be viewed as a very rapid recovery led by dedicated MedStar and external IT expert partners," the company said in its statement.