Decatur County General Hospital in Tennessee just announced the discovery of cryptomining software on a server that hosts its electronic medical records (EMR) system. Cryptomining – using the processing power of a device to mine cryptocurrency – is growing at such a rate that experts are speculating it may supplant ransomware as the most widespread form of digital crime in 2018.
Security Incident Details
Decatur began informing 24,000 patients of the attack on January 26. In a statement posted on its website, the hospital provided the following details:
- Decatur’s EMR system vendor notified the hospital on November 27, 2017 of the unauthorized software on the server. The unauthorized software was installed to generate digital currency, and the server is supported by the unnamed vendor.
- The hospital believes an unauthorized individual remotely accessed the server where the EMR system stores patient information to install the unauthorized software.
- The presence of the cryptomining software dates back to at least September 22, 2017. The vendor replaced the server four days later.
- The hospital has no evidence that patient information (including names, addresses, Social Security numbers, diagnosis information) was actually acquired or viewed by the unauthorized individual.
- Because the hospital can’t confirm whether the information was accessed, it is offering a 1-year subscription to a free online credit monitoring service.
Cryptomining Incidents on the Rise
Cryptomining makes money for attackers by stealing the processing power of other people’s computers through code embedded in websites or software. The Decatur hospital incident is just the latest in a string of events that highlight the growth of cryptomining:
- In the fall of 2017, researchers discovered a single Monero mining campaign that victimized 15 million users.
- The Check Point Global Threat Index found that Coinhive cryptomining software has become the most prevalent form of malware on the Internet. The cryptojacking malware Cryptoloot is now the third most prevalent.
- Cryptomining malware was recently found in the network of a European water utility provider.
- New cryptocurrency mining viruses are being spread using EternalBlue—the same NSA exploit that was leaked by the hacking group Shadow Brokers. The exploit is used to infect Windows computers to secretly mine Monero cryptocurrency.
The Decatur hospital incident provides another reminder that security incidents can happen throughout the supply chain. In this case, the intrusion came through a system managed by the hospital’s software vendor. The incident also highlights why ongoing monitoring of network traffic and resource drains is necessary.