Cryptomining Software Discovered on Tennessee Hospital's EMR Server

Posted on February 8, 2018
Riviera Beach Pays Nearly $600K to Recover Data after Ransomware Attack
A Tennessee hospital discovered cryptomining software installed on a server that hosts its electronic medical records (EMR) system. In January 2018, Decatur County General Hospital began notifying patients of a incident involving its electronic medical record systems. Its breach notification letter (PDF) reveals the hospital first learned about the security event from its EMR vendor:
On November 27, 2017, we received a security incident report from our EMR system vendor indicating that unauthorized software had been installed on the server the vendor supports on our behalf. The unauthorized software was installed to generate digital currency, more commonly known as “cryptocurrency.”
decatur_county_hospital_via_facebook.jpg
Decatur County General Hospital. (Source: Nashville Public Radio) Decatur County General Hospital subsequently launched its own investigation into the incident. So far, it's determined that a remote actor likely accessed the server on which its EMR system stores patients information including their names, addresses, dates of birth, Social Security Numbers, insurance details, and medical treatment records. It's also found that the cryptomining software had been active since at least 22 September 2017. The hospital's EMR vendor replaced the server and operating system four days after discovery. At this time, Decatur County General Hospital cannot confirm whether the individual responsible for the breach accessed patients' information stored on the server. It tells patients as much:
Again, while our investigation continues into this matter, we have no evidence that your information was actually acquired or viewed by an unauthorized individual, and based upon reports of similar incidents, we do not believe that your health information was targeted by any unauthorized individual installing the software on the server. Our investigation to date, however, has been unable to reasonably verify that there was not unauthorized access of your information.
Cryptomining emerged as a salient threat in 2017. Tools responsible for generating new units of cryptocurrency preyed upon 1.65 million users over the first eight months of the year. Since then, researchers have discovered a single Monero mining campaign that victimized 15 million users in the fall of 2017. Such findings have led some security experts to wonder whether cryptomining will supplant ransomware as the most widespread form of digital crime in 2018. Given that possibility, it's important that hospitals and other healthcare organizations maintain the security and integrity of their EMR systems. They can find guidance for that objective here. To learn more about how Tripwire can protect your healthcare organization against digital threats, click here.
Join over 20,000 IT security pros who get our top stories delivered to their inbox every week!