Data Breach of the Month: Decatur County General Hospital

Welcome back to our Data Breach of the Month series, where we look at a notable cyber incident or data breach from the past month. Sometimes we’ll offer deeper analysis of the latest big breach, and other times we’ll focus on a lesser known incident that has outsized implications for the security industry.

In each case, you’ll learn the type of data breached, the vulnerabilities or gaps that were exploited, and what organizations can do to remediate effectively and address potential root causes.

So without further ado, our breach of the month for February, 2018 is… the cryptocurrency mining malware attack against Decatur County General Hospital that inadvertently exposed the personal data of more than 20,000 people.

What Happened?

Decatur County General Hospital, in the small town of Parsons, Tennessee, recently notified approximately 24,000 people that their health information may have been exposed during a security breach last fall. Computer Programs and Systems, Inc., an electronic medical records vendor, discovered malware on a server that stored information on behalf of DCGH. The vendor discovered the malware in September 2017; however, it did not send an incident report notifying DCGH until November 27th.

How Did It Happen?

While this may be a minor event compared to the many recent breaches that have impacted millions of people, it is an example of a relatively new type of attack that is increasingly popular and lucrative for cyber criminals. DCGH believes that an unauthorized individual remotely accessed the server to install cryptocurrency mining software. This suggests that the primary goal of the attack was not to access the patient data on the server.

As the value of cryptocurrency has risen, more attackers are hijacking systems in order to put them to work mining cryptocurrency. “Mining” refers to dedicating some of a computer’s processing power to the complex equations required to verify cryptocurrency transactions, which is rewarded by a small payout in the currency. As attackers take over vulnerable systems, they are able to amass an army of computers to mine cryptocurrency without the costs of running their own systems. This type of attack puts tremendous stress on affected systems, drawing power and slowing performance.

How to Minimize the Risk of this Type of Breach

Cryptocurrency mining malware is difficult to detect and protect against. It is easily delivered—it can be run via a browser without installing an application—and requires little ongoing involvement from the attacker, which makes it more likely to run without being noticed. Attackers are simply looking for vulnerable systems, and unfortunately, health care organizations often present easy targets.

To maximize the chance of quickly identifying this type of attack, make sure that you have the systems in place to:

  1. Identify unusual activity on your systems—such as access outside of normal operating hours to servers that store private information, or by users whose duties should not require them to see that data.
  2. Seamlessly escalate alerts to an incident response platform—once unusual activity has been detected, you’ll need to coordinate an investigation, which is best done by creating an incident in an IRP, either manually or through a SIEM integration.
  3. Filter out the false positives: security automation tools can help sort through the noise to identify genuine threats. In enterprise SOCs, a large percentage of alerts never get investigated, so a subtle attack like cryptocurrency mining malware is likely to slip through if filtering tools aren’t in place.
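As an added example (not D3's code and not drawn from the DCGH incident), the three capabilities above as a small Python triage routine over a constructed access log: it flags off-hours logins to a server holding patient data and logins by users whose role has no business on that server, suppresses a known backup service account so scheduled activity does not fire as a false positive, and packages each hit as an incident record ready to hand to an IRP or SIEM. Host names, user names, roles and business hours are all assumed.

```python
from datetime import datetime

# Constructed sample access log: timestamp, host, user, action (not real data).
SAMPLE_LOG = """\
2017-09-12T02:14:07 ehr-db01 svc_backup login
2017-09-12T03:41:55 ehr-db01 jdoe login
2017-09-12T10:05:12 ehr-db01 nurse_k login
2017-09-12T11:30:00 web-front01 jdoe login
2017-09-12T23:58:40 ehr-db01 admin_t login
"""

# Assumed inventory: which hosts store private data and who is allowed on them.
SENSITIVE_HOSTS = {"ehr-db01"}
AUTHORIZED_ROLES = {"ehr-db01": {"clinical", "dba"}}
USER_ROLES = {"svc_backup": "service", "jdoe": "marketing",
              "nurse_k": "clinical", "admin_t": "dba"}
# Known scheduled activity that would otherwise trip the off-hours rule (false positive filter).
KNOWN_SERVICE_ACCOUNTS = {"svc_backup"}
BUSINESS_HOURS = (7, 19)  # 07:00 to 19:00 local


def parse_line(line):
    ts, host, user, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "action": action}


def evaluate(event):
    """Return the list of reasons this event looks unusual (empty if it is benign)."""
    reasons = []
    if event["host"] not in SENSITIVE_HOSTS or event["user"] in KNOWN_SERVICE_ACCOUNTS:
        return reasons
    hour = event["ts"].hour
    if not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
        reasons.append("off-hours access to server storing private data")
    role = USER_ROLES.get(event["user"], "unknown")
    if role not in AUTHORIZED_ROLES[event["host"]]:
        reasons.append(f"role '{role}' not authorized for {event['host']}")
    return reasons


def triage(log_text):
    """Turn raw log lines into incident records suitable for escalation to an IRP."""
    incidents = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = evaluate(ev)
        if reasons:
            incidents.append({"user": ev["user"], "host": ev["host"],
                              "time": ev["ts"].isoformat(), "reasons": reasons,
                              "severity": "high" if len(reasons) > 1 else "medium"})
    return incidents
```

Running `triage(SAMPLE_LOG)` yields two incidents: the marketing user logging into the EHR server at 03:41 (two reasons, high) and the DBA's 23:58 login (off-hours only, medium); the backup account and the daytime clinical login produce nothing.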

As we have discussed several times in this series, the speed at which you can understand what happened and communicate it to the necessary parties can have a significant impact on both the financial and reputational damage caused by a breach. In this case, even though the attackers appear to not have been directly targeting the personal data on the server, the fact that the data was exposed means that DCGH is subject to HIPAA data breach notification requirements. Having a centralized incident response platform with strong reporting features makes it easy to gather and export information to be sent to regulators, impacted clients, and internal stakeholders.

ZDNet recently reported that cryptocurrency mining malware is now comparable to ransomware in the profit it has generated for cyber criminals. With attacks on the rise against individuals as well as organizations, it is important for everyone to be prepared for how they will detect and respond to this type of incident.

We’ll see you back here next month for a new Breach of the Month.

Walker Banerd

Walker is D3 Security's Director of Content Marketing. He leads the writing of D3's blog, as well as white papers, industry briefings, and other thought leadership. Walker's expertise is translating technical concepts into easily understandable content, with a focus on software, cybersecurity, and compliance solutions.