[BreachExchange] Can Cryptojacking Result in a Databreach?

[Audrey McNeil]

https://www.jdsupra.com/legalnews/can-cryptojacking-
result-in-a-databreach-61227/

Healthcare organizations should be aware of a new method, referred to as
“cryptojackng,” that hackers are using to exploit the systems and networks
they infiltrate.  Hackers use cryptojackng methods to siphon energy
resources from a computer’s processor which they then use to mine for
bitcoins, a popular form of crypto-currency.

While the goal of cryptojacking is to obtain valuable energy resources, not
the data that may be stored on the targeted system, healthcare
organizations still need to be aware of this threat and take steps to
prevent hackers from penetrating their systems.

Cryptojacking presents risks to a healthcare organization, not only because
of the potential drain on the healthcare organization’s energy resources,
but also because cryptojacking could still met the definition of a security
incident under the Health Insurance Portability and Accountability Act
(“HIPAA”).

HIPAA defines a security incident as “the attempted or successful
unauthorized access, use, disclosure, modification, or destruction of
information or interference with system operations in an information
system.” (45 CFR 164.304).  Cryptojacking does involve the interference
with a system’s operation.  So, cryptojacking could trigger a reporting
requirement under HIPAA.

If any healthcare organization suspects their systems may be the victim of
a cryptojacking activity, it should immediately engage its IT department
and conduct a forensic analysis to determine the scope and nature of any
such activity and if any HIPAA reporting obligations have been triggered.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180529/1cb32b99/attachment.html>