Attacks/Breaches

2/8/2018
11:15 AM
50%
50%

Tennessee Hospital Hit With Cryptocurrency Mining Malware

Decatur County General Hospital is notifying 24,000 patients of cryptocurrency mining software on its EMR system.

Decatur County General Hospital (DCGH) in Parsons, Tennessee, recently discovered cryptocurrency mining malware on its its Electronic Medical Record (EMR) server. The hospital began informing 24,000 patients of the attack on January 26.

On November 27, 2017, the hospital received a security incident report from its EMR system vendor, which said unauthorized software, designed to mine cryptocurrency, had been installed on the server supported by the vendor. An ongoing investigation has indicated an unauthorized attacker accessed the server with the EMR system and injected the software.

The hospital's EMR server contained data including patient names, addresses, birthdates, and social security numbers, as well as diagnosis and treatment data. There is no evidence either type of data was taken or viewed, and so far it doesn't seem data theft was the attacker's goal. However, the hospital cannot definitively prove data was not compromised and is therefore notifying patients.

DCGH has not named the EMR system vendor and is offering patients the myTrueIdentity online credit monitoring service for one year. Read more details here.

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
2/8/2018 | 5:09:46 PM
Re: you'd assume the EMR data is encrypted
@tmerrem945: sensitive data that leaves a private network should be encrypted.  Data kept within a private network might be encrypted - but anyone (real person or system/application process), that needs access to those data values, has to have the means to decrypt that data. 

So, if an attacker has acquired the necessary credentials,  they'll have the access privileges that go with those credentials. 

Post breech forensics might be able to determine if the attacker used stolen credentials - but that can take time; and breech notification requirements don't always leave enough time for a complete investigation.  
tmerrem945
100%
0%
tmerrem945,
User Rank: Apprentice
2/8/2018 | 1:30:08 PM
you'd assume the EMR data is encrypted
It troubles me that the hospital cannot confirm if the data was taken or viewed.  Had the data been encrypted, then they can be certain the intruder wasn't able to view the information.  
New Mexico Man Sentenced on DDoS, Gun Charges
Dark Reading Staff 5/18/2018
Is Threat Intelligence Garbage?
Chris McDaniels, Chief Information Security Officer of Mosaic451,  5/23/2018
Cracking 2FA: How It's Done and How to Stay Safe
Kelly Sheridan, Staff Editor, Dark Reading,  5/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Shhh!  They're watching... And you have a laptop?  
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11415
PUBLISHED: 2018-05-24
SAP Internet Transaction Server (ITS) 6200.X.X has Reflected Cross Site Scripting (XSS) via certain wgate URIs. NOTE: the vendor has reportedly indicated that there will not be any further releases of this product.
CVE-2018-11412
PUBLISHED: 2018-05-24
In the Linux kernel 4.13 through 4.16.11, ext4_read_inline_data() in fs/ext4/inline.c performs a memcpy with an untrusted length value in certain circumstances involving a crafted filesystem that stores the system.data extended attribute value in a dedicated inode.
CVE-2018-11413
PUBLISHED: 2018-05-24
An issue was discovered in BearAdmin 0.5. Remote attackers can download arbitrary files via /admin/databack/download.html?name= directory traversal sequences, as demonstrated by name=../application/database.php to read the MySQL credentials in the configuration.
CVE-2018-11414
PUBLISHED: 2018-05-24
An issue was discovered in BearAdmin 0.5. There is admin/admin_log/index.html?user_id= SQL injection because admin\controller\AdminLog.php constructs a MySQL query improperly.
CVE-2018-10593
PUBLISHED: 2018-05-24
A vulnerability in DB Manager version 3.0.1.0 and previous and PerformA version 3.0.0.0 and previous allows an authorized user with access to a privileged account on a BD Kiestra system (Kiestra TLA, Kiestra WCA, and InoqulA+ specimen processor) to issue SQL commands, which may result in data corrup...