Cryptocurrency, a digital currency secured by cryptography rather than by a central bank, may seem esoteric to some because it is relatively new, but attackers who understand it have a direct financial motive to compromise your websites and servers and put them to work mining it, and a compromised server that holds patient data is a HIPAA compliance issue.
Recently, Decatur County General Hospital in Parsons, Tennessee, notified more than 20,000 patients about exactly this kind of incident. Decatur's electronic medical records (EMR) supplier notified the hospital on November 27, 2017, that unauthorized software had been installed on a server the supplier maintained for Decatur. The unauthorized software allowed the attacker to mine cryptocurrency using the server's spare computing capacity.
Many might wonder whether this is really a HIPAA compliance issue. It is, because the attacker had to gain access to a server holding patient records in order to install the software, and under the Breach Notification Rule unauthorized access to protected health information is presumed to be a breach unless the organization can demonstrate a low probability that the information was compromised. An organization that keeps detailed logs may be able to review them and show that no patient information was accessed or taken; an organization that does not keep such logs cannot rule it out and would have to report the incident as a breach.
Decatur is still investigating the incident with the EMR supplier. It is also offering affected patients one year of online credit monitoring at no cost to them, and it has set up a dedicated phone line to field questions or concerns.
Attacks of this kind are common against database servers such as Microsoft SQL Server and MySQL, particularly when they are reachable from the Internet or accept weak credentials, and against software and applications that aren't locked down to prevent unauthorized modification. To protect against them, conduct network penetration testing to confirm that servers are hardened and not needlessly exposed, and web application penetration testing to find flaws such as SQL injection that would let an attacker run commands on the server or modify the application. If you would like more information, get in touch with our trusted partner, MainNerve.
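Being able to answer "did the attacker only mine, or did they also touch patient data?" depends on having detailed process and network logs to review, as noted above. As an added example, not part of the original post and not the EMR supplier's tooling, the Python script below runs a simple cryptojacking triage over constructed log lines of the kind an endpoint agent or Sysmon-style collector would produce. The log format, the host name emr-db01, the miner binary names, the stratum URL scheme and the pool port list are all illustrative assumptions, not indicators taken from the Decatur incident.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators used by this example (assumptions, not from the original post):
# names of widely used miner binaries, the stratum URL scheme miners use to
# talk to pools, and TCP ports pools are commonly configured on.
MINER_PROCESS_NAMES = {"xmrig", "minerd", "cpuminer", "nicehash", "kdevtmpfsi"}
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl|tls)://", re.IGNORECASE)
POOL_PORTS = {3333, 4444, 5555, 7777, 14444, 45700}

# Hypothetical log formats, constructed for this example: one line per
# process start and one per outbound TCP connection.
PROCESS_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<host>\S+) PROCESS_START user=(?P<user>\S+) '
    r'image=(?P<image>\S+) cmd="(?P<cmd>[^"]*)"$'
)
CONN_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<host>\S+) NET_CONNECT pid=(?P<pid>\d+) '
    r'image=(?P<image>\S+) dst=(?P<dst>[\d.]+):(?P<port>\d+)$'
)


@dataclass
class Finding:
    timestamp: str
    host: str
    reason: str
    evidence: str


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_process(m: re.Match) -> list[str]:
    """Reasons a process-start line looks like a miner; empty if it does not."""
    image = basename(m["image"])
    cmd = m["cmd"]
    reasons = []
    if image.rsplit(".", 1)[0] in MINER_PROCESS_NAMES:
        reasons.append(f"known miner binary name {image}")
    if STRATUM_RE.search(cmd):
        reasons.append("stratum mining-pool URL in command line")
    # Miners are typically launched with a pool (-o/--url) and a wallet (-u/--user).
    if re.search(r"(?:^|\s)(?:-o|--url)\s", cmd) and re.search(r"(?:^|\s)(?:-u|--user)\s", cmd):
        reasons.append("miner-style pool (-o) and wallet (-u) arguments")
    return reasons


def check_connection(m: re.Match) -> list[str]:
    """Reasons a connection line looks like pool traffic; empty if it does not."""
    if int(m["port"]) in POOL_PORTS:
        return [f"outbound connection to common mining-pool port {m['port']}"]
    return []


def scan(lines) -> list[Finding]:
    """Run both checks over an iterable of log lines and collect findings."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = PROCESS_RE.match(line)
        if m:
            checks = check_process(m)
        else:
            m = CONN_RE.match(line)
            checks = check_connection(m) if m else []
        for reason in checks:
            findings.append(Finding(m["ts"], m["host"], reason, line))
    return findings


# Constructed sample log: a benign admin command, a miner start, its pool
# connection, and a legitimate backup job with its HTTPS connection.
SAMPLE_LOG = """\
2017-11-25 02:13:07 emr-db01 PROCESS_START user=svc_sql image=C:\\Windows\\System32\\cmd.exe cmd="cmd.exe /c whoami"
2017-11-25 02:14:41 emr-db01 PROCESS_START user=svc_sql image=C:\\ProgramData\\svchost\\xmrig.exe cmd="xmrig.exe -o stratum+tcp://pool.example.invalid:3333 -u WALLET_PLACEHOLDER -p x"
2017-11-25 02:14:42 emr-db01 NET_CONNECT pid=4120 image=C:\\ProgramData\\svchost\\xmrig.exe dst=203.0.113.10:3333
2017-11-25 02:20:00 emr-db01 PROCESS_START user=svc_backup image=C:\\Backup\\backup.exe cmd="backup.exe --full"
2017-11-25 02:21:05 emr-db01 NET_CONNECT pid=2211 image=C:\\Backup\\backup.exe dst=10.0.0.5:443
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.timestamp} {f.host}: {f.reason}\n    {f.evidence}")
```

On the sample input the script flags only the xmrig start (three reasons: binary name, stratum URL, pool and wallet arguments) and its connection to port 3333; the backup job and its HTTPS connection pass. The point for the breach question is the timeline these findings give you: the user account and process that were running when the miner appeared are the starting point for checking what else that account did on the server, which is exactly the evidence you cannot produce if these logs were never collected.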
To learn more about the steps for protecting your healthcare organization from HIPAA compliance issues, join HIPAAgps today.