The well-established security firm Check Point recently ranked cryptomining as the leading cyber threat in healthcare – ahead of ransomware. Cryptomining malware, also known as cryptocurrency mining malware, refers to software programs and malware components developed to take over a computer’s resources and use them for cryptocurrency mining, without a user’s authorization. This hijacking of computer resources can result in shutdown and even total systems failure. Cryptomining is not specifically addressed by the HIPAA Security Rule. However, the threat of cryptomining malware should make covered entities and business associates evaluate their Security Rule compliance efforts, and, if necessary, implement additional cybersecurity measures as needed to protect against this unique and powerful threat.
Under the HIPAA Security Rule, covered entities and business associates must implement administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). Cryptomining malware can compromise this confidentiality, availability, and integrity. To understand the nature of the threat posed by cryptomining malware, it is useful to first understand some basic concepts.
These include cryptocurrency, cryptography, and cryptomining.
What is Cryptocurrency?
Cryptocurrency is digital money that can be purchased, transferred, and/or sold. Cryptocurrency exists solely on the Internet. This form of currency is not backed by anything tangible (such as gold), nor is it backed or managed by any bank or government. Cryptocurrency transactions, or trades, are changed and verified by a decentralized (not affiliated with any one single entity) network of computers.
What is Cryptography?
Cryptography is a method of protecting information by encrypting it into an unreadable format known as cipher text. Cipher text can be converted to regular text through the process of decryption. Cryptography encrypts and protects the data used to help identify and track cryptocurrency transactions.
What is Cryptomining?
Cryptocurrency miners engage in cryptomining to earn more cryptocurrency (often referred to as “coins” or “Bitcoins”).
Here is how the mining process works:
Miners compete with other cryptominers to solve complicated mathematical problems. Solving the problems enables the miner to authorize a transaction and to chain together (blockchain) blocks of transactions. Once a transaction is included in a block, it is secure and complete.
For his or her mining activities, the miner receives a small amount of cryptocurrency of his or her own, The more currency a miner “mines,” the more currency a miner ends up owning. Cryptocurrency can then be sold for actual cash.
So, you may now be thinking, …..
“What Does Any of This Have to do with HIPAA Healthcare?”
Crpyotmining malware is surreptitiously installed on a user’s computer. Once it is installed, the cryptomining malware turns the affected computer, in effect, into a mining operation – one through which the miners solve their math problems and “earn” their coins and cash.
Here’s the problem: Cryptomining has an enormous appetite for computer power. As the malware is enabling the mining, the mining process consumes significant computing power, bandwidth, and even electricity. Particularly persistent forms of malware consume resources even after a user has logged off.
Eventually, a device or a network may simply become unable to keep up with mining malware’s energy requirements, causing the device or network to crash.
Since any Internet-connected device can be infected with cryptomining malware, those devices used by covered entities or business associates that are missing essential security features – which features include, but are not limited to, antivirus software, firewalls, updates and patches for operating systems – can, upon a malware attack, shut down or experience total system failure. ePHI data thus becomes compromised. As in, lost, rendered inaccessible, or damaged beyond repair. The HIPAA Security rule thus becomes implicated, and, if an organization is found to have implemented ineffective security safeguards, the Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) can audit and fine that organization.
Compliancy Group Simplifies HIPAA Compliance
Covered entities and business associates can address their HIPAA cybersecurity compliance obligations under the Security Rule by working with Compliancy Group.
Our ongoing support and web-based compliance app, The Guard™, gives healthcare organizations the tools to address HIPAA cybersecurity issues so they can get back to confidently running their business.
Find out how Compliancy Group has helped thousands of organizations like yours Achieve, Illustrate, and Maintain™ their HIPAA compliance!