Can Cryptojacking Result in a Databreach?

Healthcare organizations should be aware of a new method, referred to as “cryptojacking,” that hackers are using to exploit the systems and networks they infiltrate.  Hackers use cryptojacking methods to siphon energy resources from a computer’s processor which they then use to mine for bitcoins, a popular form of crypto-currency.

While the goal of cryptojacking is to obtain valuable energy resources, not the data that may be stored on the targeted system, healthcare organizations still need to be aware of this threat and take steps to prevent hackers from penetrating their systems.

Cryptojacking presents risks to a healthcare organization, not only because of the potential drain on the healthcare organization’s energy resources, but also because cryptojacking could still met the definition of a security incident under the Health Insurance Portability and Accountability Act (“HIPAA”).

HIPAA defines a security incident as “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” (45 CFR 164.304).  Cryptojacking does involve the interference with a system’s operation.  So, cryptojacking could trigger a reporting requirement under HIPAA.

If any healthcare organization suspects their systems may be the victim of a cryptojacking activity, it should immediately engage its IT department and conduct a forensic analysis to determine the scope and nature of any such activity and if any HIPAA reporting obligations have been triggered.