Responsible disclosure
Today I've been scouring the web for news on cryptominer incidents to incorporate into next month's awareness materials on malware.
As well as the usual doom-n-gloom reports from assorted antivirus companies bigging-up the cryptominer threat, I came across an interesting letter from a US hospital, formally notifying patients about an incident.
The infection was identified back in September 2017, and eradicated within 4 days of detection.
Although the malware infection was a relatively benign cryptominer, the hospital sent a formal notification letter to patients at the end of January 2018 since the infected system held their medical data.
Full marks to the hospital management for 'fessing up to the incident and publicly disclosing it, and for apparently handling the incident in a professional and reasonably efficient manner (although arguably 4 months is an age in Internet time).
They have offered free credit monitoring services, which would be more appropriate in a case of identity fraud; that is a possibility if the malware gained privileged access to the system. I wonder, though, whether this letter was simply part of their pre-prepared generic response to a cyber-incident, perhaps a defensive move prompted by their lawyers just in case personal/medical information was disclosed inappropriately.
Anyway, there we go: a relevant little news clip to share and explain through the awareness program, for people to discuss and contemplate. We can use it in the awareness slide decks and briefing papers, and maybe as a case study. There are aspects of interest to the general staff audience, to management, and to the professionals/specialists, so we get three times the value from one story. Cool!