When the HITECH Act of 2009 and the HIPAA Omnibus Final Rule of 2013 took effect, the security of vendors and third parties became a concern for every covered healthcare entity, big and small. Whenever a partner connects to your network and has access to your Protected Health Information (PHI), you are on the hook for their privacy and security readiness; the absence of a Business Associate Agreement (BAA), or any other excuse, no longer shields you. This applies to every entity that handles PHI, including dentists, many of whom still believe HIPAA mandates do not apply to them.
With this in mind, the FBI released a Private Industry Notification, “Cyber Criminals Targeting FTP Servers to Compromise Protected Health Information”, on March 22nd, 2017 to alert healthcare entities to the risk posed by File Transfer Protocol (FTP) servers running in anonymous mode. Quoting the alert:
“The FBI recommends medical and dental healthcare entities request their respective IT services personnel to check networks for FTP servers running in anonymous mode. If businesses have a legitimate use for operating a FTP server in anonymous mode, administrators should ensure sensitive PHI [Protected Health Information] or PII [Personally Identifiable Information] is not stored on the server.”
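One way to carry out the check the FBI recommends, as an added example that is not part of the original post or of the FBI alert: a small Python 3 script (standard library only) that attempts an anonymous login against each host and reports the ones that accept it. The `FakeFtpServer` class is a constructed stand-in for an FTP daemon, included only so the check can be exercised offline; the function names, the `anonymous@` password and the sample targets are this example's own assumptions.

```python
"""Find FTP servers that accept anonymous logins (added example, not from the post)."""
import ftplib
import ipaddress
import socket
import threading


def check_anonymous_ftp(host, port=21, timeout=5.0):
    """Return (True, banner) if 'anonymous' can log in, (False, reason) if the
    server refuses it, or (None, reason) if nothing usable answers on host:port."""
    ftp = ftplib.FTP()
    try:
        banner = ftp.connect(host, port, timeout=timeout)  # connect() returns the 220 banner
    except (OSError, ftplib.Error) as exc:
        return None, f"no FTP service on {host}:{port} ({exc})"
    try:
        # ftplib sends "USER anonymous", then "PASS anonymous@" (assumed convention) on a 331 reply.
        ftp.login("anonymous", "anonymous@")
        return True, banner
    except ftplib.error_perm as exc:          # 5xx reply: anonymous login refused
        return False, f"anonymous login refused: {exc}"
    except ftplib.Error as exc:               # 4xx or malformed reply: inconclusive
        return None, f"inconclusive: {exc}"
    finally:
        try:
            ftp.quit()
        except (OSError, ftplib.Error):
            ftp.close()


def scan(targets, port=21):
    """Check hostnames, IPs or CIDR blocks; return only hosts that allowed anonymous login."""
    findings = {}
    for target in targets:
        try:
            hosts = [str(h) for h in ipaddress.ip_network(target, strict=False).hosts()]
        except ValueError:
            hosts = [target]  # not an address or network, treat as a hostname
        for host in hosts:
            allowed, detail = check_anonymous_ftp(host, port)
            if allowed:
                findings[host] = detail
    return findings


class FakeFtpServer(threading.Thread):
    """Constructed stand-in for an FTP daemon so the check runs offline. It speaks
    just enough of RFC 959 (USER/PASS/QUIT) to serve one client session."""

    def __init__(self, allow_anonymous):
        super().__init__(daemon=True)
        self.allow_anonymous = allow_anonymous
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))  # OS picks a free port
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]

    def run(self):
        conn, _ = self.listener.accept()
        self.listener.close()
        with conn, conn.makefile("rb") as lines:
            def reply(text):
                conn.sendall((text + "\r\n").encode("ascii"))
            reply("220 constructed-ftpd ready")
            for raw in lines:
                verb = raw.decode("ascii", "replace").split(" ", 1)[0].strip().upper()
                if verb == "USER":
                    reply("331 Please specify the password.")
                elif verb == "PASS":
                    reply("230 Login successful." if self.allow_anonymous
                          else "530 Login incorrect.")
                elif verb == "QUIT":
                    reply("221 Goodbye.")
                    break
                else:
                    reply("502 Command not implemented.")


def run_demo():
    """Run the check against a permissive fake, a locked-down fake and a closed port."""
    results = {}
    for name, allow in (("open", True), ("locked", False)):
        srv = FakeFtpServer(allow_anonymous=allow)
        srv.start()
        results[name] = check_anonymous_ftp("127.0.0.1", srv.port)
        srv.join(timeout=5)
    dead = socket.socket()
    dead.bind(("127.0.0.1", 0))
    dead_port = dead.getsockname()[1]
    dead.close()  # nothing listens here any more, so the connect is refused
    results["dead"] = check_anonymous_ftp("127.0.0.1", dead_port, timeout=2.0)
    return results


if __name__ == "__main__":
    for name, (allowed, detail) in run_demo().items():
        print(f"{name:6s} anonymous={allowed} {detail}")
    # Real use (assumed sample targets): print(scan(["10.0.0.0/24", "ftp.example.org"]))
```

A successful login is only the first signal; a server that accepts `anonymous` but exposes an empty directory is a much smaller problem than one serving a backup folder, so follow up any hit with a directory listing (`ftp.nlst()`) and a look at what is actually stored there. If nmap is already in your toolkit, `nmap -p21 --script ftp-anon <network>` performs the same test and prints the listing in one step.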