When the HITECH Act of 2009 and the HIPAA Omnibus Final Rule of 2013 took effect, the security of vendors and third parties became a concern for covered healthcare entities, big and small. Whenever a partner connects to your network and has access to your Protected Health Information (PHI), you are on the hook for their privacy and security readiness. The lack of a Business Associate Agreement (BAA), or any other excuse, no longer gets you off that hook. This covers every entity that handles PHI, dentists included; for some reason a lot of dentists don’t believe the HIPAA mandates apply to them.
With this in mind, the FBI released a Private Industry Notification, “Cyber Criminals Targeting FTP Servers to Compromise Protected Health Information,” on March 22nd, 2017, to alert healthcare entities to File Transfer Protocol (FTP) server vulnerabilities. Quote:
“The FBI recommends medical and dental healthcare entities request their respective IT services personnel to check networks for FTP servers running in anonymous mode. If businesses have a legitimate use for operating a FTP server in anonymous mode, administrators should ensure sensitive PHI [Protected Health Information] or PII [Personally Identifiable Information] is not stored on the server.”
Now what is an FTP server, you may ask? FTP servers are primarily used to share files between two entities. For example, you are a dentist who shares patient information or files with an oral surgeon in a different practice. Or you are a healthcare entity that employs dozens of remote billing coders who share patient billing data across the country. Or maybe you are a physician who uses the consumer version of Dropbox to store patient notes, photos and records for ease of access across your mobile devices. Dropbox is not an FTP server, but it raises the same concern: a consumer file-sharing service outside your control is holding PHI.
More often than not, the FTP server is configured to accept “anonymous” logins. In anonymous mode the client sends the username anonymous (or ftp) and whatever it likes as the password, by convention an e-mail address, and the server lets it in. No real credential protects the files at all. Where a server does require a named account, that account is frequently shared among multiple staff members or, if the server was set up by a vendor, uses default credentials known throughout the land. Hackers can then target these weakly protected access points and steal valuable patient data. The current going rate for a complete patient record is around $90; an SSN alone fetches about a buck. So you can see the economic incentive.
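The FBI’s recommendation above boils down to a concrete check: connect to every FTP service on your network, send USER anonymous and any password, and see whether the server answers 230 (logged in) or 530 (refused). The script below is an added example written for this post, not code from the FBI notification or from any vendor. It probes a list of host/port pairs with Python’s standard ftplib and never lists, downloads or uploads anything. Because you should not point a scanner at servers you are not authorised to test, it also includes FakeFtpServer, a constructed stand-in that speaks only the USER/PASS/QUIT subset of FTP, so the probe can be exercised offline against an “anonymous allowed” server, a “login refused” server and a dead port. The host list, the banner text and the probe password are all made up for the demonstration.

```python
"""Probe FTP servers for anonymous logins, with a constructed test server.

Added example for this post. FakeFtpServer is a stand-in that speaks only
the USER/PASS/QUIT subset of FTP needed for a login check; point
check_anonymous_ftp() only at hosts you are authorised to test.
"""
import ftplib
import socketserver
import threading
from concurrent.futures import ThreadPoolExecutor


def check_anonymous_ftp(host, port=21, timeout=5.0):
    """Try an anonymous login and report the result; never touch any files.

    reachable: TCP connect succeeded and a 220 greeting was seen.
    anonymous: server accepted USER anonymous / PASS <anything> with 230.
    """
    result = {"host": host, "port": port, "reachable": False,
              "anonymous": False, "banner": "", "detail": ""}
    ftp = ftplib.FTP()
    try:
        # connect() returns the 220 greeting, which often names the product.
        result["banner"] = ftp.connect(host, port, timeout=timeout)
        result["reachable"] = True
        # Anonymous FTP convention: user "anonymous", any password (an e-mail
        # address by tradition). The password here is constructed, not a secret.
        result["detail"] = ftp.login("anonymous", "probe@example.com")
        result["anonymous"] = True
        ftp.quit()
    except ftplib.error_perm as exc:
        # 5xx reply to USER/PASS: the server rejected anonymous access.
        result["detail"] = str(exc)
        ftp.close()
    except ftplib.all_errors as exc:
        # Connection refused, timed out, or the port is not speaking FTP.
        result["detail"] = str(exc)
        ftp.close()
    return result


def scan(targets, timeout=5.0, workers=16):
    """Check many (host, port) pairs concurrently; results keep input order."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(
            lambda t: check_anonymous_ftp(t[0], t[1], timeout), targets))


class _LoginOnlyHandler(socketserver.StreamRequestHandler):
    """Server side of the exchange: 220, then USER -> 331, PASS -> 230 or 530."""

    def reply(self, text):
        self.wfile.write((text + "\r\n").encode("ascii"))

    def handle(self):
        self.reply("220 Constructed test FTP service ready")
        user = None
        while True:
            line = self.rfile.readline()
            if not line:            # client closed the control connection
                return
            cmd, _, arg = line.decode("ascii", "replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user = arg.lower()
                self.reply(f"331 Password required for {arg}")
            elif cmd == "PASS":
                if user in ("anonymous", "ftp") and self.server.allow_anonymous:
                    self.reply("230 Anonymous access granted")
                else:
                    self.reply("530 Login incorrect")
            elif cmd == "QUIT":
                self.reply("221 Goodbye")
                return
            else:
                self.reply("502 Command not implemented")


class FakeFtpServer(socketserver.ThreadingTCPServer):
    """Constructed stand-in for an FTP daemon, bound to an ephemeral port."""
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, allow_anonymous):
        super().__init__(("127.0.0.1", 0), _LoginOnlyHandler)
        self.allow_anonymous = allow_anonymous
        threading.Thread(target=self.serve_forever, daemon=True).start()

    @property
    def port(self):
        return self.server_address[1]

    def stop(self):
        self.shutdown()
        self.server_close()


def demo():
    """Probe three constructed targets: anonymous allowed, refused, and dead."""
    open_srv = FakeFtpServer(allow_anonymous=True)
    locked_srv = FakeFtpServer(allow_anonymous=False)
    dead = FakeFtpServer(allow_anonymous=True)
    dead_port = dead.port
    dead.stop()                      # nothing listens on this port any more
    try:
        return scan([("127.0.0.1", open_srv.port),
                     ("127.0.0.1", locked_srv.port),
                     ("127.0.0.1", dead_port)], timeout=3.0)
    finally:
        open_srv.stop()
        locked_srv.stop()


if __name__ == "__main__":
    for r in demo():
        verdict = ("ANONYMOUS LOGIN ALLOWED" if r["anonymous"]
                   else "login refused" if r["reachable"] else "unreachable")
        print(f"{r['host']}:{r['port']}  {verdict}  {r['detail']}")
```

To use it for real, replace the constructed targets in demo() with the hosts and ports your IT staff own, and treat every “ANONYMOUS LOGIN ALLOWED” hit as a server that must either be shut down or verified to hold no PHI or PII. The probe deliberately stops after the login reply: confirming the weakness does not require listing or fetching a single patient file.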
While anonymous FTP servers are simple, easy to use and don’t bug you with authentication prompts, they come with a tremendous amount of risk. At a $50k minimum penalty for a patient data breach, which always balloons to much more, it’s a very good idea to get a handle on how third parties and vendors are accessing your PHI. It’s also a smart move to start weeding out all the consumer-grade FTP and cloud-based file storage solutions in your practice.
Let me know your thoughts in the comments below.
Bill Mee says
The FBI also cites 2015 research that says 1 million FTP servers were configured to allow anonymous access. My guess is that the number of anonymous FTP servers has not dropped significantly since 2015 because it’s just easier to take the “if it ain’t broke, don’t fix it” mentality of vendor support. There is speculation that the FBI warning stems from discovery of FTP exploitation in some recent cases they have been working on. Anyone care to guess which ones?