FBI Informs Healthcare Providers of Risks Associated with Anonymous FTP Server Use
According to a recent warning issued by the FBI, healthcare organizations may be placing the protected health information of their patients in jeopardy by using anonymous FTP servers.
Cybercriminals are profiting from the lack of protection on FTP servers to access patients’ protected health information (PHI). Anonymous FTP servers enable unauthorised individuals to access data stored on the server. In anonymous mode, the only thing that is necessary to access data is a username. In certain scenarios, data can be accessed without even a password, and even if a password is required, a generic one can be utilised. Although criminals would need to guess the username, default usernames can readily be found online.
The risk involved in using anonymous FTP servers is rather significant. When PHI is stored on FTP servers it can easily be accessed by any member of the public. Additional private data saved on the servers may also be accessed and stolen. Said data could be sold to multiple third parties on the black market or used to blackmail healthcare organizations. On numerous occasions in 2016, cybercriminals stole data from healthcare organizations and demanded money on pain of releasing that information publicly.
Besides the risk of data being exfiltrated, there is also a risk of programs and files being sent in the opposite direction. An attacker may use access to an FTP server in order to upload malicious files. Alternatively, the FTP server might be used to host illegal material. This would expose the healthcare provider to considerable legal risk.
The FBI has said that cyber criminals might also use an FTP server in anonymous mode, configured so as to allow “write” access in order to store malicious tools or launch targeted cyberattacks.
The FBI has referred to research carried out by researchers from the University of Michigan which showed that worldwide there are more than one million anonymous FTP servers in use, none of which offer protection for stored data.
The FBI states that all medical and dental organizations should liaise with their own IT departments and check whether their FTP servers are running in anonymous mode. If in fact they are, all sensitive data and PHI stored on the servers must be removed immediately. Only files containing public information should be stored on anonymous FTP servers. If there is no requirement for anonymous FTP access, anonymous mode should be deactivated and secure passwords set for all user accounts.
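The check recommended above, verifying whether one's own FTP servers accept an anonymous login, can be scripted. The following is an added example (not code from the FBI notice or the cited research) using only Python's standard ftplib; the fake server, the loopback address and the status strings are constructed for the demonstration so that it runs offline against a server you own.

```python
import socket
import threading
from ftplib import FTP, error_perm

def check_anonymous_login(host, port=21, timeout=5):
    """Read-only probe: try USER anonymous / PASS anonymous@ and report the outcome."""
    ftp = FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login()  # ftplib defaults to the anonymous account
        return "anonymous-allowed"
    except error_perm:  # 5xx reply: anonymous account refused
        return "anonymous-denied"
    except OSError:  # refused, timed out, or no route to host
        return "unreachable"
    finally:
        try:
            ftp.quit()
        except Exception:
            ftp.close()

def start_fake_ftp(allow_anonymous):
    """Constructed stand-in server (USER/PASS/QUIT only) so the check runs offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        user = ""
        with conn, conn.makefile("rb") as rd:
            conn.sendall(b"220 constructed test server\r\n")
            for raw in rd:
                cmd, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
                if cmd.upper() == "USER":
                    user = arg.lower()
                    conn.sendall(b"331 Password required\r\n")
                elif cmd.upper() == "PASS":
                    ok = allow_anonymous and user in ("anonymous", "ftp")
                    conn.sendall(b"230 Login OK\r\n" if ok else b"530 Login incorrect\r\n")
                elif cmd.upper() == "QUIT":
                    conn.sendall(b"221 Goodbye\r\n")
                    break
                else:
                    conn.sendall(b"502 Not implemented\r\n")
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port
```

Run `check_anonymous_login` against each of your own FTP hosts; any "anonymous-allowed" result is a server on which PHI must not be stored and on which anonymous mode should be disabled unless it is genuinely required.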