Protected health information at risk, FBI warns

The FBI in a private industry notification warned health care providers that cybercriminals are actively targeting File Transfer Protocol (FTP) servers “operating in ‘anonymous’ mode and associated with medical and dental facilities to access protected health information (PHI) and personally identifiable information (PII) in order to intimidate, harass and blackmail business owners.”

The notification, issued March 22, cites research from 2015 indicating that more than 1 million FTP servers were configured to allow anonymous access. This anonymous extension lets a user “authenticate to the FTP server” with a common username (typically “anonymous” or “ftp”) and either skip the password entirely or submit a generic one, so anyone who can reach the server can read whatever it holds.

In addition to purposes of intimidation, harassment and blackmail, cybercriminals can access some servers to store malicious tools and launch targeted cyberattacks. “In general, any misconfigured or unsecured server operating on a business network on which sensitive data is stored or processed exposes the business to data theft and compromise by cybercriminals who can use the data for criminal purposes such as blackmail, identity theft or financial fraud,” the notice states.

FBI recommendations

The FBI recommends that dental and medical health care entities ask their information technology personnel to check networks for FTP servers running in anonymous mode and ensure that “sensitive PHI or PII is not stored on the server.”
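The check the FBI describes can be scripted so that IT staff audit an inventory of their own hosts rather than testing servers one at a time. The following Python is an added example written for this article; it is not code from the FBI notice or from CDA. It probes each address with the standard library's `ftplib`, whose `login()` with no arguments sends exactly the generic credential the notice describes (`USER anonymous` / `PASS anonymous@`), and it classifies the reply as allowed, rejected, or unreachable. The host list is a constructed placeholder, and the `FakeFtpServer` class is a constructed stand-in for a real server so the example runs offline and shows both a misconfigured and a correctly configured response.

```python
import ftplib
import socket
import threading

# Constructed placeholder inventory; replace with the practice's own server addresses.
SAMPLE_HOSTS = ["192.0.2.10", "192.0.2.11"]


def anonymous_login_allowed(host, port=21, timeout=5.0):
    """Probe one FTP server for anonymous access.

    Returns True if the server accepts an anonymous login, False if it
    rejects it (5xx reply), and None if the host is unreachable or does
    not speak FTP. ftplib.FTP.login() with no arguments uses the
    username 'anonymous' and the generic password 'anonymous@'.
    """
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login()
        ftp.quit()
        return True
    except ftplib.error_perm:      # e.g. "530 Login incorrect"
        ftp.close()
        return False
    except (OSError, EOFError, ftplib.Error):  # refused, timed out, not FTP
        ftp.close()
        return None


def audit(hosts, port=21, timeout=5.0):
    """Return {host: result} so findings can be reviewed or exported."""
    return {host: anonymous_login_allowed(host, port, timeout) for host in hosts}


class FakeFtpServer:
    """Constructed single-connection FTP control-channel stub used only to
    demonstrate the probe offline. It implements USER, PASS and QUIT and
    nothing else; the allow_anonymous flag models the server's configuration."""

    def __init__(self, allow_anonymous):
        self.allow_anonymous = allow_anonymous
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))   # any free loopback port
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        conn, _ = self.sock.accept()
        with conn, conn.makefile("rb") as rfile:
            conn.sendall(b"220 fake-ftp ready\r\n")
            user = None
            for raw in rfile:
                cmd, _, arg = raw.decode("latin-1").strip().partition(" ")
                cmd = cmd.upper()
                if cmd == "USER":
                    user = arg.lower()
                    conn.sendall(b"331 Password required\r\n")
                elif cmd == "PASS":
                    if self.allow_anonymous and user in ("anonymous", "ftp"):
                        conn.sendall(b"230 Anonymous access granted\r\n")
                    else:
                        conn.sendall(b"530 Login incorrect\r\n")
                elif cmd == "QUIT":
                    conn.sendall(b"221 Goodbye\r\n")
                    break
                else:
                    conn.sendall(b"502 Command not implemented\r\n")
        self.sock.close()


def demo():
    """Run the audit against one misconfigured and one hardened stub server."""
    open_srv = FakeFtpServer(allow_anonymous=True)
    closed_srv = FakeFtpServer(allow_anonymous=False)
    return {
        "anonymous-enabled": anonymous_login_allowed("127.0.0.1", open_srv.port),
        "anonymous-disabled": anonymous_login_allowed("127.0.0.1", closed_srv.port),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'ANONYMOUS LOGIN ALLOWED' if result else 'rejected'}")
```

A `True` result is the finding to act on: either remove PHI and PII from that server, as the notice advises, or disable anonymous login in the server's configuration (on vsftpd, for example, the setting is `anonymous_enable=NO`). Run the audit only against hosts the practice owns or administers, and repeat it after changes so a server re-enabled in anonymous mode is caught early.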

Health care providers can contact their local FBI field office with questions concerning the notice.
