Healthcare organizations could be placing the protected health information of patients at risk by using anonymous FTP servers, according to a recent alert issued by the FBI.
Cybercriminals are taking advantage of the lack of protection on anonymous FTP servers to gain access to the PHI of patients. An anonymous FTP server allows the data stored on it to be retrieved by anyone who connects, without authentication. In anonymous mode, logging in requires nothing more than a username, and that username does not have to be guessed: by convention it is “anonymous” (often “ftp” is accepted as well), and the defaults for common server software are documented online. A password may still be requested, but the server accepts whatever is typed; the convention is simply to enter an e-mail address.
The risk of using anonymous FTP servers is considerable. If PHI is stored on FTP servers it could be easily accessed by members of the public. Any other sensitive data stored on the servers could also be accessed and stolen. Sensitive data could be sold on the black market or used to extort money from healthcare organizations. On many occasions over the past year, cybercriminals have stolen data from healthcare organizations and demanded money not to release that information publicly.
While there is a risk of data being exfiltrated, there is also a risk of programs and files moving in the opposite direction if the server is configured to allow anonymous write access. A malicious actor could use that access to upload malicious files, or the FTP server could be used to host illegal material. The legal risks to the healthcare provider if that were to happen would be considerable.
The FBI says: “Cyber criminals could also use an FTP server in anonymous mode and configured to allow ‘write’ access to store malicious tools or launch targeted cyberattacks.”
The FBI has cited research conducted by University of Michigan researchers which found that more than 1 million FTP servers worldwide accept anonymous logins, meaning anything stored on them can be read by anyone who connects.
The FBI says all medical and dental organizations should consult their IT departments and have every FTP server checked to see whether it accepts anonymous logins. If one does, it is essential that all sensitive data and PHI stored on the server is removed; the only data that should be stored on an anonymous FTP server is files containing public information. If anonymous access is not required, anonymous mode should be turned off and strong passwords set for user accounts, and anonymous write (upload) access should be disabled in any case. One further caveat a practitioner should keep in mind: plain FTP sends usernames, passwords and file contents in the clear, so turning off anonymous mode protects the data at rest on the server but not in transit.
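The check the FBI recommends, and the anonymous login described earlier in this article, can be carried out with a short script. The following is an added example written for this article, not code from the FBI alert or from the University of Michigan study. It attempts the anonymous login with Python's standard ftplib, and, if that succeeds, tests for anonymous write access by creating and immediately removing a directory (MKD/RMD, which needs no data connection and leaves nothing behind). Because it has to run offline here, it also contains a constructed stub FTP control channel that answers only the handful of commands the probe sends; against a real server you would call check_anonymous_ftp with the server's hostname instead. The host name, probe directory name and stub reply texts are all assumptions made for the example.

```python
"""Probe an FTP server for anonymous login and anonymous write access.

Added example for this article (not the FBI's or anyone else's tool).
Standard library only. The StubFtpServer below is a constructed stand-in
used so the example runs offline; point check_anonymous_ftp at a real
host/port to audit your own servers.
"""
import ftplib
import socket
import threading


def check_anonymous_ftp(host, port=21, timeout=5.0, probe_write=True,
                        probe_dir="_anon_write_probe"):
    """Return a dict describing what an unauthenticated client can do.

    anonymous_login: True if USER anonymous / PASS <anything> is accepted.
    anonymous_write: True/False if probed, None if login failed or not probed.
    detail: the server's refusal text (530, 550, ...) or a connection error.
    """
    result = {"host": host, "port": port, "anonymous_login": False,
              "anonymous_write": None, "detail": ""}
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        # Any password is accepted in anonymous mode; an e-mail-style string
        # is the convention. The address here is a placeholder.
        ftp.login("anonymous", "probe@example.invalid")
        result["anonymous_login"] = True
        if probe_write:
            try:
                ftp.mkd(probe_dir)          # 257 means anyone can write here
                result["anonymous_write"] = True
                try:
                    ftp.rmd(probe_dir)      # clean up after ourselves
                except ftplib.all_errors:
                    result["detail"] = "created %s but could not remove it" % probe_dir
            except ftplib.error_perm as exc:  # 550: write refused
                result["anonymous_write"] = False
                result["detail"] = str(exc)
    except ftplib.error_perm as exc:          # 530: anonymous login refused
        result["detail"] = str(exc)
    except (OSError, EOFError) as exc:        # unreachable, timeout, reset
        result["detail"] = "connection failed: %s" % exc
    finally:
        if ftp.sock is not None:
            try:
                ftp.quit()
            except ftplib.all_errors:
                ftp.close()
    return result


class StubFtpServer(threading.Thread):
    """Constructed stand-in for an FTP control channel (offline demo only).

    Serves one client on 127.0.0.1 and understands only USER, PASS, MKD,
    RMD and QUIT, answering with the reply codes a real server would use.
    """

    def __init__(self, allow_anonymous, allow_write):
        super().__init__(daemon=True)
        self.allow_anonymous = allow_anonymous
        self.allow_write = allow_write
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))   # OS picks a free port
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]

    def run(self):
        conn, _ = self.listener.accept()
        self.listener.close()
        user = None
        with conn, conn.makefile("rb") as rfile:
            def reply(line):
                conn.sendall((line + "\r\n").encode())
            reply("220 stub FTP service ready")
            for raw in rfile:
                cmd, _, arg = raw.decode(errors="replace").strip().partition(" ")
                cmd = cmd.upper()
                if cmd == "USER":
                    user = arg
                    reply("331 Please specify the password.")
                elif cmd == "PASS":
                    if user == "anonymous" and self.allow_anonymous:
                        reply("230 Login successful.")
                    else:
                        reply("530 Login incorrect.")
                elif cmd == "MKD":
                    if self.allow_write:
                        reply('257 "/%s" created' % arg)
                    else:
                        reply("550 Permission denied.")
                elif cmd == "RMD":
                    reply("250 Remove directory operation successful.")
                elif cmd == "QUIT":
                    reply("221 Goodbye.")
                    break
                else:
                    reply("502 Command not implemented.")


def demo(allow_anonymous, allow_write):
    """Run the probe against a stub server with the given policy."""
    server = StubFtpServer(allow_anonymous, allow_write)
    server.start()
    result = check_anonymous_ftp("127.0.0.1", server.port)
    server.join(timeout=5)
    return result


if __name__ == "__main__":
    for policy in ((False, False), (True, False), (True, True)):
        r = demo(*policy)
        print("anonymous=%s write=%s -> login=%s writable=%s (%s)" % (
            policy[0], policy[1], r["anonymous_login"], r["anonymous_write"], r["detail"]))
```

A result with anonymous_login True is the condition the FBI alert warns about: everything on that server is readable by anyone. A result with anonymous_write True is the worse case quoted above, where the server can be used to store malicious tools. Run this only against servers you are authorized to test, and note that it checks a single host; for an inventory, loop over the organization's FTP hosts and keep the results.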