Why providers need to act quickly on FBI warnings on servers

Last month, the FBI issued a warning regarding cyber criminals targeting FTP servers operating in anonymous mode—in other words, FTP servers configured to allow anonymous access.

In anonymous mode, a user could authenticate to the FTP server with a common username such as “anonymous” and then, they are not required to submit a password or email address. This can potentially leave these servers vulnerable to attacks as well as expose sensitive data stored on them.

The warning was specifically applied to FTP servers associated with medical and dental facilities that hold access to protected health information and personally identifiable information. The fear is that healthcare practices or patients could be blackmailed or intimidated based on a breach of confidential health data.

The FBI could have been prompted to issue the warning for multiple reasons:

• There may have been an uptick in reported vulnerabilities or attacks against smaller healthcare organizations.
• A pattern materialized during general monitoring, and the alert to small organizations is an attempt to thwart future issues.
• It’s simply a public service announcement in an effort to control what they predict could become a new threat for smaller healthcare practices.

Regardless of the real reason, this is not a new issue, as evidenced by the research from the University of Michigan that more than 1 million servers are currently configured to allow anonymous access, potentially exposing sensitive data.

This security issue directly impacts patient data, which can be leveraged by threat actors in a variety of ways including ransomware, blackmail and black market profit.

• Ransomware: As we see traditional criminals finding news ways to attack organizations, there’s been an increase in stolen data (not just identity theft). If a threat agent gets ahold of the healthcare provider’s sensitive information, they can hold that data hostage until a fee is paid.
• Black Market: Threat actors can sell stolen information (patient data, social security numbers, credit card information, etc.) on the black market for a profit.
• Blackmail: The Dark Web black market becomes problematic when sold information is then used for nefarious purposes. Take for example health records with mental health diagnoses, HIV status, or other health-related information people don’t want exposed for fear it could be used against them.

Because of the complexity, risk and regulations associated with the healthcare industry, many smaller networks and practices have experienced challenges staying current on technology and security efforts. Furthermore, the practice of purchasing potentially non-compliant software or plugging technology gaps can be a result of not understanding the software was faulty in the first place.

It’s safe to say that at-risk organizations don’t realize their patient data is vulnerable and, because of their small size, there are likely fewer compliance audits in comparison to the larger healthcare networks.

While the trends of using anonymous FTP servers should have been eradicated a decade ago, healthcare security and governance protocols remains a challenge for many organizations. Even though most organizations are moving in the direction of safer practices in protecting protected health information, this particular problem should be viewed like toxic waste—these issues need to be identified and then “cleaned up.”

The solution: The federal government should provide healthcare networks clear and practical guidance on potential risks and suggested technology to avoid vulnerabilities. In that same vein, software vendors should have something similar: a clear understanding of HIPAA regulations so they can write secure medical software.