The FBI recently issued a vulnerability warning to health care entities that may be storing protected health information (PHI) on FTP servers.
On March 22, the FBI alerted health care organizations that hackers may target a specific vulnerability in file transfer protocol (FTP) servers, which would allow them to access PHI. FTP is a standard network protocol used to transfer files over a network.
The vulnerability is a server configuration that allows anonymous access: any user can log in with a common username such as “anonymous” or “ftp” and either no password at all or a generic password or email address.
Cyber criminals could use this access to launch cyber-attacks such as stealing data or storing malicious tools.
This is a common weakness. Penetration testers at MainNerve have often noted in their reports that servers, routers, firewalls, and similar devices ship with default usernames and passwords that are left unchanged when the device is deployed on a network. This is a significant vulnerability because a malicious hacker can look up the default credentials for a specific device and use them to gain access to the network.
Additionally, the Office for Civil Rights (OCR) issued an alert in October 2016 notifying health care providers of the same issue. The FTP service on network-attached storage (NAS) devices is vulnerable, and many such devices have been infected with malware. NAS devices are often plug-and-play: they can be bought and set up in a few steps, so the factory defaults may still be in use.
The FBI suggests speaking with your local information technology (IT) expert, whether on staff or contracted, and ensuring that default access is disabled on all storage devices.
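One way to verify that recommendation on a Linux FTP host, as an added example that is not part of the FBI alert or this article: the script below audits a vsftpd.conf for the anonymous-access directives. It assumes vsftpd is the daemon in use (NAS appliances often run a different FTP server with its own settings) and that its documented compiled-in default, anonymous_enable=YES, applies when the directive is absent; the sample configs are constructed for the example.

```python
"""Audit a vsftpd.conf for the anonymous-FTP exposure described above."""

# vsftpd boolean directives that govern anonymous access, with the daemon's
# compiled-in defaults. Note that anonymous_enable defaults to YES, so a
# config file that never mentions it still accepts "anonymous"/"ftp" logins.
DEFAULTS = {
    "anonymous_enable": True,          # anonymous logins permitted
    "anon_upload_enable": False,       # anonymous users may upload files
    "anon_mkdir_write_enable": False,  # anonymous users may create directories
}
_TRUE = {"YES", "TRUE", "1"}    # vsftpd accepts these spellings for true
_FALSE = {"NO", "FALSE", "0"}   # and these for false, case-insensitively


def parse_vsftpd_conf(text):
    """Return {directive: raw value} from vsftpd.conf text; a later setting
    of the same directive overrides an earlier one, as in vsftpd itself."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        key, sep, value = line.partition("=")
        if not sep:
            continue                      # malformed line; vsftpd would reject the file
        settings[key.strip()] = value.strip()
    return settings


def anon_settings(text):
    """Resolve the anonymous-access directives to booleans, applying defaults."""
    parsed = parse_vsftpd_conf(text)
    resolved = dict(DEFAULTS)
    for key in DEFAULTS:
        if key in parsed:
            value = parsed[key].upper()
            if value in _TRUE:
                resolved[key] = True
            elif value in _FALSE:
                resolved[key] = False
            else:
                raise ValueError(f"bad boolean for {key}: {parsed[key]!r}")
    return resolved


def audit_vsftpd_conf(text):
    """Return a list of findings; an empty list means no anonymous exposure."""
    s = anon_settings(text)
    findings = []
    if s["anonymous_enable"]:
        findings.append("anonymous_enable is YES or unset: 'anonymous'/'ftp' logins are accepted")
        if s["anon_upload_enable"] or s["anon_mkdir_write_enable"]:
            findings.append("anonymous users can write to the server, so it can be used to stage malicious tools")
    return findings


# Constructed sample configs (not taken from any real system).
EXPOSED_CONF = "listen=YES\n# anonymous_enable is not set, so the YES default applies\nanon_upload_enable=yes\n"
HARDENED_CONF = "listen=YES\nanonymous_enable=NO\nlocal_enable=YES\n"
```

Run it against the live file with `audit_vsftpd_conf(open("/etc/vsftpd.conf").read())`; the hardened sample produces no findings, while the exposed sample reports both anonymous logins and anonymous writes.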
To learn more about other technical requirements, sign up with HIPAAgps today and get started using our extensive HIPAA compliance tool.