The FBI’s recent Private Industry Notification warns medical and dental facilities of cybercriminals targeting file transfer protocol (FTP) servers operating in anonymous mode within their organizations. Healthcare providers are particularly susceptible to this type of attack, as hackers can steal protected health information (PHI) or personally identifiable information (PII) to intimidate, extort money, or ruin the reputation of business owners.
The notification included research conducted by the University of Michigan in 2015 titled “FTP: The Forgotten Cloud,” that found that over one million FTP servers were configured to allow anonymous access, putting sensitive data stored on the servers at risk of exposure. With this vulnerability cybercriminals can authenticate to a server using a common username such as “anonymous” or “ftp,” either without submitting a password at all or by using a generic password or email address.
The FBI statement warns organizations that, “In general, any misconfigured or unsecured server operating on a business network on which sensitive data are stored or processed exposes the business to data theft and compromise by cyber criminals who can use the data for criminal purposes, such as blackmail, identity theft, or financial fraud.”
This is why it is in the best interest of any healthcare organization to seek the expert guidance of a professional IT Management Service Provider who can check your networks for FTP servers running in anonymous mode. A team of IT professionals will be able to ensure that FTP servers needing to operate in anonymous mode for legitimate reasons be properly configured to not allow ‘write’ access. This means that hackers attempting to access your data will not be able to upload malicious programs or documents or launch targeted cyberattacks. They can also make certain that any sensitive data, such as PHI or PII, is stored on a separate server then any server allowing anonymous access.
In fact proper configuration of FTP servers is only a fraction of the benefits that a professional IT team could bring to your healthcare organization. For more information contact us.