Cyber criminals are constantly seeking new ways to gain access to personal and health information and, on March 22, 2017, the FBI issued a specific warning to health care providers regarding threats to File Transfer Protocol ("FTP") servers operating in anonymous mode.
FTP is a standard network protocol for transferring files between hosts. Normally a user must authenticate to the FTP server with a user name and password. When an FTP server is operating in anonymous mode, however, anyone who can reach it can log in with the well-known user name "anonymous" (on many servers also "ftp"), supplying no password at all or any placeholder value, by convention an email address, which the server accepts without checking. Such a server can be reached and searched by anyone on the network, including cyber criminals, with no credentials to guess or steal.
Cyber criminals who are able to access an FTP server that stores protected health information ("PHI") or personally identifiable information ("PII") may be able to copy or alter such information, or may use it for criminal purposes such as blackmail, identity theft, or fraud. Health care providers may then be responsible for reporting a breach of PHI under the Health Insurance Portability and Accountability Act ("HIPAA") as well as under any applicable state laws. In addition, if the anonymous account is permitted to upload files, cyber criminals may use the FTP server to store malicious tools or as a staging point from which to launch a cyber attack.
In response to this threat, the FBI recommends that health care providers specifically request that their IT professionals check their networks for any FTP servers running in anonymous mode. If there is a legitimate business purpose for operating an FTP server in anonymous mode, health care providers should ensure that no PHI or PII is kept on the server and, as a practical precaution, that the anonymous account cannot upload files, since a writable anonymous share is what allows an attacker to stage malicious tools there.
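The check the FBI recommends above can be automated. The Python script below is an added example written for this page, not code from the FBI alert or any vendor; it attempts an anonymous login against each (host, port) pair it is given and reports only the servers that accept it. So that it runs offline, it also includes a small in-process fake FTP server (constructed here purely for demonstration) that answers just enough of the FTP control channel to show one server accepting and one refusing the anonymous login; on a real network you would replace the fake targets with the addresses of your own FTP servers.

```python
"""Find FTP servers that accept anonymous logins (added example)."""
import socketserver
import threading
from ftplib import FTP, Error, error_perm

# Credentials an anonymous-mode server accepts: the well-known user name and,
# by convention, an e-mail address as the password. The address is a
# placeholder, not a real mailbox.
ANON_USER = "anonymous"
ANON_PASS = "ftp@example.com"


def check_anonymous_ftp(host, port=21, timeout=5.0):
    """Attempt an anonymous login. Returns (allowed, detail).

    allowed is True only when the server accepts the anonymous credentials;
    a refused login, a closed port or a timeout all count as not allowed.
    """
    ftp = FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login(ANON_USER, ANON_PASS)
        # Login worked. Try to list the root directory so the report shows
        # whether anything is actually exposed; some servers refuse listings.
        try:
            entries = ftp.nlst()
            detail = "anonymous login accepted; %d entries visible" % len(entries)
        except error_perm:
            detail = "anonymous login accepted; directory listing refused"
        ftp.quit()
        return True, detail
    except error_perm as e:            # 5xx reply, e.g. "530 Login incorrect"
        return False, "anonymous login rejected: %s" % e
    except Error as e:                 # any other unexpected FTP reply
        return False, "unexpected FTP reply: %s" % e
    except (OSError, EOFError) as e:   # refused, timed out, or server hung up
        return False, "no usable FTP service: %s" % e
    finally:
        ftp.close()


def scan_hosts(targets, timeout=5.0):
    """Check every (host, port) pair; return those that allow anonymous login."""
    findings = []
    for host, port in targets:
        allowed, detail = check_anonymous_ftp(host, port, timeout)
        if allowed:
            findings.append((host, port, detail))
    return findings


class _FakeFtpHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in: just enough of the FTP control channel to test with."""

    def handle(self):
        self.wfile.write(b"220 fake ftpd ready\r\n")
        user = None
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd, _, arg = line.decode("latin-1").strip().partition(" ")
            cmd = cmd.upper()
            anon = user in ("anonymous", "ftp")
            if cmd == "USER":
                user = arg.lower()
                anon = user in ("anonymous", "ftp")
                if anon and not self.server.allow_anonymous:
                    self.wfile.write(b"530 Anonymous access denied.\r\n")
                else:
                    self.wfile.write(b"331 Please specify the password.\r\n")
            elif cmd == "PASS":
                if anon and self.server.allow_anonymous:
                    self.wfile.write(b"230 Login successful.\r\n")
                else:
                    self.wfile.write(b"530 Login incorrect.\r\n")
            elif cmd == "QUIT":
                self.wfile.write(b"221 Goodbye.\r\n")
                return
            else:
                # No TYPE/PASV/NLST support, so the listing attempt is refused.
                self.wfile.write(b"502 Command not implemented.\r\n")


def start_fake_server(allow_anonymous):
    """Start a fake FTP server on a free loopback port; caller shuts it down."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _FakeFtpHandler)
    srv.daemon_threads = True
    srv.allow_anonymous = allow_anonymous
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    open_srv = start_fake_server(allow_anonymous=True)
    locked_srv = start_fake_server(allow_anonymous=False)
    targets = [("127.0.0.1", open_srv.server_address[1]),
               ("127.0.0.1", locked_srv.server_address[1])]
    for host, port, detail in scan_hosts(targets):
        print("FINDING %s:%d %s" % (host, port, detail))
    for srv in (open_srv, locked_srv):
        srv.shutdown()
        srv.server_close()
```

Because a closed port, a timeout and a refused login are all reported as "not allowed", the only hosts that appear in the findings are those where the anonymous credentials actually worked; those are the servers to review for PHI or PII and for writable directories.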
The FBI’s guidance may be read here: https://info.publicintelligence.net/FBI-PHI-FTP.pdf