The FBI issued a Private Industry Alert on March 22, 2017, entitled “Cyber Criminals Targeting FTP Servers to Compromise Protected Health Information,” warning health and dental providers about the security of FTP (File Transfer Protocol) servers.
According to the Alert, “[T]he FBI is aware of criminal actors who are actively targeting FTP servers operating in ‘anonymous’ mode and associated with medical and dental facilities to access protected health information and personally identifiable information in order to intimidate, harass and blackmail business owners.”
The Alert cites a University of Michigan research paper that concludes that there are 13.8 million FTP servers connected to the Internet, and that 1.1 million of them allow anonymous access, which means that no password is needed to access them. Accordingly, hackers are targeting these servers to gain access to health information and sell it or use it for ransom.
Whenever the FBI issues a Private Industry Alert, it is worth paying attention. In this case, the FBI recommends that health care and dental providers assess whether FTP servers are in use and check the security of those servers. Other security experts recommend disabling FTP servers altogether. At any rate, health care and dental providers may wish to make assessing their use of FTP servers, and the security of those servers, a high priority.
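One way to carry out the recommended check on a server you administer, as an added example that is not part of the FBI Alert: the script below audits the text of a vsftpd configuration file for anonymous-access settings. It assumes the server runs vsftpd (the Alert names no product); the function names and sample configurations are constructed for illustration.

```python
# Added example (not from the FBI Alert): flag anonymous-access settings in
# a vsftpd.conf. vsftpd is an assumed server; sample configs are constructed.

# vsftpd's built-in defaults, used when an option is absent from the file.
DEFAULTS = {
    "anonymous_enable": "YES",   # anonymous login is ON unless disabled
    "no_anon_password": "NO",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
}
ANON_WRITE_OPTS = ("anon_upload_enable", "anon_mkdir_write_enable",
                   "anon_other_write_enable")

def parse_conf(text):
    """Return effective settings: defaults overlaid with option=value lines."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()  # keeps the last occurrence
    return settings

def audit(text):
    """Return a list of findings about anonymous access; empty means none."""
    s = parse_conf(text)
    on = lambda k: s[k].upper() in ("YES", "TRUE", "1")
    if not on("anonymous_enable"):
        return []
    findings = ["anonymous_enable: login allowed without an account"]
    if on("no_anon_password"):
        findings.append("no_anon_password: no password prompt at all")
    # Anonymous write options only take effect when write_enable is on.
    if on("write_enable"):
        findings += [f"{k}: anonymous users can modify files"
                     for k in ANON_WRITE_OPTS if on(k)]
    return findings

# Constructed sample configurations.
SILENT_DEFAULT = "listen=YES\nlocal_enable=YES\n"  # never sets anonymous_enable
OPEN_UPLOAD = "anonymous_enable=YES\nwrite_enable=YES\nanon_upload_enable=YES\n"
HARDENED = "# anonymous access disabled\nanonymous_enable=NO\nlocal_enable=YES\n"

if __name__ == "__main__":
    for name, conf in [("silent default", SILENT_DEFAULT),
                       ("open upload", OPEN_UPLOAD), ("hardened", HARDENED)]:
        print(name, "->", audit(conf) or "no anonymous access")
```

The first sample shows the case that is easiest to miss: a file that never mentions `anonymous_enable` still permits anonymous login, because that is vsftpd's built-in default.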