Securing Protected Health Information: FBI Warning

Burns & Levinson LLP

HIPAA and HITECH are federal laws that require the protection and security of confidential, protected health information (PHI) and personally identifiable information that is not necessarily health related. The federal privacy and security requirements are familiar to the healthcare industry and its business associates that process, analyze and store PHI and other confidential information. Failure to protect PHI or other personally identifiable information adequately can subject healthcare providers, business associates and their subcontractors to significant federal penalties as well as liability under state law.

The FBI recently released a warning to private industry regarding the criminal targeting of File Transfer Protocol (FTP) servers operating in “anonymous” mode. FTP servers are vulnerable to cyberattack by criminals who seek to access PHI to intimidate, harass, and blackmail business owners. Criminals can use FTP servers in anonymous mode to steal data for schemes of identity theft or financial fraud, to store malicious tools or launch targeted cyberattacks. Medical and dental facilities are particularly susceptible, but every entity handling PHI should take note.

Often a default setting, anonymous mode enables a user to access the FTP server with a common username, either without using a password or by submitting a generic password or email address. According to research conducted by the University of Michigan, over 1 million FTP servers are configured to allow anonymous authentication.

The FBI recommends that medical and dental facilities check their networks for FTP servers running in anonymous mode and either disable anonymous authentication or otherwise ensure that legally protected information is not stored on the server.
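
One way to run the recommended check against a server's own configuration file, as an added example that is not from the FBI notice or the original article. It assumes the FTP daemon is vsftpd, whose built-in default for `anonymous_enable` is YES, so a missing directive is treated as enabled; the sample configurations are constructed.

```python
# Added example: audit vsftpd.conf text for anonymous FTP exposure.
# Assumption: the daemon is vsftpd; other FTP servers use different directives.

# vsftpd built-in defaults per vsftpd.conf(5): anonymous login is on unless disabled.
DEFAULTS = {
    "anonymous_enable": "YES",
    "no_anon_password": "NO",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
}
TRUE_VALUES = {"YES", "TRUE", "1"}

def parse_vsftpd_conf(text):
    """Return effective settings: defaults overridden by option=value lines."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank line, comment, or not a directive
        key, value = line.split("=", 1)
        if key in settings:
            settings[key] = "YES" if value.strip().upper() in TRUE_VALUES else "NO"
    return settings

def audit(text):
    """Return a list of findings; an empty list means anonymous access is off."""
    s = parse_vsftpd_conf(text)
    if s["anonymous_enable"] != "YES":
        return []
    findings = ["anonymous login enabled (ftp/anonymous accepted)"]
    if s["no_anon_password"] == "YES":
        findings.append("anonymous login does not prompt for a password")
    if s["write_enable"] == "YES" and s["anon_upload_enable"] == "YES":
        findings.append("anonymous users can upload files")
    if s["write_enable"] == "YES" and s["anon_mkdir_write_enable"] == "YES":
        findings.append("anonymous users can create directories")
    return findings

# Constructed sample configurations (not taken from any real server).
IMPLICIT_DEFAULT = "listen=YES\nlocal_enable=YES\n"  # directive absent
HARDENED = "listen=YES\nanonymous_enable=NO\nlocal_enable=YES\n"
WRITABLE = "anonymous_enable=YES\nwrite_enable=YES\nanon_upload_enable=YES\n"

if __name__ == "__main__":
    for name, conf in [("implicit default", IMPLICIT_DEFAULT),
                       ("hardened", HARDENED), ("writable", WRITABLE)]:
        print(name, "->", audit(conf) or "no anonymous access")
```

The first sample shows why a file that never mentions anonymous access still needs attention: the finding comes from the daemon's default, not from any line in the file.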

Business associates of covered entities with vulnerable servers should also take steps to limit their own exposure to legal liability. Business associate agreements should be reviewed to ensure that one party is not adversely affected by the other party’s inadequate security practices.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Burns & Levinson LLP | Attorney Advertising
