FTP: A convenient asset, or an unassuming enemy?
Recently, the FBI issued a data security warning to medical and dental organizations using insecure File Transfer Protocol (FTP) servers. The warning states that threat actors are targeting anonymous FTP servers to access protected health information (PHI) and personally identifiable information (PII).
FTP servers are essential for sharing files and data, but healthcare providers continue to utilize them in an insecure manner. Just last year, my team saw this in action within a large healthcare organization. They had internal devices using standard protocols like FTP and HTTP to transmit PHI and other sensitive data between departments, as well as externally to outside vendors—and all these communications were unsecured via an anonymous server.
What happens when FTP goes wrong?
In the case of the healthcare organization mentioned above, the data being transferred was supposed to be encrypted prior to uploading to their anonymous FTP site, and it wasn’t. Because anonymous servers don’t require credentials for access, this leaves all stored and in-transit data openly exposed.
Cyber criminals know that security and implementation flaws are common among anonymous FTP sites. When they find these flaws (typically from missing patches or misconfigurations), they exploit known vulnerabilities to see if they can gain access to other servers on the network. Unfortunately, a lack of proper network segmentation often results in a successful breach of sensitive data on other parts of the organization’s IT network.
Heed the data security warning and lock it down.
Don't let this data security warning fall on deaf ears. When it comes to health IT security—and any business’s IT security for that matter—defense in depth is incredibly important.