HIPAA and the HITECH are federal laws that require the protection and security of confidential, protected health information (PHI) and personally identifiable information that is not necessarily health related. The federal privacy and security requirements are familiar to the healthcare industry and its business associates which process, analyze and store PHI and other confidential information. Failure to protect PHI or other personally identifiable information adequately can subject healthcare providers, business associates and their subcontractors to significant federal penalties as well as liability under state law.

The FBI recently released a warning to private industry regarding the criminal targeting of File Transfer Protocol (FTP) servers operating in “anonymous” mode. FTP servers are vulnerable to cyber attack by criminals who seek to access PHI to intimidate, harass, and blackmail business owners. Criminals can use FTP servers in anonymous mode to steal data for schemes of identity theft or financial fraud, to store malicious tools or launch targeted cyber attacks.  Medical and dental facilities are particularly susceptible, but every entity handling PHI should take note.

Often a default setting, anonymous mode enables a user to access the FTP with a common username, either without using a password or by submitting a generic password or email address. According to research conducted by the University of Michigan, over 1 million FTP servers are configured to allow anonymous authentication.

The FBI recommends medical and dental facilities to check their networks for FTP servers running in anonymous mode and either disable anonymous authentication or otherwise ensure that legally protected information is not stored on the server.

Business associates of covered entities with vulnerable servers should also take steps to limit their own exposure to legal liability. Business associate agreements should be reviewed to insure that one party is not adversely affected by the other party’s inadequate security practices.