True Facts Tuesday - FBI FTP Warning

Fun Fact: Movie trailers were originally shown after the movie, which is why they were called “trailers”.

Not So Fun Fact: If you own a business, you're a target for hackers. 

I've discussed before how the size of a business doesn't matter - in fact it's arguable that smaller companies have become a more desirable target because they are generally easier targets. Yesterday the FBI issued a warning that hackers are targeting medical and dental offices using anonymous FTP servers. 

An FTP server is a server used to transfer files from one computer to the other. FTP is often used for healthcare practices to transfer patient data to their billing company. However it should never be placed on an FTP server with anonymous access. I would easily argue that there are MUCH BETTER ways of transferring this data these days.

The problem is that a lot of these processes have been in place for years and sometimes may not even be known. One possibility is that a practice has been through several IT companies and the information was not passed on. The processes of generating/collecting the files containing ePHI could be automated. Perhaps the practice has also changed billing companies and the new company has a different method of collecting data. Maybe no one realizes that the server/data is out there anymore. I have seen this... a lot!

The best way to verify any holes in your network is with annual penetration testing. This process would uncover any unsecured servers, services, or vulnerabilities that need to be addressed. This is a requirement for PCI compliance. There is nothing explicitly requiring it for HIPAA compliance but it is heavily recommended by the National Institute of Standards and Technology (NIST) to be included as part of the risk assessments required under the HIPAA Security rule.

If you house any ePHI or PII, and have never had a penetration test I would implore you to seek one. Even if you're not required to have it done as part of a regulation, it is a great security practice. As part of our undying attention to security we include an annual penetration test for every NeoCloud Consulting Gold managed services customer at no extra charge.

As always, if you have any questions about the FBI warning, penetration testing, or security in general please contact me!

Until next time!

--Jay

Jason Marrero