Cyber Criminals Target FTP Servers of Healthcare Providers


By: Agne Krutules

The FBI has issued an alert warning medical care providers that cybercriminals are actively targeting File Transfer Protocol (“FTP”) servers of medical facilities. FTP is a common, decades-old protocol for transferring files between network hosts; in its plain form it sends credentials and file contents in cleartext. The alert says that the attackers are connecting to FTP servers that accept “anonymous” logins and are using that access to try to reach protected health information (“PHI”) and personally identifiable information (“PII”) in order to harass, extort, and blackmail healthcare providers.

Although “white hat hackers” and academic researchers sometimes scan for the same misconfiguration in order to expose it and help organizations better protect themselves, these criminal “black hat hackers” are seeking to infiltrate medical providers’ servers in order to steal data, store malicious tools, and/or launch further cyberattacks from the compromised hosts.

In 2015, researchers at the University of Michigan published a study which found that more than one million FTP servers on the Internet were configured to allow anonymous access: anyone can log in with a generic username such as “anonymous” or “ftp” and either no password at all or an arbitrary string (by convention an e-mail address) in the password field. Cybercriminals now appear to be exploiting this misconfiguration by targeting medical providers whose FTP servers are set up in this manner. According to the FBI alert, “any misconfigured or unsecured server operating on a business network on which sensitive data is stored or processed exposes the business to data theft and compromise by cyber criminals who can use the data for criminal purposes such as blackmail, identity theft, or financial fraud.”

To guard against this threat, the FBI recommends that all businesses, and in particular medical and dental healthcare providers since they appear to be the focus of the recent attacks, have their IT staff check their networks for FTP servers that accept anonymous logins. If a server genuinely needs to accept anonymous connections, no PHI or PII should be stored on it. If protected information must be stored on the server, anonymous mode should be disabled at a minimum. Other safeguards include restricting access to known IP addresses (an allow list, or “white list”), encrypting data at rest and in transit (plain FTP sends credentials and file contents in cleartext, so use FTP over TLS or replace the service with SFTP), and monitoring all inbound and outbound requests and transfers in order to identify suspicious activity, such as unexpected anonymous logins or large transfers to unfamiliar addresses.
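The first step above, finding servers that still accept anonymous logins, is easy to automate. The following is an added example, not code from the FBI alert or from this article: a Python checker, using only the standard library, that connects to each host, tries the two conventional anonymous usernames (“anonymous” and “ftp”) with an e-mail-style password, and reports whether the server lets them in. So that it runs offline, it also includes a tiny mock FTP server (an assumption for demonstration purposes; it speaks only USER, PASS and QUIT) started in two configurations, one permitting and one refusing anonymous logins. The loopback addresses, ports and banner text are constructed for the example.

```python
"""Check FTP servers for anonymous login, using only the standard library."""
import ftplib
import socketserver
import threading

# Usernames that FTP servers conventionally treat as anonymous (RFC 1635).
ANON_USERS = ("anonymous", "ftp")
# Anonymous FTP conventionally takes an e-mail address as the "password".
ANON_PASS = "guest@example.com"  # constructed value for the example


def check_anonymous_login(host, port=21, timeout=5.0):
    """Try to log in anonymously; return a dict describing the outcome.

    A fresh connection is used for each username because some servers drop
    the session after a failed login.
    """
    result = {"host": host, "port": port, "anonymous": False,
              "user": None, "banner": None, "error": None}
    for user in ANON_USERS:
        ftp = ftplib.FTP(timeout=timeout)
        try:
            result["banner"] = ftp.connect(host, port)  # returns the 220 banner
        except OSError as exc:  # unreachable host, refused port, timeout
            result["error"] = str(exc)
            return result
        try:
            ftp.login(user, ANON_PASS)  # sends USER, then PASS
        except ftplib.error_perm as exc:  # 5xx reply: this username was refused
            result["error"] = str(exc)
            ftp.close()
            continue
        except ftplib.all_errors as exc:  # 4xx, EOF or socket error: give up
            result["error"] = str(exc)
            ftp.close()
            return result
        # The server answered 2xx to PASS: anonymous access is open.
        result.update(anonymous=True, user=user, error=None)
        try:
            ftp.quit()
        except ftplib.all_errors:
            ftp.close()
        return result
    return result


class MockFTPHandler(socketserver.StreamRequestHandler):
    """Mock server (assumption for the demo): just enough FTP to exercise the checker."""

    def handle(self):
        self.wfile.write(b"220 (mock ftpd)\r\n")
        user = None
        while True:
            line = self.rfile.readline()
            if not line:  # client closed the connection
                return
            cmd, _, arg = line.decode("ascii", "replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user = arg.lower()
                self.wfile.write(b"331 Please specify the password.\r\n")
            elif cmd == "PASS":
                if self.server.allow_anonymous and user in ANON_USERS:
                    self.wfile.write(b"230 Login successful.\r\n")
                else:
                    self.wfile.write(b"530 Login incorrect.\r\n")
            elif cmd == "QUIT":
                self.wfile.write(b"221 Goodbye.\r\n")
                return
            else:
                self.wfile.write(b"530 Please login with USER and PASS.\r\n")


class MockFTPServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, allow_anonymous):
        super().__init__(("127.0.0.1", 0), MockFTPHandler)  # port 0: OS picks one
        self.allow_anonymous = allow_anonymous


def start_mock_server(allow_anonymous):
    """Start a mock FTP server on an ephemeral loopback port and return it."""
    server = MockFTPServer(allow_anonymous)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    open_srv = start_mock_server(allow_anonymous=True)
    closed_srv = start_mock_server(allow_anonymous=False)
    for srv in (open_srv, closed_srv):
        host, port = srv.server_address
        r = check_anonymous_login(host, port, timeout=2.0)
        status = "ANONYMOUS LOGIN ALLOWED" if r["anonymous"] else "anonymous login refused"
        print(f"{host}:{port} {status} ({r['user'] or r['error']})")
    open_srv.shutdown()
    closed_srv.shutdown()
```

To use it on a real network, replace the mock servers with the addresses of your own FTP hosts, and check only systems you are authorized to test. Nmap’s `ftp-anon` NSE script performs the same check at scale. On vsftpd, anonymous logins are governed by the `anonymous_enable` directive in vsftpd.conf and should be set to NO wherever protected data is stored; a checker like this one then doubles as a regression test that the setting has not been reverted.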

For more information, please contact Agne Krutules at [email protected].