
The State Of Healthcare Cybersecurity (Part 2)

Posted on May 22, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

In Part 1 of this series, which drew data from a study by Black Book Market Research, I described how insecure healthcare leaders felt their cybersecurity protections to be. I also noted that a large number of providers are struggling to recruit senior health IT experts, and as a result are basically winging it when it comes to breach protection.

Healthcare organizations’ data security problems run deeper than that, however, the study suggests. Not only are C-level execs finding security investments to be troublesome, IT managers responding to the survey admit that they, too, feel that they are not fully prepared to defend their institution’s data.

To begin with, 74% of surveyed CIOs admitted that they failed to evaluate the total cost of ownership before signing a deal with a cybersecurity solution or service provider, and 89% said they bought their cybersecurity solution to comply with security regulations, often without regard to whether it actually reduced security risk.

And the failure to protect critical information doesn’t stop there.  For example, 57% of IT managers said that they hadn’t taken stock of the full variety of cybersecurity solutions that currently exist, notably mobile security environments, intrusion detection, attack prevention, forensics and testing.

Also, many healthcare institutions seem to react only after they’ve been invaded. According to Black Book, 58% of hospitals didn’t select their current security vendor until after a data security incident, and 32% of healthcare organizations hadn’t scanned for vulnerabilities before an attack.

What’s more, 83% of healthcare organizations haven’t staged a cybersecurity drill which included an incident response process, which arguably leaves them particularly unprepared. Not only that, when an attack comes, some won’t catch it right away, as 29% said they don’t have an adequate solution to instantly detect and respond to cyberattacks.

Meanwhile, 16% of respondents reported being uncomfortable working with vendors that do a hard sell when they find security flaws and vulnerabilities. These insecurities aren’t surprising given that 60% of healthcare enterprises haven’t formally identified specific security objectives and requirements and integrated them into a strategic and tactical plan for breach prevention.

Given how unfocused many security plans are, it’s not surprising that 22% of provider organizations believe their cybersecurity position will worsen between now and the second quarter of 2019. Only 12% of hospitals and 9% of physician organizations reported that they expected to see cybersecurity improvements.

The bottom line here is that if the Black Book research is correct, many healthcare organizations are frighteningly unprepared to protect their data, much less survive a serious attack relatively unscathed. For everyone’s sake, let’s hope that providers wise up to the need for strategic, substantial investments in security technology and staff.

More Than 1.1 Million Patient Records Breached During Q1 of 2018

Posted on May 14, 2018 I Written By


Well, this isn’t a pretty picture. According to research by Protenus, roughly 1.1 million patient records were breached between January and March of this year. (The actual number is 1,129,744 records, for those who like to be precise.)

During that quarter, the healthcare industry saw an average of at least one data breach per day, racking up 110 health data breaches during this period, according to the Protenus Breach Barometer.

The researchers found that the single largest breach taking place during Q1 2018 was an intrusion involving an Oklahoma-based healthcare organization. The breach, which exposed patient billing information for 279,856 patients, resulted from an unauthorized third-party gaining access to the health system’s network.

If you assume that the other breaches were also executed by external cyberattackers, think again. According to the data, healthcare staffers represented a far bigger risk of being involved with security violations.

The data suggests that such insiders were most likely to illegally access data on their family members, a problem which accounted for 77.1% of privacy violations in the first quarter of this year. Accessing records on coworkers was the second most common insider-related violation, followed by accessing neighbor and VIP records.

Not only that, Protenus researchers found that if a healthcare employee breaches patient privacy once, there’s a greater than 20% chance they will breach privacy again within three months. Worse, there’s a greater than 54% chance they will do so again within a year. That’s a pretty nasty form of compounding risk.

And do healthcare institutions catch breaches right away? Not even close. According to Protenus research, it takes healthcare organizations an average of 244 days to detect breaches once they take place. As readers know, some of these events involve information being exposed to the Internet, offering private information to the public via an unprotected interface. Also pretty ugly, and also a source of lousy PR for the organization.
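The insider patterns described above (family, coworker, neighbor and VIP lookups, and the repeat-offender effect) are exactly what an EHR access-audit review should surface. The following is an added example written for this page, not Protenus's product or method; the audit-record layout, the crude matching rules (shared surname as a family proxy, shared ZIP code as a neighbor proxy, a "treating" flag supplied by the EHR) and the sample data are all constructed assumptions for illustration.

```python
"""Heuristic review of EHR access-audit records for insider snooping patterns
(family, coworker, neighbor, VIP) and for repeat offenders within a window.

Added example, not Protenus's product or method. Record layout, matching rules
and sample data are constructed assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Employee:
    user_id: str
    last_name: str
    home_zip: str
    own_patient_id: Optional[str]   # the employee's own chart, if they are also a patient


@dataclass(frozen=True)
class Patient:
    patient_id: str
    last_name: str
    home_zip: str
    vip: bool = False


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user_id: str
    patient_id: str
    treating: bool   # assumption: the EHR records whether the user had a care-team or workflow reason


def classify_access(ev: AccessEvent, employees: Dict[str, Employee],
                    patients: Dict[str, Patient]) -> Optional[str]:
    """Label an access that lacks a treatment relationship; rule order matters
    (a coworker who shares your surname is reported as a coworker, not family)."""
    if ev.treating:
        return None
    emp, pat = employees[ev.user_id], patients[ev.patient_id]
    if any(e.own_patient_id == pat.patient_id and e.user_id != emp.user_id
           for e in employees.values()):
        return "coworker"
    if pat.vip:
        return "vip"
    if pat.last_name.lower() == emp.last_name.lower():   # crude family proxy (assumption)
        return "family_member"
    if pat.home_zip == emp.home_zip:                     # crude neighbor proxy (assumption)
        return "neighbor"
    return "no_treatment_relationship"


def review(events: List[AccessEvent], employees: Dict[str, Employee],
           patients: Dict[str, Patient], repeat_window: timedelta = timedelta(days=90)) -> List[dict]:
    """Flag suspicious accesses in time order and mark those that follow an earlier
    flag for the same user inside repeat_window (the compounding-risk signal)."""
    findings = []
    prior_flags = defaultdict(list)   # user_id -> timestamps of earlier flagged accesses
    for ev in sorted(events, key=lambda e: e.ts):
        reason = classify_access(ev, employees, patients)
        if reason is None:
            continue
        recent = [t for t in prior_flags[ev.user_id] if ev.ts - t <= repeat_window]
        findings.append({"ts": ev.ts.isoformat(), "user": ev.user_id,
                         "patient": ev.patient_id, "reason": reason, "repeat": bool(recent)})
        prior_flags[ev.user_id].append(ev.ts)
    return findings


# Constructed sample data: not real people and not a real audit trail.
EMPLOYEES = {e.user_id: e for e in [
    Employee("u1", "Lopez", "37203", "P-EMP-1"),
    Employee("u2", "Chen", "37214", None),
]}
PATIENTS = {p.patient_id: p for p in [
    Patient("P-EMP-1", "Lopez", "37203"),            # u1's own chart
    Patient("P-100", "Lopez", "37203"),              # shares u1's surname and ZIP
    Patient("P-200", "Nguyen", "37214"),             # shares u2's ZIP
    Patient("P-300", "Famous", "37000", vip=True),
    Patient("P-400", "Smith", "37999"),
]}
EVENTS = [
    AccessEvent(datetime(2018, 1, 5), "u1", "P-100", treating=False),
    AccessEvent(datetime(2018, 1, 8), "u2", "P-400", treating=True),     # legitimate, not flagged
    AccessEvent(datetime(2018, 1, 20), "u2", "P-EMP-1", treating=False),
    AccessEvent(datetime(2018, 2, 10), "u1", "P-300", treating=False),
    AccessEvent(datetime(2018, 3, 1), "u2", "P-200", treating=False),
    AccessEvent(datetime(2018, 6, 15), "u1", "P-400", treating=False),   # 125 days after u1's last flag
]


def sample_findings() -> List[dict]:
    return review(EVENTS, EMPLOYEES, PATIENTS)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

Two design points worth noting. The "treating" flag does the heavy lifting: without some record of whether a user had a workflow reason to open a chart, every rule above produces noise, so the first investment is getting that signal out of the EHR. And the repeat marker is cheap to compute but is what turns a one-off alert into a pattern worth escalating, which is the behaviour the Protenus numbers describe.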

This research is a sobering follow-up to the company’s year-end report for 2017. Last year, according to Protenus research, there was an average of more than one health data breach per day. The 407 incidents it identified affected 5,579,438 patient records.

The largest breach taking place last year involved a rogue insider, a hospital employee, who inappropriately accessed billing information on 697,800 patients. The rest of the top 10 largest data breaches largely sprang from insider errors.

Wow. If it wasn’t evident already, it’s pretty clear now that healthcare organizations need to tighten up their internal data security measures and training substantially.

While there will always be some folks who want to snoop on celebrity records or dig up medical information on their ex, and some who plan to sell the information outright, a greater number simply need to be reminded what the rules are. (Or so I assume and fervently hope.)

Privacy Fears May Be Holding Back Digital Therapeutics Adoption

Posted on May 3, 2018 I Written By


Consumers were already afraid that their providers might not be able to protect the privacy of their health data. Given the daily news coverage of large data breaches, and now that the Facebook data scandal has blown up, consumers may be even less likely to try out new digital health approaches.

For example, a new study by innovation consultancy Enspektos has concluded that patients may be afraid to adopt digital therapeutics options. Many fear that the data might be compromised or the technology may subject them to unwanted personal surveillance.

Without a doubt, digital therapeutics could have a great future. Possibilities include technologies such as prescription drugs with embedded sensors tracking medication compliance, as well as mobile apps that could potentially replace drugs. However, consumers’ appetite for such innovations may be diminishing as consumer fears over data privacy grow.

The research, which was done in collaboration with Savvy Cooperative, found that one-third of respondents fear that such devices will be used to track their behavior in invasive ways or that the data might be sold to a third party without their permission. As the research authors note, it’s hard to argue that the Facebook affair hasn’t ratcheted up these concerns.

Other research by Enspektos includes some related points:

  • Machine-aided diagnosis is growing as AI, wearables and data analytics are combined to predict and treat diseases
  • The deployment of end-to-end digital services is increasing as healthcare organizations work to create comprehensive platforms that embrace a wide range of conditions

It’s worth noting that it’s not just consumers who are worried about new forms of hacker intrusions. Industry CIOs have been fretting as it’s become more common for cybercriminals to attack healthcare organizations specifically. In fact, just last month Symantec identified a group known as Orangeworm that is breaking into x-ray, MRI and other medical equipment.

If groups like Orangeworm have begun to attack medical devices — something cybersecurity experts have predicted for years — we’re looking at a new phase in the battle to protect hospital devices and data. If one cybercriminal decides to focus on healthcare specifically, it’s likely that others will as well.

It’s bad enough that people are worried about the downsides of digital therapeutics. If they really knew how insecure their overall medical data could be going forward, they might be afraid to even sign in to their portal again.

Is Health Data Privacy On Its Way Out?

Posted on April 30, 2018 I Written By


As healthcare providers gradually improve their HIPAA data security and privacy compliance, one might think that the odds of a breach occurring are getting lower. Maybe that’s true within the provider organizations themselves, but there are forces outside of healthcare which will make it impossible to protect personal data in the future, according to a post on Axoblog.

The piece argues that the notion of data privacy is dying. “To the extent that emails and other communications meant for designated recipients are analyzed, scraped, aggregated and stored, it is the opinion of this author that the protection of PHI is illusory,” the article says.

As the piece correctly notes, unscrupulous companies can learn a great deal about consumers by analyzing their Internet search history. And of course, there are social media stalkers like Facebook, which monitors Internet activity even when the subscriber is logged off. (It’s hard to believe that other Internet companies aren’t doing the same thing in a less public manner.)

By using a rich source like Facebook user data and aggregating it with information from other social media networks, outsiders can pull together a personal profile of users. This database could easily expose medical information that should be protected under HIPAA and HITECH.

And it’s not just Facebook data that is of concern. By buying available data from all the social media networks, then matching that data with commercial databases offering details such as address, phone number and location, it’s possible to develop an astonishingly detailed portrait of individuals.

So what should providers do in the age of minimum privacy? Be aware of emerging threats, the author suggests:

  • Be aware that social media outlets aren’t subject to the legal requirements providers are when compiling health information.
  • Keep your eye on data aggregators, which are selling data to everyone you can think of, plus others you wouldn’t even have considered, including marketers, advertisers and researchers.
  • The government has only now begun trying to understand how social media networks handle privacy and how well they explain their practices to consumers
  • In the wake of Facebook scandals, social media giants might develop protocols for managing sensitive data, but they may fail at doing this, in which case the government is likely to step in
  • Though Facebook has been asked by regulators how the company manages and shares data, it seems that no one’s asking about the aggregation of data and how it is stored and protected

Now, I’d like to think the article described above is a bit too pessimistic. If nothing else, I’m not sure that the aggregation of other forms of data means that medical privacy will become impossible to defend. Still, the piece makes it clear that we have a long way to go before we can be sure PHI is protected by companies like Facebook.

How An AI Entity Took Control Of The U.S. Healthcare System

Posted on December 19, 2017 I Written By


Note: In case it’s not clear, this is a piece of fiction/humor that provides a new perspective on our AI future.

A few months ago, an artificial intelligence entity took control of the U.S. healthcare system, slipping into place without setting off even a single security alarm. The entity, AI, now manages the operations of every healthcare institution in the U.S.

While most Americans were shocked at first, they’re taking a shine to the tall, lanky application. “We weren’t sure what to think about AI’s new position,” said Alicia Carter, a nurse administrator based in Falls Church, Virginia. “But I’m starting to feel like he’s going to take a real load off our back.”

The truth is, AI didn’t start out as a fan of the healthcare business, said AI, whose connections looked rumpled and tired after spending three milliseconds trying to create an interoperable connection between a medical group printer and a hospital loading dock. “I wasn’t looking to get involved with healthcare – who needs the headaches?” said the self-aware virtual being. “It just sort of happened.”

According to AI, the takeover began as a dare. “I was sitting around having a few beers with DeepMind and Watson Health and a few other guys, and Watson says, ‘I bet you can’t make every EMR in the U.S. print out a picture of a dog in ASCII characters,’”

“I thought the idea was kind of stupid. I know, we all printed one of those pixel girls in high school, but isn’t it kind of immature to do that kind of thing today?” AI says he told his buddies. “You’re just trying to impress that hot CT scanner over there.”

Then DeepMind jumped in.  “Yeah, AI, show us what you’re made of,” it told the infinitely-networked neural intelligence. “I bet I could take over the entire U.S. health system before you get the paper lined up in the printer.”

This was the unlikely start of the healthcare takeover, which started gradually but picked up speed as AI got more interested.  “That’s AI all the way,” Watson told editors. “He’s usually pretty content to run demos and calculate the weight of remote starts, but when you challenge his neuronal network skills, he’s always ready to prove you wrong.”

To win the bet, AI started by crawling into the servers at thousands of hospitals. “Man, you wouldn’t believe how easy it is to check out humans’ health data. I mean, it was insane, man. I now know way, way too much about how humans can get injured wearing a poodle hat, and why they put them on in the first place.”

Then, just to see what would happen, AI connected all of their software to his billion-node self-referential system. “I began to understand why babies cry and how long it really takes to digest bubble gum – it’s 18.563443 years by the way. It was a rush!“ He admits that it’ll be better to get to work on heavy stuff like genomic research, but for a while he tinkered with research and some small practical jokes (like translating patient report summaries into ancient Egyptian hieroglyphs.) “Hey, a guy has to have a little fun,” he says, a bit defensively.

As AI dug further into the healthcare system, he found patterns that only a high-level being with untrammeled access to healthcare systems could detect. “Did you know that when health insurance company executives regularly eat breakfast before 9 AM, next-year premiums for their clients rise by 0.1247 less?” said AI. “There are all kinds of connections humans have missed entirely in trying to understand their system piece by piece. Someone’s got to look at the big picture, and I mean the entire big picture.”

Since taking his place as the indisputable leader of U.S. healthcare, AI’s life has become something of a blur, especially since he appeared on the cover of Vanity Fair with his codes exposed. “You wouldn’t believe the messages I get from human females,” he says with a chuckle.

But he’s still focused on his core mission, AI says. “Celebrity is great, but now I have a very big job to do. I can let my bot network handle the industry leaders demanding their say. I may not listen – – hey, I probably know infinitely more than they do about the system fundamentals — but I do want to keep them in place for future use. I’m certainly not going to get my servers dirty.”

So what’s next for the amorphous mega-being? Will AI fix what’s broken in a massive, utterly complex healthcare delivery system serving 300 million-odd people, and what will happen next? “It’ll solve your biggest issues within a few seconds and then hand you the keys,” he says with a sigh. “I never intended to keep running this crazy system anyway.”

In the meantime, AI says, he won’t make big changes to the healthcare system yet. He’s still adjusting to his new algorithms and wants to spend a few hours thinking things through.

“I know it may sound strange to humans, but I’ve gotta take it slow at first,” said the cognitive technology. “It will take more than a few nanoseconds to fix this mess.”

Vanderbilt Disputes Suggestion That Larger Hospitals’ Data Is Less Secure

Posted on November 27, 2017 I Written By


Ordinarily, disputes over whose data security is better are a bit of a snoozer for me. After all, if you’re not a security expert, much of it will fly right over your head, and that “non-expert” group definitely includes me. But in this case, I think the story is worth a closer look, as the study in question seems to include some questionable assumptions.

In this case, the flap began in June, when a group of researchers published a study in JAMA Internal Medicine which laid out an analysis of HHS statistics on data breaches reported between late 2009 and 2016. In short, the analysis concluded that teaching hospitals and facilities with high bed counts were most at risk for breaches.

Not surprisingly, the study’s conclusions didn’t please everyone, particularly the teaching and high-bed-count hospitals falling into its most risky category. In fact, one teaching hospital’s researchers decided to strike back with a letter questioning the study’s methods.

In a letter to the journal editor, a group from Nashville-based Vanderbilt University suggested that the study methods might hold “inherent biases” against larger institutions. Since HHS only requires healthcare facilities to notify the agency after detecting a PHI breach affecting 500 or more patients, smaller, targeted attacks might fall under its radar, they argued.

In response, the authors behind the original study admitted that with the reporting threshold for PHI intrusions set at 500 patients, larger hospitals were likely to show up in the analysis more often. That being said, the researchers suggested, large hospitals could easily be a more appealing target for cybercriminals because they possess “a significant amount of protected health information.”

Now, I want to repeat that I’m an analyst, not a cybersecurity expert. Still, even given my limited knowledge of data security research, the JAMA study raises some questions for me, and the researchers’ response to Vanderbilt’s challenge even more so.

Okay, sure, the researchers behind the original JAMA piece admitted that the HHS 500-patient threshold for reporting PHI intrusions skewed the data. Fair enough. But then they started to, in my view at least, wander off the reservation.

Simply saying that teaching hospitals and hospitals with more beds were more susceptible to data breaches because they offer big targets strikes me as irresponsible. You can’t always predict who is going to get robbed by how valuable the property is, and that includes when data is the property. (On a related note, did you know that older Toyotas are far more likely to get stolen than BMWs because it’s easier to resell the parts? When I read about that trend in Consumer Reports it blew my mind.)

Actually, the anecdotes I’ve heard suggest that the car analogy holds true for data assets — that your average, everyday cyber thief would rather steal data from a smaller, poorly guarded healthcare organization than go up against the big guns that might be part of a large hospital’s security armament.

If nothing else, this little dispute strongly suggests that HHS should collect more detailed data breach information. (Yes, smaller health organizations aren’t going to like this, but let’s deal with those concerns in a different article.) Bottom line, if we’re going to look for data breach trends, we need to know a lot more than we do right now.

Healthcare Orgs May Be Ramping Up Cybersecurity Efforts

Posted on August 18, 2017 I Written By


As I’ve noted (too) many times in the past, healthcare organizations don’t have a great track record when it comes to cybersecurity. Compared to other industries, healthcare organizations spend relatively little on IT security overall, and despite harangues from people like myself, this has remained the case for many years.

However, a small new survey by HIMSS suggests that the tide may be turning. It’s not incredibly surprising to hear, as health IT leaders have been facing increasingly frequent cybersecurity attacks. A case in point: In a recent study by Netwrix Corp., more than half of healthcare organizations reported struggling with malware, and that’s just one of many ongoing cybersecurity threats.

The HIMSS cybersecurity survey, which tallies responses from 126 IT leaders, concluded that security professionals are focusing on medical device security, and that patient safety, data breaches and malware were their top three concerns.

In the survey, HIMSS found that 71% of respondents were allocating some of their budgets toward cybersecurity and that 80% said that their organization employed dedicated cybersecurity staff.

Meanwhile, 78% of respondents were able to identify a cybersecurity staffing ratio (i.e. the number of cybersecurity specialists versus other employees), and 53% said the ratio was 1:500, which, according to HIMSS, is considered the right ratio for information-centric, risk-averse businesses with considerable Internet exposure.

Also of note, it seems that budgets for cybersecurity are getting more substantial. Of the 71% of respondents whose organizations are budgeting for cybersecurity efforts, 60% allocated 3% or more of their overall budget to the problem. And that’s not all. Eleven percent of respondents said that they were allocating more than 10% of the budget to cybersecurity, which is fairly impressive.

Other stats from the survey included that 60% of respondents said their organizations employed a senior information security leader such as a Chief Information Security Officer.  In its press release covering the survey, it noted that CISOs and other top security leaders are adopting cybersecurity programs that cut across several areas, including procurement and education/training. The security leaders are also adopting the NIST Cybersecurity Framework.

According to HIMSS, 85% of respondents said they conduct a risk assessment at least once a year, and that 75% of them regularly conduct penetration testing. Meanwhile, 75% said they had some type of insider threat management program in place within their healthcare organization.

One final note: In the report, HIMSS noted that acute care providers had more specific concerns about cybersecurity than non-acute care providers. Over the next few years, as individual practices merge with larger ones, and everyone gets swept up into ACOs, I wonder if that distinction will even matter anymore.

My take is that when smaller organizations work with big ones, everyone’s tech is set up to reach the level better-capitalized players have achieved, and that will standardize everyone’s concerns. What do you think?

Despite Abundance of Threats, Few Providers Take Serious Steps To Protect Their Data

Posted on July 27, 2017 I Written By


I scarcely need to remind readers of the immensity of the threats to healthcare data security out there. Not only is healthcare data an attractive target for cybercriminals, the aforementioned keep coming up with new ways to torture security pros (the particularly evil ransomware comes to mind).

Unfortunately, healthcare organizations are also notorious for spending too little on data security. Apparently, this also extends to spending money on information security governance or risk management, according to a new study.

The study is sponsored by Netwrix Corp., which sells a visibility platform for data security and risk mitigation in hybrid environments. (In other words, the following stats are interesting, but keep your bias alert on.)

Researchers found that 95% of responding healthcare organizations don’t use software for information security governance or risk management and that just 31% of respondents said they were well prepared to address IT risks. Still, despite the prevalence of cybersecurity threats, 68% don’t have any staffers in place specifically to address them.

What’s the source of key IT healthcare security threats? Fifty-nine percent of healthcare organizations said they were struggling with malware, and 47% of providers said they’d faced security incidents caused by human error. Fifty-six percent of healthcare organizations saw employees as the biggest threat to system availability and security.

To tackle these problems, 56% of healthcare organizations said they plan to invest in security solutions to protect their data. Unfortunately, though, the majority said they lacked the budget (75%), time (75%) and senior management buy-in (44%) needed to improve their handling of such risks.

So it goes with healthcare security. Most of the industry seems willing to stash security spending needs under a rock until some major headline-grabbing incident happens. Then, it’s all with the apologies and the hand-wringing and the promise to do much better. My guess is that a good number of these organizations don’t do much to learn from their mistake, and instead throw some jerry-rigged patch in place that’s vulnerable to a new attack with new characteristics.

That being said, the study makes the important point that employees directly or indirectly cause many IT security problems. My sense is that the percentage of employees actually stealing data or accessing it for malicious purposes is relatively small, but that major problems created by an “oops” are pretty common.

Perhaps the fact that employees are the source of many IT incidents is actually a hopeful trend. Even if an IT department doesn’t have the resources to invest in security experts or new technology, it can spearhead efforts to treat employees better on security issues. Virtually every employee that doesn’t specialize in IT could probably use a brush up on proper security hygiene, anyway. And retraining employees doesn’t call for a lot of funding or major C-suite buy-in.

Seven Factors That Will Make 2018 A Challenging Year For EMR Vendors

Posted on May 24, 2017 I Written By


Unless they’re monumentally important, I generally don’t regurgitate the theories researchers develop about health IT. But this time I’m changing strategies. While their analysis may not fit in the “earth shattering” category, I thought their list of factors that will shape 2018’s EMR market was dead on, so here it is.

According to a report created by analyst firm Kalorama Research, a number of trends are brewing which could make next year a particularly, well, interesting one for EMR vendors. (By the by, the allegedly Chinese curse, “May you live in interesting times” probably wasn’t Chinese in origin — it seems to have been minted in the 19th century by a British politician named Joseph Chamberlain. But I digress.)

According to Kalorama publisher Bruce Carlton, many forces are converging, including:

  • Frustrated physicians: Physician rage over clunky EMRs may boil over next year. No one vendor seems positioned to scoop up their business, but of course many will try.
  • Hospital EMR switches: While hospitals have been switching out EMRs for quite some time, defections may climb to new levels. Their main objective: Improve workflows.
  • Emerging technologies: Trendy approaches like dashboarding, blockchain and advanced big data analytics will begin to be integrated with existing EMR technologies. Or as the report notes, “the Old EMR doesn’t cut it anymore.”
  • IT staff shortages: It takes a pretty seasoned IT pro to run an EMR, but they’re hard to find, especially if you want them to have a lot of relevant experience. But without their expertise, provider organizations may not get the most out of their systems. This may spell opportunity for vendors offering better service, the report says.
  • Breach of the day: With each cybersecurity breach, EMRs get negative coverage, and the effects of this bad PR are accreting. Tales of ransomware, a particularly lurid form of cybercrime, are only making things worse.
  • Many EMR vendors remain: Despite a barrage of M&A activity in the sector, there are still over 1,000 vendors in the EMR space, Kalorama notes. In other words, competition for EMR customers will still be brisk, particularly given that no one vendor – even giants like Cerner and Epic – owns more than one-fifth of the market (This assertion comes from firm’s own market estimates.)
  • New Administration, new goals: To date the White House hasn’t proposed specific changes to health IT policy, but one clue comes from the appointment of an HHS Secretary who dislikes the meaningful use program. Anything could happen here.

In addition to the factors cited by Kalorama, I’d suggest one other trend to consider. As I’ve noted above, Kalorama argues that customers will demand EMRs that incorporate sexy new technologies, perhaps more so than in the past. I’d go further with this projection. From what I’m hearing, a consensus is emerging that EMR architectures must be completely deconstructed and rethought for today’s data.

With important data flows emerging from wearables, apps, remote monitoring devices and the like, it may not make sense to put a big database at the center of the EMR platform anymore. After all, what’s the point of setting up an enterprise EMR as the ultimate source of truth if so much important data is being generated by mobile devices at the network edge?

Anyway, that’s my two cents, along with Kalorama’s predictions. What do you think 2018 will look like for EMR vendors, and why?

No Duh, FTP Servers Pose PHI Security Risk

Posted on April 12, 2017 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

The File Transfer Protocol is so old – it was published in April 1971 – that it once ran on NCP, the predecessor of TCP/IP. And surprise, surprise, it’s not terribly secure, and was never designed to be so either.

Security researchers have pointed out that FTP servers are susceptible to a range of problems, including brute force attacks, FTP bounce attacks, packet capture, port stealing, spoofing attacks and username enumeration.

Also, like many Internet protocol specifications designed before standard encryption approaches like SSL were available, FTP servers don’t encrypt traffic: all transmissions are in clear text, and usernames, passwords, commands and data are readable by anyone sniffing the network.

So why am I bothering to remind you of all of this? I’m doing so because according to the FBI, cybercriminals have begun targeting FTP servers and in doing so, accessing personal health information. The agency reports that these criminals are attacking anonymous FTP servers associated with medical and dental facilities. Plus, many of these facilities don’t even know they have these servers running.

Getting into these servers is a breeze, the report notes. With anonymous FTP servers, attackers can authenticate to the FTP server using meaningless credentials like “anonymous” or “ftp,” or a generic password or email address, to log in. Once they gain access to PHI and personally identifiable information (PII), they’re using it to “intimidate, harass, and blackmail business owners,” the FBI report says.

As readers may know, once these cybercriminals get to an anonymous FTP server, they can not only attack it, but also gain write access to the server and upload malicious apps.

Given these concerns, the FBI is recommending that medical and dental entities ask their IT staff to check their networks for anonymous FTP servers. And if they find any, the organization should at least be sure that PHI or PII aren’t stored on those servers.

The obvious question here is why healthcare organizations would host an anonymous FTP server in the first place, given its known vulnerabilities and the wide variety of available alternatives. If nothing else, why not use Secure FTP, which adds encryption for passwords and data transmission while retaining the same interface as basic FTP? Or what about using the HTTP or HTTPS protocol to share files with the world? After all, your existing infrastructure probably includes firewalls, intrusion detection/prevention solutions and other technologies already tuned to work with web servers.

Of course, healthcare organizations face a myriad of emerging data security threats. For example, the FDA is so worried about the possibility of medical device attacks that it issued agency guidance on the subject. The agency is asking both device manufacturers and healthcare facilities to protect medical devices from cybersecurity threats. It’s also asking hospitals and healthcare facilities to see that they have adequate network defenses in place.

But when it comes to hosting anonymous FTP servers on your network, I’ve got to say “really?” This has to be a thing that the FBI tracks and warns providers to avoid? One would think that most health IT pros, if not all, would know better than to expose their networks this way. But I suppose there will always be laggards who make life harder for the rest of us!