Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

Cybersecurity Lapses Might Be Killing Patients

Posted on April 4, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Nobody would argue that data breaches are good for patients. After all, health data management is challenging enough without having to deal with outside attacks. But could they actually be killing patients? One researcher argues that this is indeed happening.

According to research by Dr. Sung Choi of Vanderbilt University’s Owen Graduate School of Management, hospital data breaches are linked to more than 2,100 patient deaths per year.

One key reason for this phenomenon is that data breaches create distractions for doctors which can extend far beyond the actual incident. This seems to be associated with an increase in patient mortality rates, he said. He also noted that it can be costly for hospitals to address images created by the data breach, which may divert resources better spent in patient care.

What’s more, breaches trigger a whirlwind of administrative activities, including remediation efforts, regulatory increase in litigation in the years that follow. This presents yet another distraction from focusing on care delivery.

To conduct his analysis, Dr. Choi used data from CMS and HHS, comparing patient care data at hospitals that have and have not experienced a data breach. He found that there were 305 hospital breaches between 2012 and 2016, exposing 14 million records.

One of the metrics Dr. Choi reviewed was the proportion of who died within 30 days of being heart attack patients who die within 30 days after being admitted to hospital. He found that this rate increased by 0.23% with one year after the breach, and by 0.36% two years after the breach. This adds up to an additional 2,160 additional patient deaths each year, he said.

What’s more, hospitals that experienced a health data breach took far longer to administer an ECG to newly-admitted patients, the data analysis concluded.

It’s worth noting that this phenomenon is not well documented as of yet. While data breaches are clearly correlated with some additional patient deaths, Dr. Choi seems to concede that he hasn’t found a direct causal relationship between breaches and mortality across the board.

Still, it stands to reason that cybersecurity problems would have some impact on patient care quality. Now that we’re armed with this data, we have even more compelling reasons to avoid breaches. Let’s hope that the hospital industry’s track record on health data security improves in the near future.

Cybersecurity Report Card:  Better Performance, But Not Great

Posted on March 29, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

A new research report from HIMSS has concluded that while healthcare organizations are improving their cybersecurity programs, there’s still a number of things they could do better.

The study drew on responses from 239 health information security professionals. Their responses were gathered from December 2017 to January 2018. While respondents came from a number of settings, the largest number (31.5%) were with hospitals, multi-hospital systems or integrated delivery networks.

One key point made by the study was that significant security incidents are projected to continue to grow in number, complexity and impact. That’s reflected by responses from survey participants, 75.7% of whom said that their organizations experienced a significant security incident in the past 12 months.

The top threat actors attacking these organizations included online scam artists deploying phishing and spear phishing attacks (37.6%), followed by negligent insiders (20.8 %) or hackers (20.1%). In many cases, the initial point of security compromise was by email. Time it took to discover the incident included less than 24 hours (47.1%), one to two days (13.2%) and 3 to 7 days (7.4%).

Despite these risks, and the effort required to protect their data, healthcare organizations with cybersecurity programs are improving their performance. They’re devoting more resources to those programs (55.8% of current IT budgets), responding to problems identified by regular risk assessments (with 83.1% adopting new and improved security measures in the wake of those assessments) and regularly conducting penetration testing and security awareness training.

On the other hand, HIMSS found that most healthcare organizations, cybersecurity programs still need improvement. For example, staffers face major obstacles in remediating and mitigating security incidents, particularly having too few cybersecurity personnel on board and a lack of financial resources. HIMSS also noted that educating and testing “human components” for security vulnerabilities is critical, but may not be included in many efforts.

In some cases, organizations don’t have formal insider threat management programs. While many respondents (44.9%) said they do have insider threat management programs and policies in place, another 27% said those programs were informal. And 24.2% said their organization had no insider threat management program at all.

In addition, risk assessments vary widely across the industry. Popular sources used to gather cyber threat intelligence include US CERT alerts and bulletins (60%) and HIMSS resources (53.8%), but many others are used as well.

The net of all of this seems to be that while healthcare organizations have gotten smarter where cybersecurity is concerned, they need to invest more in specialized personnel, improve staff training, remediation and risk assessments and stay alert. As the number of attacks continues to grow, nothing else will get the job done.

CES Really Scared Me. Will HIMSS Make Me Feel Any Better?

Posted on February 22, 2018 I Written By

Mike Semel is a noted thought leader, speaker, blogger, and best-selling author of HOW TO AVOID HIPAA HEADACHES . He is the President and Chief Security Officer of Semel Consulting, focused on HIPAA and other compliance requirements; cyber security; and Business Continuity planning. Mike is a Certified Business Continuity Professional through the Disaster Recovery Institute, a Certified HIPAA Professional, Certified Security Compliance Specialist, and Certified Health IT Specialist. He has owned or managed technology companies for over 30 years; served as Chief Information Officer (CIO) for a hospital and a K-12 school district; and managed operations at an online backup company.

Are Consumer Health Care Products Accurate & Safe Enough for Your Healthcare?

At CES, the monstrous electronics show, I saw lots of consumer devices advertised for personal fitness and healthcare. There was even a Digital Health Summit, with a wide range of industry experts.

Some companies were promoting their ability to send data to healthcare providers. That’s scary, since there are no standards governing many of these devices.

A clear message from CES is that the divisions between ‘technology’ and ‘devices’ are diminishing. Alexa, Google Home, and Siri, won’t be tied to stand-alone devices for long. They will be integrated into a wide range of consumer products across a home network, your car, portable devices, and the Internet. It’s not a big leap of the imagination to think that you will be telling Alexa, in your refrigerator, to reset the alarm clock in your bedroom, for an early meeting. And that Alexa will be telling you that you gained a pound, and send that data to your doctor.

Considering the recent news about Amazon getting into healthcare, with Warren Buffet and JP Morgan, it’s logical to think that Amazon will be delivering our healthcare along with our packages. Will you get a colonoscopy notification from Amazon because someone orders a 50th birthday card for you? (Will they only use lubricant if you have Prime? Ok, that might have been a little harsh.)

Loud and clear from CES is the consumerization of healthcare, and it’s scary.

Will data from your consumer products be accurate enough for a health care provider to form a professional opinion?

Will your devices be safe from hacking and interference?

Who will be liable if something bad happens to you because your data wasn’t accurate, or was delayed in transmission?

Should there be a government or industry-based organization setting standards and certifying devices?

ACCURACY

Valencell makes biometric sensor chips for companies to use in their consumer products. They displayed stylish brand-name smart watches that imbed their biometric-sensor chips.

Valencell’s President, Steven LeBoeuf, said that there are no standards for consumer heart monitors. His chips are voluntarily lab-tested and certified for accuracy. He said that some of their competitors’ products can confuse a person’s steps, as they are walking or running, as a heartbeat.

While that might not matter too much to a person casually checking their own vitals, what will happen if incorrect data is sent upstream to your healthcare provider?

This diagram, produced by iHealth, a company that makes ‘consumer-friendly, mobile personal healthcare products that connect to the cloud’, clearly shows their expectation that your data will be communicated to hospitals.

iHealth aptly describes this as a Systematic Framework. Think about how many vendors will be involved in the system. Device manufacturers, chip manufacturers, software designers, programmers, computer companies, communication networks, Internet service providers, cloud services, and more, all before data gets to the hospital.

What if there is a failure? What happens to you if your healthcare is depending on a consumer device? Who is responsible for the security and accuracy of the data through the system? Wanna bet that everyone will be pointing their finger at someone else?

SAFETY

What will protect you from your devices? There are an increasing numbers of stories of consumer products and autonomous cars – the Internet of Things (IoT) – being hacked.

In August, 2017, the FDA issued a warning that a pacemaker was vulnerable to hackers who could remotely kill the battery or modify the performance of the pacemaker. Killing the battery could kill the patient. Remember that this recall occurred because a pacemaker is a medical device governed by the FDA, which doesn’t govern consumer healthcare products.

The Equifax breach, the Spectre and Meltdown flaws in computer microchips, and hackers hijacking baby monitors and surveillance cameras, all show the importance of being able to apply software and firmware patches and updates.

It took a long time for the government to require car companies to recall vehicles for safety problems. How many people will be hurt, or die, before consumer health care products get regulated?

LIABILITY

At CES, AIG Insurance presented this graphic of survey results showing who is liable for a driverless vehicle crash.

Imagine personal injury attorneys salivating over consumer health care product failures. Imagine new types of insurance coverage – or new types of policy exceptions – related to managing healthcare based on consumer product data.

STANDARDS & REGULATIONS

What’s the difference between a medical device and a consumer health care product? What defines a heart monitor? How accurate is a scale? How will a consumer health care product receive security patches? How will consumers be notified their health care products aren’t safe?

Do we want the federal government involved? In 1966, the National Traffic and Motor Vehicle Safety Act required auto manufacturers to notify the government and consumers of safety defects, and recall vehicles. Could our dysfunctional Congress ever agree on a plan to regulate consumer health care products?

What about the industry policing itself? At his annual briefing at CES, electronics industry veteran Shelly Palmer made his case for a Self-Regulatory Organization (SRO) to create and enforce standards to protect consumers from risks associated with the Internet of Things.

The model for this could be PCI-DSS, the Payment Card Industry Data Security Standards, that govern organizations that accept and process credit cards. This standard is self-regulated by a council founded by the credit card companies, and is not overseen by federal or state agencies. It covers credit card processing from end-to-end, from certifying the swipe device on the store’s counter all the way through the merchant processors and banks.

According to its website, the council “provides critical tools needed for implementation of the standards such as assessment and scanning qualifications, self-assessment questionnaires, training and education, and product certification programs.

If you are a healthcare professional, isn’t this the level of integrity and security you want for consumer products sending patient data to you?

Who would take on the responsibility, not to mention the liability, of policing consumer products sending data to healthcare organizations? The Consumer Technology Association (CTA), or the Health Information Management Systems Society (HIMSS)?

Will it take a disaster for us to find out?

Maybe I will find some answers at the HIMSS health IT conference. I sure hope so.

Nearly 6 Million Patient Records Breached In 2017

Posted on February 1, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Just how bad a year was 2017 for health data? According to one study, it was 5.6 million patient records bad.

According to health data security firm Protenus, which partnered with DataBreaches.net to conduct its research, last year saw an average of at least one health data breach per day. The researchers based their analysis on 477 health data breaches reported to the public last year.

While Protenus only had 407 such incidents, those alone affected 5,579,438 patient records. The gross number of exposed records fell dramatically from 2016, which saw 27.3 million records compromised by breaches. However, the large number of records exposed in 2016 stems from the fact that there were a few massive incidents that year.

According to researchers, the largest breach reported in 2017 stemmed from a rogue insider, a hospital employee who inappropriately accessed billing information on 697,800 patients. The rest of the top 10 largest data breaches sprung from insider errors, hacking, and one other incident involving insider wrongdoing.

Insider wrongdoing seems to be a particular problem, accounting for 37% of the total number of breaches last year. These insider incidents affected 30% of compromised patient data, or more than 1.7 million records.

As bad as those stats may be, however, ransomware and malware seem to be even bigger threats. As the study notes, last year a tidal wave of hacking incidents involving malware and ransomware hit healthcare organizations.

Not surprisingly, last year’s wave of attacks seems to be part of a larger trend. According to a Malwarebytes report, ransomware attacks on businesses overall increased 90 percent last year, led by GlobeImposter and WannaCry incidents.

That being said, healthcare appears to be a particularly popular target for cybercriminals. In 2016, healthcare organizations reported 30 incidents of ransomware and malware attacks, and last year, 64 organizations reported attacks of this kind. While the increase in ransomware reports could be due to organizations being more careful about reporting such incidents, researchers warn that the volume of such attacks may be growing.

So what does this suggest about the threat landscape going forward?  In short, it doesn’t seem likely the situation will improve much over the next 12 months. The report suggests that last year’s trend of one breach per day should continue this year. Moreover, we may see a growth in the number of incidents reported to HHS, though again, this could be because the industry is getting better at breach detection.

If nothing else, one might hope that healthcare organizations get better at detecting attacks quickly. Researchers noted that of the 144 healthcare data breaches for which they have data, it took an average of 308 days for the organization to find out about the breach. Surely we can do better than this.

HHS HIPAA Breach Wall of Shame Updated

Posted on August 28, 2017 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

HHS has recently updated the HHS Wall of Shame…I mean the HIPAA Breach Reporting Tool (HBRT). Whatever you want to call the tool, you can find the most updated version here. Here’s a short description from the press release about the updates to the breach notification tool:

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) today launched a revised web tool that puts important information into the hands of individuals, empowering them to better identify recent breaches of health information and to learn how all breaches of health information are investigated and successfully resolved. The HIPAA Breach Reporting Tool (HBRT) features improved navigation for both those looking for information on breaches and ease-of-use for organizations reporting incidents. The tool also helps educate industry on the types of breaches that are occurring, industry-wide or within particular sectors, and how breaches are commonly resolved following investigations launched by OCR, which can help industry improve the security posture of their organizations.

The new design is nice and it makes sense to finally archive some of the breaches on the list. How long should we condemn an organization that’s had a breach by having them on the list? Of course, it is still available on the archive.

Since the start of the HIPAA Breach notification tool (October 2009), there have been 1674 breach notifications (only includes breaches of 500 people or more). In just the last 24 months they’ve posted 364 breaches with nearly 28 million individuals affected. I’ll have to get my friends at Qlik to import the data to do more analysis of the data. Here’s a look at the data the tool provides:

The tool includes: the name of the entity; state where the entity is located; number of individuals affected by the breach; the date of the breach; type of breach (e.g., hacking/IT incident, theft, loss, unauthorized access/disclosure); and location of the breached information (e.g., laptop, paper records, desktop computer).

I wish they included more details on what caused the breach and more practical ways to defend against the various breaches. That would make the list a lot more actionable. However, I also understand why that would be a hard task to accomplish.

Just looking over some of the recent breaches, I wasn’t shocked by the number of hacking incidents that are being reported. We’ve widely reported on these types of hacking incidents as well. However, I was pretty shocked by how many of the recent breaches were by email. Once again, I wish I had a lot more information about what actually happened with these email breaches. Looks like HHS collects it when someone files a breach. I guess I understand why they can’t share the individual answers, but it would be nice to have some summary reports of actions taken by those that were breached.

What do you think of HHS’ updates to this tool? Is it useful in helping them reach their goal of making the industry safer? Is there something else they could do with the tool to make it work better? We look forward to reading your thoughts in the comments.

Despite Abundance of Threats, Few Providers Take Serious Steps To Protect Their Data

Posted on July 27, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

I scarcely need to remind readers of the immensity of the threats to healthcare data security out there. Not only is healthcare data an attractive target for cybercriminals, the aforementioned keep coming up with new ways to torture security pros (the particularly evil ransomware comes to mind).

Unfortunately, healthcare organizations are also notorious for spending too little on data security. Apparently, this also extends to spending money on information security governance or risk management, according to a new study.

The study is sponsored by Netwrix Corp., which sells a visibility platform for data security and risk mitigation and hybrid environments.  (In other words, the following stats are interesting, but keep your bias alert on.)

Researchers found that 95% of responding healthcare organizations don’t use software for information security governance or risk management and that just 31% of respondents said they were well prepared to address IT risks. Still, despite the prevalence of cybersecurity threats, 68% don’t have any staffers in place specifically to address them.

What’s the source of key IT healthcare security threats? Fifty-nine percent of healthcare organizations said they were struggling with malware, and 47% of providers said they’d faced security incidents caused by human error. Fifty-six percent of healthcare organizations saw employees as the biggest threat to system availability and security.

To tackle these problems, 56% of healthcare organizations said they plan to invest in security solutions to protect their data. Unfortunately, though, the majority said they lacked the budget (75%), time (75%) and senior management buy-in (44%) needed to improve their handling of such risks.

So it goes with healthcare security. Most of the industry seems willing to stash security spending needs under a rock until some major headline-grabbing incident happens. Then, it’s all with the apologies and the hand-wringing and the promise to do much better. My guess is that a good number of these organizations don’t do much to learn from their mistake, and instead throw some jerry-rigged patch in place that’s vulnerable to a new attack with new characteristics.

That being said, the study makes the important point that employees directly or indirectly cause many IT security problems. My sense is that the percent of employees actually packaging data or accessing it for malicious purposes is relatively small, but that major problems created by an “oops” are pretty common.

Perhaps the fact that employees are the source of many IT incidents is actually a hopeful trend. Even if an IT department doesn’t have the resources to invest in security experts or new technology, it can spearhead efforts to treat employees better on security issues. Virtually every employee that doesn’t specialize in IT could probably use a brush up on proper security hygiene, anyway. And retraining employees doesn’t call for a lot of funding or major C-suite buy-in.

The Petya Global Malware Incident Hitting Nuance, Merck, and Many Others

Posted on July 3, 2017 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

The Petya Malware (or NotPetya or ExPetya) has really hit healthcare in a big way. The biggest impact on the healthcare IT world was the damage it caused to Nuance, but it also hit Merck and some other healthcare systems. After a shaky start to their communication strategy, Nuance seems to finally at least be updating their customers who saw a lot of downtime from when it first started on June 28 until now. This rogue Nuance employee account has been pretty interesting to watch as well. There’s a lesson there about corporate social media policies during a crisis.

Petya was originally classified as ransomware, but experts are now suggesting that it’s not ransomware since it has no way to recover from the damage it’s doing. It’s amazing to think how pernicious a piece of malware is that just destroys whatever it can access. That’s pretty scary as a CIO and it’s no surprise that Petya, WannaCry, and other malware/ransomware is making CIOs “cry.”

It’s been eye opening to see how many healthcare organizations have depended on Nuance’s services and quite frankly the vast number of services they offer healthcare. It’s been extremely damaging for many healthcare organizations and has them rethinking their cloud strategy and even leaving Nuance for competitors like MModal. I’m surprised MModal’s social team hasn’t at least tweeted something about their services still being available online and not affected by Petya.

I’ll be interested to see how this impacts Nuance’s business. Nuance is giving away free versions of their Dragon Medical voice recognition software to customers who can’t use Nuance’s transcription business. Long term I wonder if this will actually help Nuance convert more customers from transcription to voice recognition. In the past 5 days, Nuance’s stock price has droppped $1.54 per share. Considering the lack of effective alternatives and the near monopoly they have in many areas, I’ll be surprised if their business is severely damaged.

As I do with most ransomware and malware incidents, I try not to be too harsh on those experiencing these incidents. The reality is that it can and will happen to all of us. It’s just a question of when and how hard we’ll be hit. It’s the new reality of this hyper connected world. Adding to the intrigue of Petya is that it seems to have been targeted mostly at the Ukraine and companies like Nuance and Merck were just collateral damage. Yet, what damage it’s done.

Earlier today David Chou offered some suggestions on how to prevent ransomware attacks that are worth considering at every organization. The one that stands out most to me with these most recent attacks is proper backups. Here is my simple 3 keys to effective backups:

Layers – Given all the various forms of ransomware, malware, natural disasters, etc, it’s important that you incorporate layers of backups. A real time backup of your systems is great until it replicates the malware in real time to your backup server. Then you’re up a creek without a paddle. An off site backup is great until your off site location has an issue. You need to have layers of backup that take into account all of the ways your data could go bad, be compromised, etc.

Simple – This may seem like a contradiction to the first point, but it’s not. You can have layers of backups and still keep the approach simple and straightforward. Far too often I see organizations with complex backup schemes which are impossible to monitor and therefore stop working effectively. The KISS principle is a good one with backups. If you make it too complex then you’ll never realize that it’s actually failing on you. There’s nothing worse than a failed backup when you think it’s running fine.

Test – If you’ve never tested your backups by actually restoring them, then you’re playing russian roulette with your data. It’s well known that many backups complete without actually backing up the data properly. The only way to know if your backup really worked is to do a test restore of the data. Make sure you have regularly scheduled tests that actually restore your data to a backup server. Otherwise, don’t be surprised if and when your backup doesn’t restore properly when it’s really needed. Malware events are stressful enough. Knowing you have a good backup that can be restored can soften the blow.

Backups won’t solve all of your problems related to malware, but it’s one extremely important step in the process and a great place to start. Now I’m going to go and run some backups on my own systems and test the restore.

Cost of a Breach, Proper Medical Record Disposal, and Delayed Breach Notifications

Posted on June 22, 2017 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Time for a quick roundup of HIPAA related tweets from around the Twittersphere. Check out these tweets and we’ll add in a bit of our commentary.


Matt’s correct that it’s not all avoidable, but at $380 per record that’s expensive. Breaches are expensive everywhere, but especially in healthcare. When you look at how insecure various industries are, my guess is that healthcare would be near the top of the list as well. That’s a problem.


I’m with Danika Brinda as well. I have no idea why this is still happening. Are people really that uneducated and naive when it comes to disposal of paper medical records? Hire a company with a great reputation if you’re not sure how to do it properly yourself.


Happens all the time. The fine for the delay is more than the damage of the breach itself. There should be no reason organization’s delay in their efforts to notify patients of a breach. Doing so can be a very expensive prospect. Plus, it’s the right thing to do for the patients.

Why Small Medical Practices Are at Great Risk for a Cyber Attack

Posted on June 14, 2017 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

The good people at ClinicSpectrum recently shared a look at why small practices are at risk for a cyber attack. They label it as why your EHR is at risk for a cyber attack, but I think their list is more specific to small practices as opposed to EHR. Take a look at their list:

Each of these issues should be considered by a small medical when it comes to why they are at risk for a cyber attack. However, the first one is one that I see often. Many small practices wonder, “Why would anyone want to hack my office?”

When it comes to that issue, medical practices need to understand how most hackers work. Most hackers aren’t trying to hack someone in particular. Instead, they’re just scouring the internet for easy opportunities. Sure, there are examples where a hacker goes after a specific target. However, the majority are just exploiting whatever vulnerabilities they can find.

This is why it’s a real problem when medical practices think they’re too small or not worth hacking. When you have this attitude, then you leave yourself vulnerable to opportunistic hackers that are just taking advantage of your laziness.

The best thing a medical practice can do to secure their systems is to care enough about having secure systems. You’ll never be 100% secure, but those organizations who act as if they don’t really care about security are almost guaranteed to be hacked. You can imagine how HHS will look at you if you take this approach and then get hacked.

No Duh, FTP Servers Pose PHI Security Risk

Posted on April 12, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

The File Transfer Protocol is so old – it was published in April 1971 – that it once ran on NCP, the predecessor of TCP/IP. And surprise, surprise, it’s not terribly secure, and was never designed to be so either.

Security researchers have pointed out that FTP servers are susceptible to a range of problems, including brute force attacks, FTP bounce attacks, packet capture, port stealing, spoofing attacks and username enumeration.

Also, like many IP specifications designed prior before standard encryption approaches like SSL were available, FTP servers don’t encrypt traffic, with all transmissions in clear text and usernames, passwords, commands and data readable by anyone sniffing the network.

So why am I bothering to remind you of all of this? I’m doing so because according to the FBI, cybercriminals have begun targeting FTP servers and in doing so, accessing personal health information. The agency reports that these criminals are attacking anonymous FTP servers associated with medical and dental facilities. Plus, don’t even know they have these servers running.

Getting into these servers is a breeze, the report notes. With anonymous FTP servers, attackers can authenticate to the FTP server using meaningless credentials like “anonymous” or “ftp,” or use a generic password or email address to log in. Once they gain access to PHI, and personally identifiable information (PII), they’re using it to “intimidate, harass, and blackmail business owners,” the FBI report says.

As readers may know, once these cybercriminals get to an anonymous FTP server, they can not only attack it, but also gain write access to the server and upload malicious apps.

Given these concerns, the FBI is recommending that medical and dental entities ask their IT staff to check their networks for anonymous FTP servers. And if they find any, the organization should at least be sure that PHI or PII aren’t stored on those servers.

The obvious question here is why healthcare organizations would host an anonymous FTP server in the first place, given its known vulnerabilities and the wide variety of available alternatives. If nothing else, why not use Secure FTP, which adds encryption for passwords and data transmission while retaining the same interface as basic FTP? Or what about using the HTTP or HTTPS protocol to share files with the world? After all, your existing infrastructure probably includes firewalls, intrusion detection/protection solutions and other technologies already tuned to work with web servers.

Of course, healthcare organizations face a myriad of emerging data security threats. For example, the FDA is so worried about the possibility of medical device attacks that it issued agency guidance on the subject. The agency is asking both device manufacturers and healthcare facilities to protect medical devices from cybersecurity threats. It’s also asking hospitals and healthcare facilities to see that they have adequate network defenses in place.

But when it comes to hosting anonymous FTP servers on your network, I’ve got to say “really?” This has to be a thing that the FBI tracks and warns providers to avoid? One would think that most health IT pros, if not all, would know better than to expose their networks this way. But I suppose there will always be laggards who make life harder for the rest of us!