An alert from the FBI should remind the healthcare industry how serious security is, and how complex the process of protecting information can be.
The FBI is aware of criminal actors who are actively targeting File Transfer Protocol (FTP) servers operating in “anonymous” mode and associated with medical and dental facilities to access protected health information (PHI) and personally identifiable information (PII) in order to intimidate, harass, and blackmail business owners.
FTP is a commonly used protocol that allows computers to exchange files. As the FBI noted, researchers have found that many servers run FTP configured to give parties without an account on the computer access to the service. Criminals search for servers at healthcare organizations that support FTP anonymous mode and then attempt to gain access to medical information.
It might seem odd for criminals to look for medical information when they could search for credit card numbers. However, there’s a good reason. According to the FBI, personal medical information is worth ten times as much on the black market.
Information such as names, birth dates, Social Security numbers, diagnostic codes, and insurance information is pure gold. Criminals can file fake payment requests with insurers, or order drugs and medical equipment and then resell them. Furthermore, think about payment cycles and bureaucracy in medical billing. A credit card issuer is far more likely to notice fraudulent activity and react quickly, before it has time to balloon out of control. By the time insurance, drug, and equipment companies finally realize something is wrong, the criminal is long gone.
In addition, health information has some other big advantages for criminals, as HealthData Management reported:
Protected Health Information (PHI) is now worth more on the black market than credit card data. This makes healthcare providers more lucrative targets than banks or retail institutions. Credit card data has a shelf life that lasts until the bank discovers a breach and freezes the affected credit cards. Health data, on the other hand, includes a larger wealth of information (insurer, employing company, Social Security number, birth date and more), making it harder to quickly contain the abuse of using the data improperly. Health data can also be used to commit insurance fraud, buy drugs or medical equipment or steal an identity.
Many care providers haven’t put the emphasis on computer security that corporations in other industries have. Weaknesses can be anywhere. For example, you can find FTP servers in computer printers, and data loaded onto an FTP server stays there until it’s explicitly deleted.
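One way to check your own server for the anonymous mode described above, as an added example that is not part of the FBI alert or the original article: it assumes the server runs vsftpd and audits the text of its vsftpd.conf, treating a missing `anonymous_enable` line as enabled because that is the default documented in vsftpd.conf(5). Both sample configurations are constructed.

```python
# Added example: audit a vsftpd.conf for anonymous-mode exposure.
# Assumption: the server is vsftpd; defaults are those in vsftpd.conf(5).
DEFAULTS = {
    "anonymous_enable": "YES",  # anonymous logins are on unless turned off
    "no_anon_password": "NO",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
}
TRUTHY = {"YES", "TRUE", "1"}

def parse_conf(text):
    """Return only the option=value pairs actually present in the file."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key] = value  # a later line replaces an earlier one
    return conf

def audit(text):
    """List anonymous-access findings; an empty list means none."""
    conf = parse_conf(text)
    eff = {**DEFAULTS, **conf}  # file values layered over the defaults
    on = lambda k: eff[k].upper() in TRUTHY
    if not on("anonymous_enable"):
        return []
    how = "set in file" if "anonymous_enable" in conf else "not set, default applies"
    findings = [f"anonymous logins permitted ({how})"]
    if on("no_anon_password"):
        findings.append("anonymous login skips the password prompt")
    # Anonymous write options only take effect when write_enable is also on.
    if on("write_enable") and on("anon_upload_enable"):
        findings.append("anonymous users can upload files")
    if on("write_enable") and on("anon_mkdir_write_enable"):
        findings.append("anonymous users can create directories")
    return findings

# Constructed sample configurations (not taken from any real server).
WEAK = "# no anonymous_enable line at all\nlisten=YES\nwrite_enable=YES\nanon_upload_enable=YES\n"
HARDENED = "listen=YES\nanonymous_enable=NO\nlocal_enable=YES\nwrite_enable=YES\nanon_upload_enable=YES\n"

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text) or "no anonymous exposure")
```

A file that never mentions `anonymous_enable` is flagged, so the absence of the setting is not read as a safe state.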
The potential costs in fines from the government, lawsuits from patients, and reputation damage are large. Executives and managers need to realize that security isn’t some optional activity that has no strategic importance.