This week’s breach involved a medical services company’s FTP server which allowed “uncontrolled access to its patients’ protected health information”.
“This uncontrolled access permitted search engines to index the PHI of Touchstone’s patients, which remained visible on the Internet even after the server was taken offline.”
The company ultimately “agreed to pay $3,000,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security and Breach Notification Rules”.
So-called File Transfer Protocol (or “FTP”) servers are a venerable approach to sharing data. FTP was one of the first digital publishing platforms, used widely for software distribution and file transfer since the early days of the internet. SSH FTP (or SFTP) adds encryption and thus makes it compliant for transferring sensitive information, including PHI, which is regulated by HIPAA, so long as the client and server encrypt the transferred files at rest.
The problem is, compliant is not the same as secure.
Once a file transfer server is up and running, it will reliably and consistently serve files. If access is incorrectly or incompletely configured, as appears to be the case here, every minute brings added exposure. This is why all access to shared files should be limited to a period of time by default, something file transfer servers were unfortunately not designed to support. This could have prevented the breach, despite the questionable configuration.
A second issue is that FTP is all about TRANSFER. As long as it remains up and running, authorized clients will have unfettered access to download data and then do whatever they like with it – print it, publish it, transfer it to others… Worse, clients become compromised over time. People leave companies – and transfer their user credentials to their replacement, hopefully not a third-party service – or they may be compromised through phishing or malware attacks.
The longer the server is up, the longer your exposure lasts.
The good news is, FTP’s days are numbered. Migration to the cloud is finally happening – and companies are discovering the mechanisms built into cloud file storage services are only intended for internal collaboration.
Solutions like e-Share’s Trusted Sharing offer fine-grained sharing options – like automatic expiration of shared material. This can, as shown above, be set at the organizational level. For many shares, one-time or 1 day is entirely adequate. For longer collaborations, the expiration should likely match the engagement level.
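The expire-by-default principle argued above can be sketched as signed share tokens whose lifetime is set and capped by organizational policy. This is an added example, not e-Share's code or API; the function names, the one-day default and the 30-day ceiling are assumptions chosen for illustration.

```python
import base64, hashlib, hmac, json, time

ORG_DEFAULT_TTL = 24 * 3600      # assumed org-wide default: 1 day
ORG_MAX_TTL = 30 * 24 * 3600     # assumed org-wide ceiling for long engagements
_used_once = set()               # redeemed one-time share ids (in-memory for the demo)

def _sign(key, payload):
    return hmac.new(key, payload, hashlib.sha256).digest()

def issue_share(key, path, share_id, ttl=None, one_time=False, now=None):
    """Return a token granting access to `path` until an enforced expiry."""
    now = time.time() if now is None else now
    ttl = ORG_DEFAULT_TTL if ttl is None else ttl
    if ttl <= 0:
        raise ValueError("ttl must be positive")
    ttl = min(ttl, ORG_MAX_TTL)  # callers cannot opt out of expiry
    claims = {"id": share_id, "path": path, "exp": int(now + ttl), "once": one_time}
    payload = json.dumps(claims, sort_keys=True).encode()
    b64 = base64.urlsafe_b64encode
    return (b64(payload) + b"." + b64(_sign(key, payload))).decode()

def check_share(key, token, path, now=None):
    """Return (allowed, reason). Deny on any parse, signature or expiry failure."""
    now = time.time() if now is None else now
    try:
        p64, s64 = token.encode().split(b".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except ValueError:           # wrong part count or invalid base64
        return False, "malformed"
    if not hmac.compare_digest(sig, _sign(key, payload)):
        return False, "bad signature"
    claims = json.loads(payload)  # safe to parse: signature already verified
    if claims["path"] != path:
        return False, "wrong file"
    if now >= claims["exp"]:
        return False, "expired"
    if claims["once"]:
        if claims["id"] in _used_once:
            return False, "already used"
        _used_once.add(claims["id"])
    return True, "ok"
```

Because the expiry is checked on every access rather than at issue time, a misconfigured or forgotten share stops working on its own once the window closes.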
Sharing can also be limited to view or edit-online only, with no download, printing or copy/paste. You can optionally require participants to sign in with OpenID, enter an access code, accept terms of service – and more.
Register for a demo to learn how mandating share expiration is a critical first line of defense for all information – especially regulated data like PHI.