Medical data leakage rampant on P2P networks

The risk of patient information disclosures on peer-to-peer (P2P) networks is much higher than if a health care worker loses a laptop or removable storage device, according to new research.

Dartmouth College business professor Eric Johnson has written a report called “Data Hemorrhages in the Health Care Sector” and plans to present his findings later this month at the Financial Cryptography and Data Security conference, Johnson told SCMagazineUS.com.

P2P networks are internet-based file sharing networks that allow users to share music or other files -- LimeWire or BearShare are popular examples.

Over a two-week period, Dartmouth College researchers, in collaboration with P2P monitoring vendor Tiversa, searched file-sharing networks for key terms associated with the top ten publicly traded health care firms in the USA, and discovered numerous sensitive documents – for example, a spreadsheet from an AIDS clinic with 232 client names, including Social Security numbers, addresses and birthdates.

The researchers also discovered databases for a hospital system that contained detailed information on more than 20,000 patients, including Social Security numbers, contact details, and insurance records, along with diagnosis information.  

The researchers also found a 1718-page document from a medical testing laboratory containing patient Social Security numbers, insurance information, and treatment codes for thousands of patients. And in another place relating to a group of anesthesiologists, more than 350 megabytes of data comprising sensitive patient reports were found. 

There are numerous ways confidential data can inadvertently get on a P2P network, Johnson said. For example, users could share folders containing sensitive information because of a confusing client interface or because they have music and data in the same folder. Or they could potentially download malware that exposes files or install a vulnerable program that unintentionally shares files the user did not intend to.

Johnson said that health care organisations should be worried about the threats of P2P networks. Because even if they ban employee use of P2P, many times patient data winds up on the laptops of individual physicians or partners -- so the potential for any one of those users to participate in P2P goes up, Johnson said.

The root problem, though, is that health care organisations store confidential and highly sensitive data in unprotected and easily portable formats such as Microsoft Excel spreadsheets, Word documents, or PDFs, he said. Preventing users from using P2P networks is just a "Band-Aid" fix for a bigger problem, since there are many other ways data can be leaked from an organisation.

Health care firms must implement systems in which users can look up information on a patient but cannot download the data to a spreadsheet, he said. The $818 billion economic stimulus bill passed two weeks ago by US Congress provides money to computerise health records and also calls for stringent security and privacy controls.

“The bigger issue is moving toward a robust enterprise data system based on a universal medical record format,” Johnson said.

See original article on scmagazineus.com