P2P Networks: A Cause for Concern?
P2P networks pose substantial risks, a new Dartmouth College study illustrates. The study also sheds light on the dangers of storing patient information in spreadsheets and documents outside of electronic health records.
Dartmouth researchers conducted keyword searches on several P2P networks and discovered patient information in spreadsheets, PDFs or other document formats, says Professor M. Eric Johnson. Their report, "Will HITECH Heal Health Patient Data Hemorrhages?" will be posted soon.
But do the bad guys know that enough information to support medical identity theft exists on P2P networks? Yes indeed, Johnson says.
In analyzing searches conducted on the networks, Dartmouth researchers confirmed that some users had conducted very specific searches that clearly were designed to find personal health information.
What steps should you take to guard against the risks of P2P networks, especially in light of higher penalties for HIPAA privacy and security rule violations under the HITECH Act?
Johnson says hospitals and other healthcare organizations should ban the use of P2P networks on their computers. The big risk, he says, is that if file-sharing software is improperly installed, it can expose all the data on a computer to the network.
Plus, he says organizations should take steps to make sure that if employees take laptops home, they don't let teenagers use them to access a P2P network and download music. If you think that's unlikely to happen, consider this: The professor told me of one federal official who confessed to him that precisely that scenario occurred in his household.
The Dartmouth report also concludes that healthcare organizations should consider such technologies as P2P monitoring, disk-level encryption, tokenization and data truncation to help address security issues raised by the file-sharing networks.
But Johnson says his study illustrates an even bigger risk than information leaking to P2P networks. The risky behavior he warns against is storing patient information on vulnerable spreadsheets and documents, rather than segregating it in electronic health records systems.
Many EHRs have some level of security protection built into the application, the professor says. Plus, it's much tougher to find identification information on thousands of patients by hacking into an EHR than it is to simply access identifiers stored in one long list in a spreadsheet or document.
And whether a spreadsheet is discovered on a stolen laptop or on a P2P network, the risk is the same.
"Moving sensitive material out of ad hoc databases, such as spreadsheets and documents, and into enterprise-class software (like EHRs) will likely reduce the types of inadvertent disclosures we observed," the Dartmouth report concludes.
But how do you figure out where all your organization's clinical data resides?
Steve Scott of St. Charles Health System is using a data loss prevention application to seek out the information hidden in documents, spreadsheets and elsewhere, so it can be encrypted.
Maybe it's time, however, to consider crafting a policy that severely restricts, or bans, placing information that could be used for identity theft in applications other than core enterprise systems, including an EHR.