P2P Networks Pose Serious Risks: Study
Researchers find leaked healthcare information
Researchers at Dartmouth's Tuck School of Business conducted keyword searches on several P2P networks and discovered patient information in spreadsheets, PDFs or other document formats, says Professor M. Eric Johnson. Their report, "Will HITECH Heal Health Patient Data Hemorrhages?" will be posted next week.
The researchers also confirmed that some users of the P2P networks, which were designed to share music and videos, are conducting very specific searches designed to find personal health information. "The bees are flying around because there's honey in there," Johnson says.
Installing file-sharing software is "dangerous," and healthcare organizations need to enforce policies that ban the use of their computers to access P2P networks, Johnson stresses. That's because if the required file-sharing software is improperly installed, it can expose all the data on a computer to the network, he says.
One possible way that healthcare organizations are exposed to risk, Johnson says, is when staff members take home laptops that contain health information, and a teenager borrows the laptop and improperly installs file-sharing software to download music. "That exposes the whole hard drive," he says.
Based on his studies of health data on P2P networks last year, and a similar study in 2008, Johnson says the HITECH Act hasn't yet had a significant impact on the pervasiveness of health data on P2P networks. The amount of health information accessible on the networks in 2008 and 2009 was similar, the researchers found. "The same kind of data was still floating around," he says.
The HITECH Act, passed as part of the stimulus package in February 2009, created tougher penalties for violations of the HIPAA privacy and security rules. It also led to the creation of the HITECH Breach Notification Rule, which went into effect Sept. 23, 2009. Under the rule, major breaches must be reported to federal authorities, the media and the individuals affected within 60 days.
Johnson is hopeful that eventually, more healthcare organizations, in light of the Act's stiffer penalties, will take more steps to ensure security. That includes clamping down on use of P2P networks as well as stopping the practice of storing sensitive patient data in spreadsheets and documents, where it's less secure than in an electronic health record.
Role of EHRs
Many EHRs have some level of security protection built into the application, the professor says. Plus, it's much tougher to find identification information on thousands of patients by hacking into an EHR than it is to simply access identifiers stored in one long list in a spreadsheet or document.
When it comes to addressing security, "People tend to be far more casual when working in a spreadsheet or a document," he notes.
Whether a spreadsheet is discovered on a stolen laptop or on a P2P network, the risk is the same, he stresses.
And while encrypting patient information helps protect it, that step doesn't guarantee the information will be inaccessible to the bad guys, he argues. That's because, for example, disk-level encryption may only kick in when a computer is shut down, leaving data vulnerable for extended periods if the computer is linked to a P2P network or hacked.
"Some see encryption as a silver bullet, but it's not," he says. "It's one piece of the puzzle."
Johnson and his team of researchers conducted two studies last year based on keyword searches for health information on several P2P networks.
During a two-week study last July, researchers found almost 3,000 healthcare files on the networks, including spreadsheets and documents, and 15 percent of those contained personal information. About 8 percent contained enough information, including Social Security numbers, to commit identity theft, the professor says.
A second two-week study in late September, as the HITECH Breach Notification Rule was taking effect, focused only on searches for spreadsheets. That turned up almost 800 healthcare files, with 45 percent containing personal information and 2.5 percent posing significant risk of identity theft.
Five of the spreadsheets in the September study had information on more than 500 individuals, which meant they would have had to be reported as major breaches under the breach notification rule. Together, they contained information on more than 28,000 patients. Included were a case log on mental health patients and two large health insurance files.
Johnson called the five organizations to alert them to the situation. "It made for strange phone calls," he says. "A lot of them didn't even know what a peer-to-peer network was. There's a certain amount of denial that goes on with these things; it's not the kind of breach they're used to dealing with."
The Dartmouth report concludes: "There are indeed many measures that the healthcare sector should consider, beyond blocking P2P networks and preventing files from migrating to machines that participate in P2P. While none themselves is a single answer, efforts such as P2P monitoring, disk-level encryption, tokenization and data truncation all help.
"More importantly, moving sensitive material out of ad hoc databases, such as spreadsheets and documents, and into enterprise-class software (EHRs) will likely reduce the types of inadvertent disclosure we observed.
"As compared with earlier studies we conducted in the banking sector, we note that the extended enterprises of healthcare providers often include many technically unsophisticated partners who are more likely to leak information. Thus, tracking and stopping medical data hemorrhages is more complex and possibly harder to control given the fragmented nature of the U.S. healthcare system."