P2P networks a treasure trove of leaked health care data, study finds
Eight months after passage of HITECH Act, data leaks still a problem in health care industry
Computerworld - Nearly eight months after new rules were enacted requiring stronger protection of health care information, organizations are still leaking such data on file-sharing networks, a study by Dartmouth College's Tuck School of Business has found.
In a research paper to be presented at an IEEE security symposium Tuesday, a Dartmouth College professor Eric Johnson will describe how university researchers discovered thousands of documents containing sensitive patient information on popular peer-to-peer (P2P) networks.
One of the more than 3,000 files discovered by the researchers was a spreadsheet containing insurance details, personally identifying information, physician names and diagnosis codes on more than 28,000 individuals. Another document contained similar data on more than 7,000 individuals. Many of the documents contained sensitive patient communications, treatment data, medical diagnoses and psychiatric evaluations. At least five files contained enough information to be classified as a major breach under current health-care breach notification rules.
While some of the documents appear to have been leaked before the Obama administration's Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted, many appear to be fairly recent. A previous study by Dartmouth in 2008 also unearthed files containing health-care data floating on P2P networks, such as Limewire, eDonkey and BearShare. Among the documents found in that study was one containing 350MB of patient data for a group of anesthesiologists and another on patients at an AIDS clinic in Chicago.
The fact that many organizations are still leaking such information on file-sharing networks is surprising, said Johnson, professor of operations management at Dartmouth and one of the paper's authors.
The HITECH Act, which went into effect last September, requires any organization handling health-care data to implement stronger controls for protecting it. The law also requires such organizations to publicly disclose data breaches involving patient health information within 60 days of the discovery of a breach. The law also significantly expands the number and kinds of organizations that are required to comply with the federal law on patient privacy known as HIPAA (the Health Insurance Portability and Accountability Act). The law also provides for stiff penalties for noncompliance with these requirements.
The fact that sensitive patient health information is freely available on P2P networks suggests that many organizations are still not paying enough attention to security, Johnson said.
How the data gets leaked
Data leaks on P2P networks typically occur when file-sharing software from P2P sites such as Limeware and eMonkey is improperly installed on a computer that contains sensitive data. Usually, the file-sharing software is installed on a computer to share music and video files. In many cases, however, users configure the software improperly, and all the data on the computer becomes visible and available to all other users on the P2P network.
- Big Data, Big Mess: Sound Risk Intelligence Through Complete Context This paper examines the insecurity of the small businesses in the supply chain and offers tips to close those backdoors into the enterprise.
- Using Cyber Insurance and Cybercrime Data to Limit Your Business Risk This paper examines the challenges of understanding cyber risks, the importance of having the right cyber risk intelligence, and how to use this...
- 5 Tips to Secure Small Business Backdoors in the Enterprise Supply Chain This paper examines the insecurity of the small businesses in the supply chain and offers tips to close those backdoors into the enterprise.
- Confront consumerization with convergence Virtualization expert Elias Khnaser spotlights the security, compliance, and governance issues that arise when enterprise users "consumerize" with shadow IT and public cloud...
- Data Protection and Disaster Recovery with iSCSI and VMware Get this on demand webcast now
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to... All Privacy White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!