P2P Puts Medical Data At Risk

Study finds peer-to-peer file sharing exposes personal health data on home computers to security vulnerabilities.
Many home computer users don't realize it, but the next time they download a movie, a video or some old sentimental song, they may be giving an intruder the opportunity to search the PC's files for sensitive information, including their health records, a new study finds.

What kind of sensitive information? Well, according to Khaled El Emam, Canada research chair at the University of Ottawa, and the lead on a research paper on the inadvertent disclosure of personal information through peer-to-peer file sharing programs, the information found was "very personal and very rich in detail."

By using simple search terms like "patient file", "medical form", or "medical", researchers retrieved medical authorization forms, confidential corporate information, and private letters.

"For example, we found a letter that a mother wrote to her 16-year-old daughter's camp director giving him all the complete details of her daughter's medical history, health conditions, health insurance card numbers, and her medications," El Emam said.

Researchers also found medical certificates attesting to a person's medical condition, and another document spelled out the details of a soldier's medical history and a description of an incident resulting in an injury to his leg. The team also found out that the soldier was preparing to be sent to Guantánamo Bay.

The study, published in a recent issue of the Journal of the American Medical Informatics Association, found that the volume of U.S. computer files containing sensitive personal health information was less than 1 percent.

"We don't have an exact number that represents what less than 1 percent is, but it's not unreasonable to conclude that it could be tens of thousands of home users," El Emam said.

The threats that come with peer-to-peer file sharing are nothing new. Essentially, when peer-to-peer networks identify shared files to millions of users, they also recognize the location of a user's computer. Once this occurs it's possible to target that computer's Internet Protocol (IP) address to gain access.

"We didn't crack any codes or break into any unauthorized computer systems. The information is in the public domain and easy to access," El Emam said. "Users are installing software that allows them to very easily share a lot of information so it should be no surprise that some people will actually look for that information and get it," El Emam explained.

There are around 250 different file sharing programs. Most of them are free, and many are open source or from other parts of the world where, unlike in the U.S., they do not come under legislative or regulatory scrutiny, El Emam said.

As health care providers increasingly move to digitize medical records, and as medical employees increasingly take their work home, the risk of strangers tapping into home computers that store medical information increases.

"This is an important issue. As we digitize more health information it behooves individuals and health care providers to stop using tools like this whether at work or on their home computers. Putting these files anywhere near sensitive health information is a risk. Just avoid these file sharing programs completely," El Emam recommended.
