Healthcare Workers Sharing Music and they could also be sharing Medical Records and Files
Posted Feb 21 2009 10:29pm
This is a good article about peer-to-peer sharing. Most of us are aware of what P2P sharing is on the web; music and videos were the driving force behind it, and it is how the original Napster (not in its current form) got started.
With peer-to-peer software, you are in fact allowing another computer to access files on your own hard drive, opening a path through your firewall for that access. Most of the software vendors do include preferences that let you decide which folders and areas can be shared, but unfortunately a misconfiguration by someone who is not computer savvy enough can lead to security leaks. By default most clients have the user select a folder to share, but again the configuration can be changed, and if a document is placed in that folder, it too is fair game.
Most larger institutions subscribe to services that go out and monitor the peer-to-peer networks to check whether anything of a personal nature or any medical files have ended up there, which is a sensible thing to do so that you are in the know. As the article states, if someone logs on to a remote server and saves a document from the server to their own PC, that document is now outside the realm of what can be protected on the server, and if it ends up in the "shared" area of a personal PC, everyone on the P2P network can access it.
This comes down to security measures such as not allowing downloads of the Word documents, Excel spreadsheets, etc. used for business from the remotely connected server. I agree with this: when a remote connection is available, medical records have no reason to be on a personal PC, but people keep doing it, along with putting documents on USB sticks that are not encrypted. On a home network, it is pretty likely that the network is what is called a "peer to peer" (workgroup) network, so there is no server on which to configure permissions unless something like Windows Home Server is used.
I have walked into that situation, not recently but a while back, with a physician's office using peer-to-peer connections to download music. Not only do you have the security issues, but also the disruption of folks focusing on their music and video downloads instead of taking care of patients! The drive on one of the computers was so full of video downloads that it could not function, could not use the electronic medical records files, and could not even open the internet. Yes, this is real life and what you find out there. The best rule of thumb, of course, is to lock it down and allow no access to the peer-to-peer network sites, as some are becoming web based too. If you do not have a server, most modern routers on a small office network can do the trick, but again, you need to configure the firewall on the router.
Most everyday users have no clue as to how these services operate and just know they want a "free" download of a song or video. When you use your home computer to connect to a business network and you subscribe to any of these services, you might want to think about either discontinuing the service or making sure it is in fact turned off while you are working. There are options to turn the service off, and again the preferences and a bit of reading will tell you how to do it. Nobody can legally tell you how to use your home computer, but once a security breach is created over such a matter, everyone will want to know exactly what you are doing, so give this some real serious thought if you use your home computer to connect to a server remotely. If you take on remote work on a home computer, use some common sense about the responsibility that goes along with it. BD
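The risk described above is a business document landing in the folder a P2P client shares. As an added illustration (not code from the original post or from any P2P vendor), this script audits a shared folder the way a cautious admin or monitoring service would, flagging business file types and crude PII markers (SSN-like numbers, date-of-birth labels); the sample share it builds is constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# File types the post warns about: business documents that should never sit in a P2P share.
BUSINESS_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".csv", ".txt"}
# Crude PII markers: a US Social Security number pattern and a date-of-birth label.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DOB_RE = re.compile(r"\b(DOB|date of birth)\b", re.IGNORECASE)
MAX_TEXT_BYTES = 1_000_000  # skip reading large media files; only small text-like files are inspected


def audit_shared_folder(share_root):
    """Walk the folder a P2P client exposes; return sorted (relative path, reason) findings."""
    root = Path(share_root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in BUSINESS_EXTENSIONS:
            findings.append((rel, "business document type in shared folder"))
        if path.stat().st_size > MAX_TEXT_BYTES:
            continue
        # Binary office formats would need a real parser; plain-text exports are checked directly.
        text = path.read_text(errors="ignore")
        if SSN_RE.search(text):
            findings.append((rel, "contains SSN-like number"))
        if DOB_RE.search(text):
            findings.append((rel, "contains date-of-birth label"))
    return sorted(findings)


def build_sample_share(base):
    """Constructed sample share: a music file plus a billing export saved from the office server."""
    base = Path(base)
    (base / "music").mkdir(parents=True, exist_ok=True)
    (base / "music" / "song.mp3").write_bytes(b"\x00" * 16)
    (base / "billing_export.csv").write_text("name,ssn,dob\nJane Doe,123-45-6789,01/02/1970\n")
    return base


def demo_findings():
    """Build the constructed share in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_shared_folder(build_sample_share(tmp))


if __name__ == "__main__":
    for rel, reason in demo_findings():
        print(f"{rel}: {reason}")
```

Only the billing export is flagged; the music file in the share produces no finding.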
Using software written specifically for scanning Internet-based peer-to-peer (P2P) file sharing networks, Eric Johnson, an operations management professor at Dartmouth College's Tuck School of Business in Hanover, N.H., and colleagues recently found confidential medical files, involving thousands of people, including patient billing records and insurance claims containing Social Security numbers, birth dates, medical diagnoses and psychiatric evaluations. (The same type of information could have been found without the special search software, although not as quickly, because the researchers would have had to search individual computers on each of the P2P networks they visited.) Johnson's team found the data by trolling P2P networks such as Gnutella, FastTrack, Aries and e-donkey. (A visit to the eDonkey2000 Network indicates it is no longer available.) The leaked information came from the health care organizations themselves, their employees working remotely, and from businesses that perform billing and other services for these organizations. "Our goal was to see the kinds of information that was leaking out, and P2P was simply a window into those organizations," says Johnson, who will present his findings on Monday at the Financial Cryptography and Data Security '09 conference in Barbados.
In one case, Johnson and his team found two databases with detailed information on more than 20,000 hospital patients from the computer of a collection agency working for the hospital. Another search turned up a 1,718-page report with nearly 9,000 patient names, Social Security numbers, birth dates, insurers, group numbers and identification numbers. The researchers also found a PDF form for writing prescriptions that was blank, except for a doctor's signature at the bottom. "This document could be used for medical fraud by prescription drug dealers and abusers," Johnson noted in his report.