Hospital Workers Sharing Music? They May Also Be Sharing Your Medical Records

Health care workers using Gnutella or other peer-to-peer (P2P) networks to share music and video may be putting you at risk for medical identity theft, Dartmouth researchers find

HEMORRHAGING DATA: A team of Dartmouth researchers found peer-to-peer (P2P) networks littered with sensitive health care information inadvertently made available by employees of hospitals and other health care facilities, as well as their collection agencies and other business partners. Image: ©ISTOCKPHOTO.COM/PALI RAO

If Pres. Obama has his way, the medical records of every American will be digitized by 2014. The stimulus package (read the text here) includes $19 billion in funding to pay for the effort and calls for the appointment of a chief privacy officer to advise the U.S. Department of Health and Human Services on how best to protect this sensitive information. If a new study of how easily your medical records can be found online by others is any indication, the new chief privacy officer (to be appointed over the next 12 months) will have his work cut out for him because an increase in digital medical records would likely mean an increase in medical identity theft.

Using software written specifically for scanning Internet-based peer-to-peer (P2P) file sharing networks, Eric Johnson, an operations management professor at Dartmouth College's Tuck School of Business in Hanover, N.H., and colleagues recently found confidential medical files, involving thousands of people, including patient billing records and insurance claims containing Social Security numbers, birth dates, medical diagnoses and psychiatric evaluations. (The same type of information could have been found without the special search software, although not as quickly because the researchers would have had to search individual computers on each of the P2P networks they visited.)

Johnson's team found the data by trolling P2P networks such as Gnutella, FastTrack, Aries and e-donkey. (A visit to the eDonkey2000 Network indicates it is no longer available.) The leaked information came from the health care organizations themselves, their employees working remotely, and from businesses that perform billing and other services for these organizations. "Our goal was to see the kinds of information that was leaking out, and P2P was simply a window into those organizations," says Johnson, who will present his findings on Monday at the Financial Cryptography and Data Security '09 conference in Barbados.

In P2P, people share information stored on their computers with other people on a particular network, a practice first made popular by the music-swapping service Napster. Often, P2P users must download software onto their computers that allows others to search their computers for files. Allowing other P2P users to access your computer, however, means dropping your defenses (including firewalls meant to keep out snoopers and hackers).
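The exposure the study describes, billing exports sitting inside a folder a P2P client shares, can be caught from the defender's side before a client ever serves the file. The following script is an added example, not code from the Dartmouth study or from any P2P client: it assumes the client's shared-folder paths are known, scans them for the identifiers the article names (Social Security numbers, dates of birth, diagnosis fields), and runs against constructed sample files so it works offline.

```python
import os
import re
import tempfile

# Added example (not the study's scanner or a P2P client's code). Patterns match
# the identifiers the article names; DOB/Diagnosis labels are assumed field names.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "dob": re.compile(r"\b(?:DOB|Date of Birth)\s*[:=]\s*\d{1,2}/\d{1,2}/\d{2,4}", re.I),
    "diagnosis": re.compile(r"\b(?:Diagnosis|Dx)\s*[:=]", re.I),
}

def scan_file(path, max_bytes=1 << 20):
    """Return the set of pattern names found in the first max_bytes of a file."""
    hits = set()
    try:
        with open(path, "rb") as fh:
            text = fh.read(max_bytes).decode("utf-8", errors="ignore")
    except OSError:
        return hits  # unreadable file: nothing to report
    for name, rx in PATTERNS.items():
        if rx.search(text):
            hits.add(name)
    return hits

def audit_shared_dirs(shared_dirs):
    """Walk each shared folder; map every file holding PII to its pattern names."""
    findings = {}
    for base in shared_dirs:
        for root, _dirs, files in os.walk(base):
            for fn in files:
                path = os.path.join(root, fn)
                hits = scan_file(path)
                if hits:
                    findings[path] = sorted(hits)
    return findings

def demo():
    """Constructed sample: a music share with one stray billing export in it."""
    share = os.path.join(tempfile.mkdtemp(), "My Music")
    os.makedirs(share)
    with open(os.path.join(share, "playlist.m3u"), "w") as fh:
        fh.write("#EXTM3U\nsong1.mp3\nsong2.mp3\n")
    with open(os.path.join(share, "claims_export.csv"), "w") as fh:
        fh.write("name,ssn,dob,dx\nJane Doe,123-45-6789,DOB: 01/02/1970,Diagnosis: test\n")
    return audit_shared_dirs([share])

if __name__ == "__main__":
    for path, kinds in demo().items():
        print(f"REMOVE FROM SHARE: {path} ({', '.join(kinds)})")
```

Run it periodically against the folders a client is configured to share; any file it flags should be moved out of the share before the client is started.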



15 Comments

  1. Rob Hooft 04:31 PM 2/20/09

    The Netherlands are progressing towards digital patient records. This results in an outcry among privacy fighters.

    e.g. http://cultofthedeadfish.blogspot.com/2008/11/confusion-over-dutch-digital-patient.html

  2. fooch 05:05 PM 2/20/09

    Johnson points out that the shift to digital health care records will not be easy. "The (Obama) administration is moving toward a national electronic health care records system," he says, "but the transition is going to be painful. It's not until they understand how to secure these records that we'll be safe."

    Define 'safe'.

    The trick is to balance risk and value. One could argue there is value in sharing electronic medical information today, in say, ER's, such as with the CCR or continuity of care record (just to name a standard as an example).

  3. Old Agent 09:11 AM 2/21/09

    This is not new. Twenty years ago I worked for a Private Investigator who was getting medical files from many doctors offices. She paid from $30 to $300 for each file depending on how important the person was.

    Most files were gathered for corporations. The Private Investigator was doing background checks that included medical records. Often she got the files for political purposes. ALL of this is legal according to the SLED agents where it was reported.

    Your medical information has never been private when it comes to corporations and insurance companies.

  4. boondoggle 10:00 AM 2/21/09

    Someone is pulling our collective leg. This is not even remotely how P2P networks operate. Sounds like someone wrote a story without doing the research...

  5. Sharon McEachern 12:34 PM 2/21/09

    I like my medical privacy when it comes to hospital record-sharing. But I'd also like to stay ALIVE in the hospital, enabling me to worry about it. Hospitals are desperate to get their doctors to simply wash their hands. But less than 50 percent of doctors comply with hospital hand-washing requirements -- even before performing surgery! The chances that your doctor has washed his hands are less than the 50-50 odds of flipping a coin, according to the National Quality Forum.

    The Methicillin-resistant staph aureus, MRSA, is the strain of a once-innocuous staph infection that has become invulnerable to first-line antibiotics and kills more people every year in the U.S. than the AIDS virus. In the majority of cases MRSA is contracted in hospitals. The hospitals are desperate to get doctors to wash their hands with soap and water so that a person having minor surgery won't get MRSA and die in the hospital. There's an excellent article on the subject -- telling how hospitals are using "spies," and secret surveillance cameras to catch non-compliant doctors -- at:

    http://www.ethicsoup.com/2009/01/dont-kill-me-doctor-wash-your-hands.html

  7. boondoggle 02:27 PM 2/21/09

    I just re-read the article and I'm getting a little angry. Once more: this is NOT how P2P networks operate. Running eMule Gnutella or any of the others does NOT constitute an open door into your system. And directly contrary to what was stated in the article: If you are only looking to share music, then music is all you will share. Making files available on P2P is a deliberate act, not an accident. Medical privacy is very important, but running RIAA/MPAA propaganda as a news story does nothing to help the situation.

  8. mtrancher 05:29 PM 2/23/09

    Regardless of how P2P works it seems obvious that the security of information around the hospital is in sad shape even before we "digitize" all the medical records.

    Add to this the universal requirement before any medical treatment is performed of signing that release form that is so general that it is hard to imagine how any information could be considered private or secure in the medical field.

    Medical privacy in the hospital is about as elusive as modesty!

  9. Telrunya 06:24 PM 2/23/09

    If these files are unprotected on a computer set up for P2P then they have some serious HIPAA violations already. It is possible to create secure areas of the hard drives on these computers. The US Military has had digital records for a number of years alongside written records and they manage to maintain security just fine and comply with all HIPAA regulations.

  10. Telrunya in reply to Old Agent 06:29 PM 2/23/09

    Old Agent: The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996 and was enacted to prevent things like what you describe.

  11. rnparamedic03 10:19 AM 2/24/09

    Thank you for pointing that out. As the former HIPAA Officer for my EMS Service it was not hard to see the glaring lack of compliance here. Also I know something about securing data on computer systems. Even though a determined individual can get to any data if they try hard enough, reasonable efforts should protect data from casual downloading with P2P software.

  12. rnparamedic03 10:25 AM 2/24/09

    Thank you for pointing that out. As the former HIPAA Officer for my EMS Service it was not hard to see the glaring lack of compliance here. Simply put, the clients' data should have been secure from casual downloading. If the workers (and none mentioned here were actually care providers such as nursing) had been following reasonable precautions the data would be secure. I do take exception to the title of this article; these were insurance and billing people, not care providers.

  13. notslic 05:06 PM 2/24/09

    With regards to the administration's intent to put all our medical records on the Internet, I don't see this happening. The ACLU or some other citizens' rights organization will file suit. Roe V. Wade established a fundamental right to privacy between a doctor and a patient (it just happened to be an abortion case). Putting medical records on the Internet is just like making them public, no matter what security protocols are put in place. There will simply be way too many people with access for the information to ever be truly safe.

  14. jstreet 10:25 PM 4/14/10

    The issue of privacy has been with us since the first Caesar encryption method.

    Everyone knows that it is virtually impossible to keep secrets, if it is important enough for someone else to want to know them.

    Wars are won and lost on this issue. (Notice I said ALMOST impossible.)

    One of the authorities on internet hacking, for example, became a target for professional hackers, simply because they wanted to prove they could bring down the "great" expert's web site. She said she spent so many hours fending off attacks that she couldn't do anything else. And, in addition, she was not successful. She finally was forced to admit defeat and hand the task over to a professional organization that specializes in "invulnerable" websites.

    But the Federal Government can break into just about any computer. If they can't hack in they will simply break down your door and torture you until you open your files for them.
