Hospital Workers Sharing Music? They May Also Be Sharing Your Medical Records

Health care workers using Gnutella or other peer-to-peer (P2P) networks to share music and video may be putting you at risk for medical identity theft, Dartmouth researchers find



Searching P2P networks, the researchers found, for example, a government application for employment that included detailed background information, including the applicant's Social Security number, full name, date and place of birth, and mother's maiden name. Ironically, the document also included a three-page introduction highlighting the Electronic Communications Privacy Act measures undertaken by the government to protect the information in the document. Still, "it somehow ended up on to a P2P network," adds Johnson, who is also director of Dartmouth's Glassmeyer/McNamee Center for Digital Strategies.

P2P users—there were an estimated 10 million of them in 2007, according to an earlier study by Johnson and colleagues—generally think that, because they're just looking to share music, the rest of the files on their computers are off-limits, says Alan Paller, director of research for the SANS Institute. "But there are no defenses once you let someone inside your computer."

Over a two-week period last year, Johnson and his team used special P2P network analysis software developed by Cranberry Township, Pa.–based Tiversa, Inc., to search for information related to or mentioning the top 10 publicly traded U.S. health care providers, including two in Tennessee: Nashville-based Hospital Corporation of America, and Community Health Systems in Franklin, the latter of which in 2007 bought health care giant Triad Hospitals. When their searches turned up a file containing medical information on a particular computer, the researchers were able to use Internet Protocol (IP) addresses to trace that computer back to a particular location. In some cases, these files were located on computers connecting to the network from work; in others the computers were connecting wirelessly from homes, hotels or Starbucks.

In one case, Johnson and his team found two databases with detailed information on more than 20,000 hospital patients from the computer of a collection agency working for the hospital. Another search turned up a 1,718-page report with nearly 9,000 patient names, Social Security numbers, birth dates, insurers, group numbers and identification numbers. The researchers also found a PDF form for writing prescriptions that was blank, except for a doctor's signature at the bottom. "This document could be used for medical fraud by prescription drug dealers and abusers," Johnson noted in his report.
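The exposures described above come from P2P clients whose shared folder was set too broadly, so that billing spreadsheets and patient reports sat next to the music. The practical defence is to audit what a client is actually sharing before it connects. The Python script below is an added example, not the Dartmouth researchers' method or Tiversa's software: it walks each configured share root, flags text files whose content matches Social Security number or medical-record patterns, and flags office or database file types that have no business in a media share. The function names (`audit_shared_folders`, `scan_file`, `build_demo_share`), the pattern lists and the sample share tree are all constructed for illustration.

```python
"""Audit a P2P client's shared folders for files that look like they carry PII.

Added example, not from the article or from Tiversa: the share roots, file
names, patterns and sample contents below are constructed for illustration.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

# Illustrative patterns suggesting a file should never sit inside a shared folder.
# The SSN regex excludes area numbers 000, 666 and 9xx and zero groups.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
KEYWORD_RE = re.compile(
    r"\b(patient|diagnosis|social security|mother'?s maiden name|"
    r"prescription|insurer|group number)\b",
    re.IGNORECASE,
)
# Extensions cheap to inspect as text; binary office/database formats are
# judged by type alone because media shares should not contain them at all.
TEXT_EXTS = {".txt", ".csv", ".xml", ".json", ".html", ".htm", ".log", ".md"}
RISKY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".mdb", ".accdb", ".bak"}


@dataclass
class Finding:
    path: str
    reason: str
    ssn_count: int = 0
    keywords: list = field(default_factory=list)


def scan_file(path):
    """Return a Finding if the file looks sensitive, else None."""
    ext = os.path.splitext(path)[1].lower()
    if ext in TEXT_EXTS:
        try:
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                text = fh.read(2_000_000)  # cap the read to keep the audit cheap
        except OSError:
            return None
        ssns = len(SSN_RE.findall(text))
        kws = sorted({m.lower() for m in KEYWORD_RE.findall(text)})
        if ssns or kws:
            return Finding(path, "content matches PII patterns", ssns, kws)
        return None
    if ext in RISKY_EXTS:
        return Finding(path, f"{ext} file in a shared folder (not a media file)")
    return None


def audit_shared_folders(share_roots):
    """Walk every configured share root and collect sensitive-looking files."""
    findings = []
    for root in share_roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                finding = scan_file(os.path.join(dirpath, name))
                if finding:
                    findings.append(finding)
    return findings


def build_demo_share():
    """Create a constructed share tree mimicking an over-broad share root."""
    root = tempfile.mkdtemp(prefix="p2p_share_")
    os.makedirs(os.path.join(root, "Music"))
    os.makedirs(os.path.join(root, "Documents", "billing"))
    with open(os.path.join(root, "Music", "track01.mp3"), "wb") as fh:
        fh.write(b"\xff\xfb" + b"\x00" * 64)  # constructed bytes, not a real MP3
    with open(os.path.join(root, "Documents", "billing", "patients.csv"), "w") as fh:
        fh.write("patient,ssn,insurer,group number\n")
        fh.write("J. Doe,123-45-6789,ExampleCare,G-1001\n")  # constructed values
        fh.write("R. Roe,234-56-7890,ExampleCare,G-1002\n")
    with open(os.path.join(root, "Documents", "rx_form.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 constructed placeholder")
    return root


if __name__ == "__main__":
    demo = build_demo_share()
    for f in audit_shared_folders([demo]):
        print(f"{f.path}: {f.reason} (SSNs={f.ssn_count}, keywords={f.keywords})")
```

Run against the client's real share roots instead of the demo tree, the same walk reports the billing spreadsheet and the prescription form while leaving the music files alone; the fix in each case is to narrow the share root to the media folder rather than to rely on the client never being searched.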



15 Comments

  1. Rob Hooft 04:31 PM 2/20/09

    The Netherlands are progressing towards digital patient records. This results in an outcry among privacy fighters.

    e.g. http://cultofthedeadfish.blogspot.com/2008/11/confusion-over-dutch-digital-patient.html

  2. fooch 05:05 PM 2/20/09

    Johnson points out that the shift to digital health care records will not be easy. "The (Obama) administration is moving toward a national electronic health care records system," he says, "but the transition is going to be painful. It's not until they understand how to secure these records that we'll be safe."

    Define 'safe'.

    The trick is to balance risk and value. One could argue there is value in sharing electronic medical information today, in say, ER's, such as with the CCR or continuity of care record (just to name a standard as an example).

  3. Old Agent 09:11 AM 2/21/09

    This is not new. Twenty years ago I worked for a Private Investigator who was getting medical files from many doctors offices. She paid from $30 to $300 for each file depending on how important the person was.

    Most files were gathered for corporations. The Private Investigator was doing background checks that included medical records. Often she got the files for political purposes. ALL of this is legal according to the SLED agents where it was reported.

    Your medical information has never been private when it comes to corporations and insurance companies.

  4. boondoggle 10:00 AM 2/21/09

    Someone is pulling our collective leg. This is not even remotely how P2P networks operate. Sounds like someone wrote a story without doing the research...

  5. Sharon McEachern 12:34 PM 2/21/09

    I like my medical privacy when it comes to hospital record-sharing. But I'd also like to stay ALIVE in the hospital, enabling me to worry about it. Hospitals are desperate to get their doctors to simply wash their hands. But less than 50 percent of doctors comply with hospital hand-washing requirements -- even before performing surgery! The chances that your doctor has washed his hands is less than the 50-50 odds of flipping a coin, according to the National Quality Forum.

    The Methicillin-resistant staph aureus, MRSA, is the strain of a once-innocuous staph infection that has become invulnerable to first-line antibiotics and kills more people every year in the U.S. than the AIDS virus. In the majority of cases MRSA is contracted in hospitals. The hospitals are desperate to get doctors to wash their hands with soap and water so that a person having minor surgery won't get MRSA and die in the hospital. There's an excellent article on the subject -- telling how hospitals are using "spies," and secret surveillance cameras to catch non-compliant doctors -- at:

    http://www.ethicsoup.com/2009/01/dont-kill-me-doctor-wash-your-hands.html

  7. boondoggle 02:27 PM 2/21/09

    I just re-read the article and I'm getting a little angry. Once more: this is NOT how P2P networks operate. Running eMule Gnutella or any of the others does NOT constitute an open door into your system. And directly contrary to what was stated in the article: If you are only looking to share music, then music is all you will share. Making files available on P2P is a deliberate act, not an accident. Medical privacy is very important, but running RIAA/MPAA propaganda as a news story does nothing to help the situation.

  8. mtrancher 05:29 PM 2/23/09

    Regardless of how P2P works it seems obvious that the security of information around the hospital is in sad shape even before we "digitize" all the medical records.

    Add to this the universal requirement before any medical treatment is performed of signing that release form that is so general that it is hard to imagine how any information could be considered private or secure in the medical field.

    Medical privacy in the hospital is about as elusive as modesty!

  9. Telrunya 06:24 PM 2/23/09

    If these files are unprotected on a computer set up for P2P then they have some serious HIPAA violations already. It is possible to create secure areas of the hard drives on these computers. The US Military has had digital records for a number of years alongside written records and they manage to maintain security just fine and comply with all HIPAA regulations.

  10. Telrunya in reply to Old Agent 06:29 PM 2/23/09

    Old Agent: The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996 and was enacted to prevent things like what you describe.

  11. rnparamedic03 10:19 AM 2/24/09

    Thank you for pointing that out. As the former HIPAA Officer for my EMS Service it was not hard to see the glaring lack of compliance here. Also I know something about securing data on computer systems. Even though a determined individual can get to any data if they try hard enough, reasonable efforts should protect data from casual downloading with P2P software.

  12. rnparamedic03 10:25 AM 2/24/09

    Thank you for pointing that out. As the former HIPAA Officer for my EMS Service it was not hard to see the glaring lack of compliance here. Simply put, the clients' data should have been secure from casual downloading. If the workers (and none mentioned here were actually care providers such as nursing) had been following reasonable precautions the data would be secure. I do take exception to the title of this article; these were insurance and billing people, not care providers.

  13. notslic 05:06 PM 2/24/09

    With regards to the administration's intent to put all our medical records on the Internet, I don't see this happening. The ACLU or some other citizens' rights organization will file suit. Roe V. Wade established a fundamental right to privacy between a doctor and a patient (it just happened to be an abortion case). Putting medical records on the Internet is just like making them public, no matter what security protocols are put in place. There will simply be way too many people with access for the information to ever be truly safe.

  14. jstreet 10:25 PM 4/14/10

    The issue of privacy has been with us since the first Caesar encryption method.

    Everyone knows that it is virtually impossible to keep secrets, if it is important enough for someone else to want to know them.

    Wars are won and lost on this issue. (Notice I said ALMOST impossible.)

    One of the authorities on internet hacking, for example, became a target for professional hackers, simply because they wanted to prove they could bring down the "great" expert's web site. She said she spent so many hours fending off attacks that she couldn't do anything else. And, in addition, she was not successful. She finally was forced to admit defeat and hand the task over to a professional organization that specializes in "invulnerable" websites.

    But the Federal Government can break into just about any computer. If they can't hack in they will simply break down your door and torture you until you open your files for them.
