
File-sharing networks used to uncover thousands of medical records

The Straight Story Donating Member (1000+ posts) Sat Feb-28-09 12:57 PM
Original message
File-sharing networks used to uncover thousands of medical records

By Bob Brewin 02/27/2009

Just days after President Obama signed a law giving billions of dollars to develop electronic health records, a university technology professor submitted a paper showing that he was able to uncover tens of thousands of medical files containing names, addresses and Social Security numbers for patients seeking treatment for conditions ranging from AIDS to mental health problems.

Using peer-to-peer applications, which computer users download to share files, most commonly music and movies, M. Eric Johnson, director of the Center for Digital Strategies at Dartmouth College in Hanover, N.H., was able to access electronic medical records on computers that had the peer-to-peer programs stored on their hard drives. The medical files contained detailed personal data on physical and mental diagnoses, which a hacker could use to not only embarrass a patient but also to commit medical fraud.

One of the largest stashes of medical data Johnson discovered during two weeks of research he conducted in January was a database containing two spreadsheets from a hospital he declined to identify. The files contained records on 20,000 patients, which included names, Social Security numbers, insurance carriers and codes for diagnoses. The codes identified by name four patients infected with AIDS, the mental illnesses that 201 others were diagnosed as having and cancer findings for 326 patients. Data also included links to four major hospitals and 355 insurance carriers that provided health coverage to 4,029 employers and 266 doctors.

"Each of these constituents was exposed in this disclosure," Johnson wrote in a paper on the subject he presented at a conference on Feb. 23. "The exposure of sensitive patient health information may be most alarming to citizens."

http://www.nextgov.com/nextgov/ng_20090227_9147.php

leftyladyfrommo Donating Member (1000+ posts) Sat Feb-28-09 01:04 PM
Response to Original message
1. We simply have no privacy anymore.
One of the bad things about this computer age.

One shouldn't think that their communications are private, either. It's all out there. All your financial stuff. All your medical stuff. Everything.

Gormy Cuss Donating Member (1000+ posts) Sat Feb-28-09 01:08 PM
Response to Reply #1
2. The purpose of the experiment was to demonstrate the need for better IT security for health data.
What we really need are broad range privacy laws but business lobbyists will make sure that doesn't happen.

geckosfeet Donating Member (1000+ posts) Sat Feb-28-09 01:11 PM
Response to Original message
3. If you install peer to peer on a machine that you store private information on
it's your own damn fault.

druidity33 Donating Member (1000+ posts) Sat Feb-28-09 01:31 PM
Response to Reply #3
5. bullshit
Any person who wants to spend a freaking second or two to designate a secure Sharing folder will not be "attacked". When you leave your entire system open, and your P2P program always running, then of course you're vulnerable.

I would bet this happened because people tend to download at work if they can... anyone stopping Hospital clerks from bringing in jump drives for downloading the newest Hannah Montana album?

This is not about P2P technology. This is about being smart with computers...

geckosfeet Donating Member (1000+ posts) Sat Feb-28-09 04:35 PM
Response to Reply #5
7. That's my point. Thanks for jumping up my ass about it.
People left to their own devices will install software and use computers in an insecure manner.

And I must disagree to a point - it IS about security flaws in the software. If it is vulnerable unless people are "smart", then it is not safe - because -> people left to their own devices will install software and use computers in an insecure manner.

So bullshit on you.

druidity33 Donating Member (1000+ posts) Sat Feb-28-09 06:02 PM
Response to Reply #7
8. I work in a photo lab
I am an "associate", so do not have access to the Administrative passwords on our Internet based systems. It is pretty easy to set up a computer so that there are different user accounts. My account cannot install a program, visit the internet (other than camera manufacturer websites), access logs, etc.

I am saying that if we have better Internet Security in a photo lab, maybe the hospitals should work on hiring better internal IT people?


It seemed to me that your first comment was inappropriately "dissing" P2P technology. I take umbrage with that if you were. If you weren't, i apologize. Otherwise we're pretty much in agreement, i think.


:)


geckosfeet Donating Member (1000+ posts) Sat Feb-28-09 06:18 PM
Response to Reply #8
9. To a point. Software needs to be smarter and safer since people prove
time and time again that they will disable or fail to enable safety features.

Not dissing p2p in general - just that it is a security breach when used improperly. People simply are not aware of the security issues when they open their machines up. The software needs to do a better job of securing its host.

druidity33 Donating Member (1000+ posts) Sat Feb-28-09 08:07 PM
Response to Reply #9
12. well, honestly
having an internet connection can be a security breach for some people.

Do we really have to dumb absolutely everything down so that Americans can figure things out?

I had a woman call today and tell me she hadn't used her camera for a year because the last time she turned it on (on her first day of a 7-day trip to Ireland) the screen flashed "corrupted data" and wouldn't let her take a picture. She was looking to buy a new camera. If she had asked someone or looked in her manual under "troubleshooting" she would've known it was a memory card issue and Formatting the card would in a few seconds solve the problem. A year. She basically put the camera down and didn't get back to it because the camera wasn't foolproof. She actually would've had to read something to figure it out.

No software is going to be "foolproof". I think securing a computer can take very little effort. Even with P2P systems installed and running.

Sorry.

:shrug:


geckosfeet Donating Member (1000+ posts) Sat Feb-28-09 08:59 PM
Response to Reply #12
13. I agree with that. But sadly yes, as dumbed down as possible. And it still won't be enough.

moriah Donating Member (1000+ posts) Sat Feb-28-09 09:59 PM
Response to Reply #12
15. As a tech support person, I can emphatically answer "Yes...".
... but it's not limited to Americans that we have to dumb down things for.

Users are users, no matter what their nationality. (Or, as my scary.devil.monastery friends would say, lusers are lusers.)

haydukelives Donating Member (1000+ posts) Sun Mar-01-09 11:06 AM
Response to Reply #12
19. nothing is foolproof
Because fools are so ingenious.

midnight Donating Member (1000+ posts) Sat Feb-28-09 01:15 PM
Response to Original message
4. So is this professor saying the technology is already there, and
it is not safe?

dbonds Donating Member (1000+ posts) Sat Feb-28-09 01:48 PM
Response to Reply #4
6. A badly implemented version of the technology is there.
It is possible to have the records safe. Someone just did a poor job of implementing an electronic system.

Deja Q Donating Member (1000+ posts) Sat Feb-28-09 06:29 PM
Response to Original message
10. Isn't an electronic system already in place?
I had put in a prescription for a medication, forgotten I had done so, found a bottle of the same medication from another pharmacy, ordered it. When I went there (pharmacy 2), they said it was already placed at (pharmacy 1).

Did I mention pharmacy 1 and pharmacy 2 are totally unrelated corporations/entities?

Still Sensible Donating Member (1000+ posts) Sat Feb-28-09 06:38 PM
Response to Original message
11. Sounds like republican propaganda to battle the
President's initiative. Electronic medical records can be made and kept as secure as any other electronic records. Do we stop keeping electronic financial records because criminals occasionally hack into a database somewhere? Do we stop keeping academic records because criminals occasionally hack into a database somewhere? Of course not.

crikkett Donating Member (1000+ posts) Sun Mar-01-09 11:52 AM
Response to Reply #11
20. No, we instead require medical facilities to implement security measures.
Edited on Sun Mar-01-09 11:53 AM by crikkett
And we force them to hire qualified IT people to do it.

bemildred Donating Member (1000+ posts) Sat Feb-28-09 09:05 PM
Response to Original message
14. Data which is meant to be secure should not be on systems that are connected to the internet.
What is so hard to understand about that?

druidity33 Donating Member (1000+ posts) Sun Mar-01-09 03:42 PM
Response to Reply #14
21. not at all
Honestly, there are simple and free ways to keep a Secure system. Period. One does not need to be offline. One does not need to abandon P2P technology. You don't need to dig a hole and encase it in aluminum. You are more likely to have your identity stolen when people hack into your Bank's mainframe, or your insurance agent's office, than if you were to leave your computer running accidentally.


Fill out a user profile and Log off when you're done computing. Make sure you're the only one that knows the Admin password. Turn off ports not used. Turn off the Remote Login for your computer, etc, etc.

It's not rocket science folks. Having access to the internets doesn't mean you are automatically leaving yourself wide open to hacks.

:shrug:

eridani Donating Member (1000+ posts) Sun Mar-01-09 06:57 AM
Response to Original message
16. This is about hospitals and their security, not anything that patients do
Electronic records are a disaster waiting to happen if private insurance continues to exist.

bluesmail Donating Member (1000+ posts) Sun Mar-01-09 10:41 AM
Response to Original message
17. I'm hoping the true reason
is they're snooping into Dick and George's, and Donald and Condi's. :evilgrin:

Yavin4 Donating Member (1000+ posts) Sun Mar-01-09 10:44 AM
Response to Original message
18. These Records Aren't Stored Here On US Servers
These files are on servers in places like India which have lax data security.