Wednesday, March 10, 2010

Annals of Security: File-Sharing Tools Imperil Personal Health Data

Physicians who use file-sharing software can inadvertently expose their patients' health and financial information, according to a study in the Journal of the American Medical Informatics Association.

The study, by Khaled El Emam and colleagues at Children's Hospital of Eastern Ontario, is the first to quantify the risks associated with physician use of file-sharing applications, which are typically used to access and share music, videos and porn.

Over the course of one year, El Emam’s group used popular file-sharing software, including Limewire, BitTorrent and Kazaa, to access and download more than 23 million files from computers in the US and Canada.

They found personal health and financial information in 2%, or tens of thousands, of the Canadian files and 5%, or hundreds of thousands, of the US files.

The information included medical authorizations containing patient insurance information, Social Security numbers, phone numbers, dates of birth, medical histories and current medication lists. Other files contained financial information like credit card numbers, passwords and PINs.

In addition, El Emam’s group found evidence that outsiders were actively searching for files containing personal health and financial data. "There is no obvious innocent reason why anyone would be looking for this kind of information," El Emam told Healthcare IT News.

These file-sharing tools "are not completely intuitive and can thus lead to errors as to which files or folders are set up for sharing. Without additional protection on the health records, like encryption or elevated access controls, it is entirely possible that a misconfigured file sharing tool could access the records," Robert Grapes, Cloakware’s chief technologist, added.

The scientists advised that file-sharing tools can make health and financial documents vulnerable to fraud or theft, and that unless all office personnel understand how to operate the security settings on such software, it’s best not to use it on computers where such information is housed.

"A significant amount of information is leaking and I think it's important for the public to be aware of the risks of running those programs," El Emam told the Montreal Gazette.

Simon Morris, VP of marketing and products at BitTorrent, said that inadvertent file sharing of the sort described by El Emam is impossible on BitTorrent because files are only shared when they are downloaded. Morris did concur that such breaches were possible with other file-sharing software.

"The problem is that consumers in the past have sometimes not understood what it means to 'share' a folder, and sometimes accidentally shared folders (or folders within folders) which contain all sorts of private information (tax returns, etc.)," Morris said.

The issues raised above are new to health care, but they have already affected other sectors. Federal government personnel have inadvertently exposed sensitive government and personal information by having file-sharing software on their work computers.

The information known to have been lost in this manner includes lists of people with HIV, FBI photos of a Mafia hit man, the names of people in the federal witness protection program and the safe-house location for Laura Bush, according to testimony provided last summer to the House Oversight and Government Reform Committee.

Glenn Laffel, MD, PhD
Sr. VP Clinical Affairs, Practice Fusion
