Tiversa
Has HITECH Healed Patient Data Hemorrhages?

   
INSIGHT | July 6, 2010

Tuck School of Business at Dartmouth

Nearly eight months after new rules were enacted requiring stronger protection of health care information, organizations are still leaking such data on file-sharing networks, a study by Dartmouth College's Tuck School of Business has found. In a research paper to be presented at an IEEE security symposium Tuesday, Dartmouth College professor Eric Johnson will describe how university researchers discovered thousands of documents containing sensitive patient information on popular peer-to-peer (P2P) networks. One of the more than 3,000 files discovered by the researchers was a spreadsheet containing insurance details, personally identifying information, physician names and diagnosis codes on more than 28,000 individuals. Another document contained similar data on more than 7,000 individuals. Many of the documents contained sensitive patient communications, treatment data, medical diagnoses and psychiatric evaluations. At least five files contained enough information to be classified as a major breach under current health-care breach notification rules.

The Extended Enterprise (suppliers, third parties, remote employees) of healthcare providers often includes many technically unsophisticated partners who are more likely to expose information. Thus tracking and stopping medical data hemorrhages is more complex and possibly harder to control given the fragmented nature of the U.S. healthcare system. However, efforts to move sensitive information out of ad-hoc spreadsheets and into better-managed EHR, as well as proactively monitoring internet-based networks for exposure, will reduce the inadvertent disclosures documented in this paper.

Research Highlights


5 Major Breaches Detected in Two-Week Period: 28,000 Individuals Exposed | Under the recent Health Information Technology for Economic and Clinical Health (HITECH) legislation, affected individuals must be notified within 60 days after the discovery of a breach. If a breach affects more than 500 people, state media and government notifications are required.

Exposed Healthcare Data Fuels ID Theft and Medical Fraud | This research demonstrates that the threat to the healthcare sector continued, as disclosed data was detected on file-sharing networks despite the HITECH Act taking effect in September of 2009. The sensitive data being exposed on file-sharing networks is the type used in identity theft and medical fraud, at a cost to both individual consumers and healthcare organizations.

Demand is Very Real: File-Sharing Users Employing Highly-Targeted Searches | The collected search data exposes the prevalence of malicious medical-related searches on P2P networks. Users have developed targeted search terms for flushing out patient data files and research findings. When this information is combined with the numerous documents collected as part of our experiments, we conclude that users are not only searching for sensitive files, but finding them.

To request a copy of this white paper or to download the Key Findings, please email us at info@tiversa.com

Prepared By:
M. Eric Johnson
Nicolas Willey
Center for Digital Strategies
Tuck School of Business
Dartmouth College


 



 

Related News

CIO Magazine
June 17, 2010
Data Breaches Persist in Healthcare

The Wall Street Journal
June 22, 2010
Hackers Aren't Only Threat to Privacy




 


 
 