Health information at risk with file-sharing programs

Peer-to-peer network users inadvertently may expose patient data on an open network.

By Pamela Lewis Dolan — Posted April 12, 2010

Print  |   Email  |   Respond  |   Reprints  |   Like Facebook  |   Share Twitter  |   Tweet Linkedin

Something as seemingly innocuous as sharing music files on online networks could be putting patient data at risk.

Research from the University of Ottawa in Canada, published in the March Journal of the American Medical Informatics Assn., found a significant risk of inadvertent exposure of personal health information for those who use peer-to-peer file-sharing networks, such as those used to share music. While such instances are uncommon, they result in tens of thousands of breached files, according to the study. The authors said the breach often comes from patients but physician offices also have been culpable.

Peer-to-peer file-sharing software opens up files to others in an online network, allowing other members to download files from computers in that network. The software generally has configurations that make only selected files available to others. But many times a misunderstanding of how a file-sharing program works or a misconfiguration of the program inadvertently opens up personal files to the network, according to the study's authors.

The authors said such misunderstandings have occurred by users using file-sharing sites on the same computers used to store patient data.

The file-sharing programs were designed so users could share music and multimedia files. Files are found by searching for file types, such as MP3s, and a search term, such as a song title or a musician's name. For this study, researchers performed an automated search across various peer-to-peer networks for non-multimedia files, including Word documents, Outlook e-mail files, PDF files, Access database files and Excel spreadsheets.

The query found that 0.4% of all Canadian IP addresses and 0.5% of all U.S. IP addresses exposed personal health information. Considering the millions of people who use file-sharing applications, this percentage represents tens of thousands of IP addresses exposing personal health information in Canada and the U.S., the study concluded.

Some of the data researchers exposed included several documents pertaining to an injury a U.S. soldier sustained before he began a post at Guantanamo Bay. Another was a teenager's medical form that included drug and medical history, a health insurance number and the teen's contact information. Other medical documents and medical leave requests also were found.

Lead author Khaled El Emam, PhD, an associate professor at the University of Ottawa, said much of the data found in researching the paper most likely would have come from patients. But there is evidence that physician practices also are exposing patient data in the same manner.

Researchers also found that identity thieves and scammers already are wise to the breach risk and are using query terms such as "medical form" or "tax return" to phish for private information. Financial information is at greater risk than health information, the study found, with 1.7% of all Canadian IP addresses and 4.7% of all U.S. IP addresses exposing financial information on peer-to-peer networks.

A study of the music-sharing program Kazaa was conducted by Hewlett-Packard's HP Labs in 2002. Similar to El Emam's study, it found that a misunderstanding of how the program worked resulted in the exposure of thousands of files containing personal information. The authors of that study suggested that to control this exposure of data, programmers need to design the software to allow the exchange of only multimedia files.

El Emam said many of the file-sharing programs developed in the United States have been made more secure in recent years because of tight security standards. He recommends that users, even those outside the United States, use only American-made products for this reason.

"There is still some discussion about how much they have moved in that direction [of security] and whether that is enough, but at least they are moving," El Emam said.

Edward Shortliffe, MD, PhD, president of the American Medical Informatics Assn., said physicians should take those protections one step further and not use -- or allow their staff to use -- peer-to-peer file-sharing services on computers used for patient care information.

"Although patients may not have the luxury of using different computers for handling personal health data and routine computing activities, physicians and provider organizations need to be more rigorous and attentive in segmenting such computer-based activities," Dr. Shortliffe said in an e-mail to American Medical News.

El Emam said users also can choose applications that allow peer-to-peer sharing, but not on an open network. All communication between peers on this type of network is secure.

The authors concluded that the problem needs to be resolved quickly.

"As more health information gets digitized, it is expected that the amount of health information available to individuals on their personal computers will increase," the study authors wrote.

Back to top

External links

"The inadvertent disclosure of personal health information through peer-to-peer file-sharing programs," abstract, Journal of the American Medical Informatics Assn., March (link)

Back to top



Read story

Confronting bias against obese patients

Medical educators are starting to raise awareness about how weight-related stigma can impair patient-physician communication and the treatment of obesity. Read story

Read story


American Medical News is ceasing publication after 55 years of serving physicians by keeping them informed of their rapidly changing profession. Read story

Read story

Policing medical practice employees after work

Doctors can try to regulate staff actions outside the office, but they must watch what they try to stamp out and how they do it. Read story

Read story

Diabetes prevention: Set on a course for lifestyle change

The YMCA's evidence-based program is helping prediabetic patients eat right, get active and lose weight. Read story

Read story

Medicaid's muddled preventive care picture

The health system reform law promises no-cost coverage of a lengthy list of screenings and other prevention services, but some beneficiaries still might miss out. Read story

Read story

How to get tax breaks for your medical practice

Federal, state and local governments offer doctors incentives because practices are recognized as economic engines. But physicians must know how and where to find them. Read story

Read story

Advance pay ACOs: A down payment on Medicare's future

Accountable care organizations that pay doctors up-front bring practice improvements, but it's unclear yet if program actuaries will see a return on investment. Read story

Read story

Physician liability: Your team, your legal risk

When health care team members drop the ball, it's often doctors who end up in court. How can physicians improve such care and avoid risks? Read story

  • Stay informed
  • Twitter
  • Facebook
  • RSS
  • LinkedIn