The Security Scrutinizer with Howard Anderson

Avoiding P2P Network Risks

FTC Action Calls Attention to Vulnerabilities

If you'd like to avoid being subjected to a federally mandated biennial data security audit for the next 20 years, you might want to make sure no one in your organization is using peer-to-peer networks.

See Also: Live Webinar | Navigating Identity Threats: Detection & Response Strategies for Modern Security Challenges

The FTC recently announced settlement agreements with two businesses charged with exposing sensitive consumer information on P2P file-sharing networks (see: FTC Highlights P2P Network Risks). One of those businesses - a debt collection company - put 3,800 hospital patients' data at risk because the information was accessible via a file-sharing network.

The FTC claims the debt collector allowed P2P software to be installed on its corporate computer systems, violating the businesses' obligation to protect consumer privacy and the security, confidentiality and integrity of personal information. The file-sharing network provided unauthorized access to patient information, including Social Security numbers, health insurance numbers and medical diagnosis codes.

The debt collector, according to the FTC, did not have an appropriate information security plan, failed to assess risks to stored consumer information, did not adequately train employees, did not use reasonable measures to enforce compliance with internal security policies and failed to use reasonable methods to prevent, detect and investigate unauthorized access to personal information on its networks.

As a result, the FTC imposed the 20 years' worth of audits and required the firm to establish and maintain a comprehensive information security program.

The Risks

P2P networks may seem harmless enough: They're used to play games and make online telephone calls. Peer-to-peer file-sharing software also enables network users to share music, videos and documents.

But in 2010, the FTC posted a notification that P2P networks also allow stored consumer data - including healthcare information - to be shared.

Two years ago, I blogged about a study led by Dartmouth College researcher M. Eric Johnson, whose team conducted keyword searches on several P2P networks and easily discovered patient information in spreadsheets, PDFs or other document formats. Why was this possible? It's the result of improperly installed file-sharing software that can expose all the data on a computer to a P2P network, Johnson said.

His advice? Ban the use of P2P networks on your organization's computers. Other key steps:

  • Make sure that when employees take laptops home, they don't let teenagers use them to access a P2P network and download music.
  • Consider such technologies as P2P monitoring, encryption, tokenization and data truncation to help address security issues raised by the file-sharing networks.
  • Avoid storing patient information on vulnerable spreadsheets and documents, rather than segregating it in more secure electronic health records systems.
  • Although making widespread use of encryption is also an important step, Johnson stresses that encryption may not adequately protect information from P2P threats. For example, disk-level encryption may only kick in when a computer is shut down, leaving data vulnerable for extended periods if the computer is linked to a P2P network or hacked.

    The bottom line? A good risk management strategy includes banning P2P networks in the workplace.



    About the Author

    Howard Anderson

    Howard Anderson

    Former News Editor, ISMG

    Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.




    Around the Network

    Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.