Avoiding P2P Network Risks
FTC Action Calls Attention to Vulnerabilities

If you'd like to avoid being subjected to a federally mandated biennial data security audit for the next 20 years, you might want to make sure no one in your organization is using peer-to-peer networks.
The FTC recently announced settlement agreements with two businesses charged with exposing sensitive consumer information on P2P file-sharing networks (see: FTC Highlights P2P Network Risks). One of those businesses - a debt collection company - put 3,800 hospital patients' data at risk because the information was accessible via a file-sharing network.
The FTC claims the debt collector allowed P2P software to be installed on its corporate computer systems, violating the business's obligation to protect consumer privacy and the security, confidentiality and integrity of personal information. The file-sharing network provided unauthorized access to patient information, including Social Security numbers, health insurance numbers and medical diagnosis codes.
The debt collector, according to the FTC, did not have an appropriate information security plan, failed to assess risks to stored consumer information, did not adequately train employees, did not use reasonable measures to enforce compliance with internal security policies and failed to use reasonable methods to prevent, detect and investigate unauthorized access to personal information on its networks.
As a result, the FTC imposed the 20 years' worth of audits and required the firm to establish and maintain a comprehensive information security program.
The Risks
P2P networks may seem harmless enough: They're used to play games and make online telephone calls. Peer-to-peer file-sharing software also enables network users to share music, videos and documents.
But in 2010, the FTC posted a notification that P2P networks also allow stored consumer data - including healthcare information - to be shared.
Two years ago, I blogged about a study led by Dartmouth College researcher M. Eric Johnson, whose team conducted keyword searches on several P2P networks and easily discovered patient information in spreadsheets, PDFs or other document formats. Why was this possible? It's the result of improperly installed file-sharing software that can expose all the data on a computer to a P2P network, Johnson said.
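As an added example (not code from this article or from the Dartmouth study), the following Python audit script checks a P2P client's configured share roots for the misconfiguration Johnson describes: a share root that encloses the whole user profile rather than a dedicated download folder, and files under the shared roots whose contents look like patient records. The profile layout, the share configurations and the content signatures are constructed assumptions for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Crude content signatures for the kinds of data the FTC case involved.
# Constructed for this example; a real DLP scanner would use validated
# checks (e.g. SSN area-number rules), not bare regexes.
SIGNATURES = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "insurance_id": re.compile(r"\b[A-Z]{3}\d{9}\b"),  # hypothetical member-ID shape
}
# Only plain-text exports are content-scanned; PDFs/XLS are out of scope here.
TEXT_SUFFIXES = {".csv", ".txt", ".tsv"}

def scope_findings(share_roots, home):
    """Flag shared folders that enclose the whole user profile or a drive root."""
    home = Path(home).resolve()
    problems = []
    for root in share_roots:
        r = Path(root).resolve()
        if r == home or home.is_relative_to(r):
            problems.append(f"{r} shares the entire profile (or more)")
    return problems

def content_findings(share_roots):
    """List (path, signature) pairs for shared files that look like patient data."""
    hits = []
    for root in share_roots:
        for path in Path(root).rglob("*"):
            if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
                continue
            text = path.read_text(errors="ignore")
            for name, rx in SIGNATURES.items():
                if rx.search(text):
                    hits.append((str(path), name))
    return hits

def build_demo_profile():
    """Constructed profile: a patient export in Documents, a playlist in Downloads."""
    home = Path(tempfile.mkdtemp()) / "jdoe"
    (home / "Documents").mkdir(parents=True)
    (home / "Downloads").mkdir()
    (home / "Documents" / "patients.csv").write_text(
        "name,ssn,member_id\nA. Patient,123-45-6789,ABC123456789\n")
    (home / "Downloads" / "playlist.txt").write_text("track01.mp3\n")
    return home

if __name__ == "__main__":
    home = build_demo_profile()
    # A dedicated download folder exposes nothing; sharing the profile root exposes the export.
    for label, roots in (("dedicated", [home / "Downloads"]), ("misconfigured", [home])):
        print(label, scope_findings(roots, home), content_findings(roots))
```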
His advice? Ban the use of P2P networks on your organization's computers. Other key steps:
Although making widespread use of encryption is also an important step, Johnson stresses that encryption may not adequately protect information from P2P threats. For example, disk-level encryption may only kick in when a computer is shut down, leaving data vulnerable for extended periods if the computer is linked to a P2P network or hacked.
The bottom line? A good risk management strategy includes banning P2P networks in the workplace.