HIPAA Regulatory Alert: Popular PC applications can cause security leaks

Is instant messaging compromising your PHI?

A report issued by Palisade Systems Inc. in Ames, IA, and Clive, IA-based HIPAA Academy says that health care organizations that allow peer-to-peer (P2P) and instant messenger applications to run on their computer networks risk compromising patient health information and causing HIPAA privacy violations.

"P2P applications open up a health care organization’s network to the outside world," says HIPAA Academy compliance manager Mark Glowacki. "Applications like P2P and instant messenger allow employees to communicate and share files covertly with outside parties. Because these applications can run without being detected by conventional security applications like firewalls, security violations are only discovered after the fact. With instant messaging, undocumented communications regarding a patient may occur without the health care organization’s knowledge, leading to an unintentional breach of HIPAA’s access requirements."

In addition to undetected file sharing, P2P and instant messenger applications can expose an organization to security threats targeted at these applications, such as worms, viruses, and spyware. Glowacki says that several P2P applications include spyware as a standard part of the installation, which may allow for unauthorized collection and distribution of confidential information. Free instant messaging applications can allow a hacker to take over the user’s computer through security vulnerabilities that are not actively patched.

Police department passwords found

According to the report, in September 2002, Aspen, CO, city government officials received an e-mail indicating that someone had downloaded police department passwords and sensitive city information from its network through a file-sharing program. The user was searching for a movie and came across the entire contents of the network administrator’s hard drive.

According to the report, although some cases of sharing confidential information are malicious, most involve users who are not savvy enough to restrict access only to appropriate files.

The authors say that instant messaging applications provide no control over the sharing of confidential materials. Employees who use such applications to communicate about patients expose an institution to critical information leaks that can constitute a breach of HIPAA security requirements. "It would be easy for employees to illegally share critical protected health information with outside parties, either unintentionally or maliciously, without the detection or knowledge of the health care organization," the report declares. In addition, hackers can leverage well-documented instant messenger security vulnerabilities to take over computers.

"No organization with P2P or uncontrolled instant messenger programs running on its network can be HIPAA-compliant," says Palisade Systems president Doug Jacobson. "The applications open up too many security holes, and companies discover them too late."

For more information, go to www.palisadesys.com or www.hipaaacademy.net.