Is instant messaging compromising privacy?
A report issued by Palisades Systems in Ames, IA, and HIPAA Academy in Clive, IA, says health care organizations that allow peer-to-peer (P2P) and instant messaging applications to run on their computer networks risk compromising patient health information and violating the privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA).
"P2P applications open up a health care organization’s network to the outside world," says HIPAA Academy compliance manager Mark Glowacki. "Applications like P2P and AOL Instant Messenger allow employees to communicate and share files covertly with outside parties. Because these applications can run without being detected by conventional security applications like firewalls, security violations are only discovered after the fact. With instant messaging, undocumented communications regarding a patient may occur without the health care organization’s knowledge, leading to an unintentional breach of HIPAA’s access requirements."
In addition to undetected file sharing, P2P and instant messaging can expose an organization to security threats targeted at these applications, such as worms, viruses, and spyware. Glowacki says several P2P applications include spyware as a standard part of the installation, which may allow unauthorized collection and distribution of confidential information. Free instant messaging applications can allow a hacker to take over the user’s computer through security vulnerabilities that have not been sufficiently patched.
Police department passwords found
The report specifically references the file-sharing program KaZaA, saying that in September 2002, city government officials in Aspen, CO, received an e-mail indicating that someone had downloaded police department passwords and sensitive city information over KaZaA from its network. The user was searching for a movie and came across the entire contents of the network administrator’s hard drive.
The report says that while some cases of sharing confidential information are malicious, most involve users who are not tech-savvy enough to restrict access to appropriate files.
The authors say instant messaging applications provide no control over the sharing of confidential materials. Employees who use such applications to transmit patient information can expose an institution to critical information leaks that constitute a breach of HIPAA security requirements. "It would be easy for employees to illegally share critical protected health information with outside parties, either unintentionally or maliciously, without the detection or knowledge of the health care organization," the report declares. In addition, hackers can leverage well-documented instant messaging security vulnerabilities to take over computers.
"No organization with P2P or uncontrolled instant messaging programs running on its network can be HIPAA-compliant," says Palisades Systems president Doug Jacobson. "The applications open up too many security holes, and companies discover them too late."