One of the most common (and highest-risk) categories of user-installed software found on enterprise desktop computers is P2P[i] file-sharing software. This software can be detected with network scanning software like Nessus.[ii]
Unlike other software, P2P file-sharing software is very effective at circumventing an organization’s security perimeter. In most organizations, the measures in place to prevent users from installing software are easily circumvented: (1) by installing and running the software from a USB key, (2) by using the local Administrator account to install the software, because the local Administrator password has not been set since the last re-image or is known to users, or (3) by having IT install the software at a user’s request.

Recently, the Department of Health and Human Services (“HHS”) has been very proactive in getting the message out that portable media, laptops, and other similar devices that contain electronic protected health information (e-PHI) must be encrypted. However, despite numerous alleged disclosures of e-PHI on P2P networks, HHS is failing to inform patients, covered entities, and business associates of covered entities about the risks of peer-to-peer (P2P) file sharing and the inadvertent sharing of documents containing e-PHI.
Last summer, P2P programs reportedly and inadvertently shared information about presidential motorcade routes, a Secret Service safe house for former first lady Laura Bush, and personal information of more than 220,000 soldiers and hospital patients.[iii]
In February 2009, a researcher at Dartmouth College, using four P2P networks — Gnutella, FastTrack, Ares and eDonkey — collected 3,328 files. The researcher located 161 unique files that contained sensitive information which could be used to commit medical or financial identity theft. (See Johnson, M. Eric, Data Hemorrhages in the Health-Care Sector, Center for Digital Strategies, Tuck School of Business, Dartmouth College, Hanover NH 03755, available at http://mba.tuck.dartmouth.edu/digital/Research/ResearchProjects/JohnsonHemorrhagesFC09Proceedingd.pdf; see also http://www.wired.com/threatlevel/2009/03/p2p-networks-le/.)
On March 5, 2010, a research paper entitled The Inadvertent Disclosure of Personal Health Information Through Peer-To-Peer File Sharing Programs confirmed the Dartmouth study. This study found that:
Approximately 0.4% of Canadian IP addresses had PHI, as did 0.5% of US IP addresses. There was more disclosure of financial information, at 1.7% of Canadian IP addresses and 4.7% of US IP addresses. An analysis of search terms used in these file sharing networks showed that a small percentage of the terms would return PHI and PFI files (i.e., there are people successfully searching for PFI and PHI on the peer-to-peer file sharing networks).
(See J Am Med Inform Assoc 2010;17:148–158, doi:10.1136/jamia.2009.000232; article available at http://jamia.bmj.com/content/17/2/148.short.) Additional examples and case studies of various types of disclosures are available in a web-only appendix at http://jamia.bmj.com/content/17/2/148/suppl/DC1.
Legislators have proposed at least one bill, HR 1319 (December 9, 2009), to limit the undisclosed sharing of files without a user’s consent. (HR 1319 is entitled “AN ACT To prevent the inadvertent disclosure of information on a computer through certain ‘peer-to-peer’ file sharing programs without first providing notice and obtaining consent from an owner or authorized user of the computer” and is available at http://www.govtrack.us/congress/bill.xpd?bill=h111-1319.) With the prospect of legislation requiring P2P software vendors to educate users, control network content, and provide other family-friendly features, mainstream P2P file-sharing companies are taking steps to inform users how to properly configure their software. In addition, some companies have redesigned their products with default configurations that may, in some circumstances, share less information of a sensitive nature. (See http://www.limewire.com/legal/safety.)
The FTC has been proactive about informing consumers and companies of the risks that P2P file sharing poses to their personal information. In late February 2010, the FTC sent warning letters to more than 100 companies highlighting concerns about personal information of consumers and/or employees being found on file-sharing networks. The FTC requested that the aforementioned companies review their internal security procedures and the security procedures of their third-party service providers and/or business associates. The FTC also requested that the companies identify affected individuals and assess whether to notify them of the possible risks to their personal information pursuant to applicable state and federal data security breach notification laws. (See Widespread Data Breaches Uncovered by FTC Probe: FTC Warns of Improper Release of Sensitive Consumer Data on P2P File-Sharing Networks, FTC press release dated February 22, 2010, available at http://www.ftc.gov/opa/2010/02/p2palert.shtm.)
The FTC also opened non-public investigations of other companies whose customer or employee information has been exposed on P2P networks. Significantly, failing to prevent sensitive information from being shared on P2P networks potentially violates the Gramm-Leach-Bliley Act (which includes provisions to protect consumers’ personal financial information held by financial institutions) and/or Section 5 of the FTC Act. Section 5 of the FTC Act prohibits “unfair methods of competition,” and was amended in 1938 to also prohibit “unfair or deceptive acts or practices.” Recent enforcement actions by the FTC relating to privacy and data security are available at www.ftc.gov/privacy/privacyinitiatives/promises_enf.html.
The FTC recommends that Companies:
- Delete sensitive information you don’t need, and restrict where files with sensitive information can be saved;
- Minimize or eliminate the use of P2P file sharing programs on computers used to store or access sensitive information;
- Use appropriate file-naming conventions;
- Monitor your network to detect unapproved P2P file sharing programs;
- Block traffic associated with unapproved P2P file sharing programs at the network perimeter or network firewalls; and
- Train employees and others who access your network about the inherent security risks.
(See P2P File Sharing, available at http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus64.pdf; see also Protecting Personal Information: A Guide for Business, Federal Trade Commission, available at http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus69.pdf.)
Note that the FTC publication entitled Protecting Personal Information: A Guide for Business is well written and is available for republication.
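One way to act on the “monitor your network” recommendation above, as an added example that is not from the FTC guidance or from any product named on this page: a small Python classifier that fingerprints the Gnutella, BitTorrent and eDonkey handshakes in the first bytes of a connection and also flags hosts that fan out to many peers on high ports. The record format, the signature patterns and the sample records are constructed assumptions.

```python
import re
from collections import defaultdict

# Fingerprints on the first bytes of a TCP payload, taken from the public
# protocol specs: Gnutella 0.6 handshake, BitTorrent peer-wire handshake, and
# the eDonkey (0xE3) / eMule (0xC5) header followed by OP_HELLO (0x01) at byte 5.
SIGNATURES = [
    ("gnutella", re.compile(rb"^GNUTELLA CONNECT/0\.6")),
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
    ("edonkey", re.compile(rb"^[\xe3\xc5].{4}\x01", re.DOTALL)),
]

def classify_payload(payload):
    """Return the protocol name matched by a payload sample, or None."""
    for name, pattern in SIGNATURES:
        if pattern.search(payload):
            return name
    return None

def find_p2p_hosts(records, fanout_threshold=20):
    """Map each suspicious source host to its matched protocols and peer count.
    A host is flagged if any payload matched a signature, or if it contacted at
    least fanout_threshold distinct peers on high ports (swarm-style behaviour)."""
    protocols = defaultdict(set)
    peers = defaultdict(set)
    for src, dst, dport, payload in records:   # (src_ip, dst_ip, dst_port, bytes)
        name = classify_payload(payload)
        if name:
            protocols[src].add(name)
        if dport >= 1024:
            peers[src].add(dst)
    flagged = {}
    for src in set(protocols) | set(peers):
        if protocols[src] or len(peers[src]) >= fanout_threshold:
            flagged[src] = {"protocols": sorted(protocols[src]),
                            "peers": len(peers[src])}
    return flagged

# Constructed sample records (not captured traffic).
SAMPLE_RECORDS = [
    ("10.0.0.5", "203.0.113.10", 6346, b"GNUTELLA CONNECT/0.6\r\nUser-Agent: LimeWire/5.5\r\n"),
    ("10.0.0.5", "198.51.100.7", 6881, b"\x13BitTorrent protocol" + bytes(48)),
    ("10.0.0.9", "192.0.2.44", 4662, b"\xe3\x2c\x00\x00\x00\x01\x10"),
    ("10.0.0.12", "192.0.2.80", 443, b"\x16\x03\x01\x02\x00"),   # TLS ClientHello, benign
] + [("10.0.0.21", "198.51.100.%d" % i, 50000 + i, b"\x00\x00\x00\x0d")
     for i in range(1, 26)]   # one host fanning out to 25 peers, handshake not captured
```

A real deployment would feed this from a flow or packet source and tune the fan-out threshold to the site's normal traffic.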
To secure the personal information stored on one’s computer, the FTC recommends:
• Avoid Changes to Default Settings. Any changes you make to the P2P software’s default settings during installation could put data at risk. You could inadvertently share information on your hard drive, such as your tax returns, email messages, medical records, photos, or other personal documents;
• System Maintenance. Some file-sharing programs may install malware that monitors a user’s computer use and then sends that data to third parties;
• Close your connection. In many instances, closing the file-sharing program window does not actually close your connection to the network. That allows file-sharing to continue and could increase your security risk; and
• Avoid Using an Administrator Account to run P2P Software. Administrator accounts permit installation of software. Avoiding the use of an account that would permit the installation of software can help protect against malware.
(See P2P File-Sharing: Evaluate the Risks)
An example of a P2P file sharing policy is available at http://www.k-state.edu/policies/ppm/3490.html.
Related Links
http://www.ftc.gov/infosecurity
Comparison of Features of Popular P2P Clients
P2P file sharing clients allow users to share software, music, video and other files over the Internet. P2P clients may be capable of connecting to one or more P2P file-sharing networks (e.g. eDonkey, BitTorrent and Gnutella). (see http://en.wikipedia.org/wiki/Peer-to-peer)
Columns: Client | Description | X > 4 GB | Unicode compatible | Query routing | UPnP port mapping | NAT traversal | NAT port mapping | RUDP | TCP push proxy | UDP push proxy | Ultrapeer | GWebCache | UDP host cache | THEX | TLS | Other
- Shareaza: connects to 4 separate peer-to-peer networks: eDonkey2000, Gnutella, BitTorrent and Gnutella2. Feature values, in column order: Yes, No, Yes, Yes, Yes, No, Yes, Yes, Yes, Yes, Yes[f], Yes, No. Other: IRC support.
- LimeWire: uses the BitTorrent protocol and the Gnutella network to provide unparalleled searches and download speed. LimeWire has detailed information on the security of peer-to-peer software. Feature values, in column order: Yes, Yes, Yes, Yes[e], Yes[g], Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes. Other: DHT.
- gtk-gnutella: the first decentralized file sharing network. Feature values, in column order: Yes, Yes, No, Yes, No, No, Yes, Yes, Yes, No (dropped), Yes, Yes, Yes. Other: IPv6, DHT.
- GnucDNA: a software library for building peer-to-peer applications that provides developers with a common layer to create their own Gnutella and/or Gnutella2 client or network. Feature values, in column order: No, No, No, No, No, No, Yes, No, No[b], Yes, No, No, No.
- giFT: a modular daemon capable of abstracting the communication between the end user and specific file-sharing protocols (peer-to-peer or otherwise). Feature values, in column order: No, No, N/A, N/A, No, No, Yes, No, No[b], Yes, No, No, No.
- BearShare: appears to be a hybrid P2P client and premium distribution service. Feature values, in column order: No, No, Yes, Yes, Yes, Yes, Yes, N/A, Yes, Yes, No, Yes, No.
[i] Peer-to-peer file-sharing software generally functions by enabling access to the Gnutella or other file-sharing networks. P2P networks are composed of many thousands of computers, and the content of those computers is shared either by user action or inaction. Unlike, for example, the ubiquitous iTunes Store, which allows users to legally purchase movies and music, a P2P network has no central server for the distribution of files. Users of P2P networks must actively filter out illegal or objectionable content, either by configuring the P2P software with “family friendly features” or by notifying the host of the objectionable content.
Not all distributed file-sharing protocols are necessarily bad; BitTorrent, another popular file-sharing protocol, is invaluable for distributing large files. The installation disks for the open source operating system Linux may be as large as 4 gigabytes; without protocols like BitTorrent, multiple users downloading such a large file could exhaust the bandwidth of a major university. BitTorrent makes many small data requests over different TCP connections to different machines, whereas classic downloading is done over a single TCP connection to a single machine. Many P2P file-sharing packages use a simple HTTP connection to download data from a host computer once a host with the user’s desired content is located. Unlike other P2P software, someone must “seed” a BitTorrent download; a small file called a “torrent” is used as a pointer to the file, but the host of the torrent does not serve as the primary source of the data being downloaded by the end user.
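As an added example of the footnote’s point that a torrent is a pointer rather than the content itself (this code is written here and is not taken from any project on the page): a minimal bencode parser that reads a constructed .torrent and reports the tracker, file size, piece count and info hash. The sample torrent, its tracker URL and the assumption that the top-level “info” key is the first occurrence of the bytes 4:info are all constructed for this example.

```python
import hashlib

def bdecode(data, i=0):
    """Decode one bencoded value starting at data[i]; return (value, next_index)."""
    c = data[i:i + 1]
    if c == b"i":                        # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":                        # list: l<items>e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            item, i = bdecode(data, i)
            items.append(item)
        return items, i + 1
    if c == b"d":                        # dict: d<key><value>...e, keys are byte strings
        result, i = {}, i + 1
        while data[i:i + 1] != b"e":
            key, i = bdecode(data, i)
            result[key], i = bdecode(data, i)
        return result, i + 1
    colon = data.index(b":", i)          # byte string: <length>:<bytes>
    start = colon + 1
    length = int(data[i:colon])
    return data[start:start + length], start + length

def info_span(data):
    """Byte range of the raw bencoded 'info' dict; its SHA-1 is the info_hash.
    Assumption: the top-level 'info' key is the first occurrence of b'4:info'."""
    start = data.index(b"4:info") + len(b"4:info")
    _, end = bdecode(data, start)
    return start, end

def torrent_summary(data):
    """What a .torrent actually carries: tracker, name, size and piece hashes."""
    meta, _ = bdecode(data)
    info = meta[b"info"]
    start, end = info_span(data)
    return {
        "tracker": meta[b"announce"].decode(),
        "name": info[b"name"].decode(),
        "length": info[b"length"],
        "pieces": len(info[b"pieces"]) // 20,   # one 20-byte SHA-1 per piece
        "info_hash": hashlib.sha1(data[start:end]).hexdigest(),
        "metadata_bytes": len(data),            # the whole pointer, not the content
    }

# Constructed sample: a single-file torrent for a 1 MiB "ISO" split into two pieces.
PIECE_HASHES = hashlib.sha1(b"piece-0").digest() + hashlib.sha1(b"piece-1").digest()
SAMPLE_TORRENT = (b"d8:announce35:http://tracker.example.org/announce4:infod6:lengthi1048576e"
                  b"4:name15:linux-image.iso12:piece lengthi524288e6:pieces40:" + PIECE_HASHES + b"ee")
```

The summary shows a few hundred bytes of metadata describing a 1 MiB payload; the data itself is fetched piece by piece from peers, verified against the embedded SHA-1 hashes.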
[ii] (See http://www.nessus.org/whitepapers/reliability_and_uniqueness_of_nessus.pdf.)
[iii] (See http://www.washingtonpost.com/wp-dyn/content/article/2009/07/29/AR2009072902273_pf.html; http://voices.washingtonpost.com/securityfix/2009/07/report_locations_of_all_us_nuc.html; http://www.computerworld.com/s/article/9136053/Details_on_presidential_motorcades_safe_house_for_First_Family_leak_via_P2P?taxonomyId=17; http://www.smh.com.au/technology/technology-news/topsecret-obama-safe-house-leaked-on-limewire-20090730-e267.html; http://www.nextgov.com/nextgov/ng_20090729_2566.php?oref=topnews; http://www.nextgov.com/nextgov/ng_20090729_3555.php?oref=topnews; http://www.reuters.com/article/technologyNews/idUSTRE56S4T420090729; http://www.internetnews.com/government/article.php/3832556/Data+of+Soldiers+Hospital+Patients+Found+on+P2P.htm.)