Hospital Workers Sharing Your Records?
The medical industry is drifting toward complete digitization. In fact, President Obama's goal is to have all medical records in a digital database by 2014. Whether or not this goal is realistic, digital medical records are the future.
According to a report by Scientific American, medical staff is at risk of inadvertently exposing patients' confidential information simply by using file sharing networks at work.
Using software written specifically for scanning Internet-based peer-to-peer (P2P) file sharing networks, Eric Johnson, an operations management professor at Dartmouth College's Tuck School of Business in Hanover, N.H., and colleagues recently found confidential medical files, involving thousands of people, including patient billing records and insurance claims containing Social Security numbers, birth dates, medical diagnoses and psychiatric evaluations. (The same type of information could have been found without the special search software, although not as quickly because the researchers would have had to search individual computers on each of the P2P networks they visited.)
P2P users—there were an estimated 10 million of them in 2007, according to an earlier study by Johnson and colleagues—generally think that, because they're just looking to share music, the rest of the files on their computers are off-limits, says Alan Paller, director of research for the SANS Institute. "But there are no defenses once you let someone inside your computer."
Johnson points out that the shift to digital health care records will not be easy. "The (Obama) administration is moving toward a national electronic health care records system," he says, "but the transition is going to be painful. It's not until they understand how to secure these records that we'll be safe." (The new chief privacy officer will have to not only secure new digital medical records but also promote ways to protect existing data.) The nirvana is to store this information in high-end database systems that are well-secured, rather than in spreadsheets, e-mail and Word documents that can be left on someone's PC, he says, adding: If this cannot be done soon, hospitals and other health care organizations will need to restrict employee access to patient data.