At this stage in the digital revolution, most of us are familiar with peer-to-peer file sharing networks. The most famous for its rise and fall was Napster, originally designed to enable digital music files to be transferred from one user to another. Many of these file sharing networks, such as Kazaa and Gnutella, still exist. What many people do not realize is that peer-to-peer networks can be used for sharing more than just MP3 music files. People can share any type of file, be it an image, Word document, PDF, etc., and therein lies the potential threat for the data networks of laboratories and pathology groups.
Many small companies have prohibited the installation of any new software on their employees’ computers in an effort to prohibit the installation of peer-to-peer software. This becomes somewhat more difficult as companies grow to medium or large size. In a company with hundreds or thousands of employees, the IT department staff is often outnumbered by other employees, and many of these employees need simple programs, downloadable online, such as Acrobat Reader and Shockwave, to view files. Often, companies let employees use their judgment in downloading programs.
This mistake can open vulnerabilities in the data networks of companies for a number of reasons. The threat is related to a new term entering the informatics lexicon, which is “digital wind.” Digital wind describes the phenomenon of how a shared file, whether shared intentionally or not, can quickly spread from one person’s computer to hundreds of others.
In a recent study on the phenomenon of “digital wind” conducted by Eric Johnson, a professor at Dartmouth College’s Tuck School of Business, Johnson noted that everything from loan applications and bank statements to tax returns can be accessed and shared on peer-to-peer networks. Many of these documents contain sensitive information, including Social Security numbers and credit card information. Those files end up in peer-to-peer networks because network users do not know how to properly set the parameters for which files on their computer can be shared and which cannot. Consequently, everything becomes shared.
Johnson found that, once a file is shared and picked up by the file sharing network, it disseminates quickly, often to people who aren’t even looking for it. Johnson cited an example in which a searcher was looking for Madonna’s performance at Wachovia Center, but found numerous bank statements and other documents from Wachovia Bank. Given improper access to computers in a laboratory, searchers might find lab test results or patient demographic and financial information, in addition to other proprietary and confidential documents.
Companies that lose proprietary information via peer-to-peer networks have little legal recourse to reclaim the information. They can punish the employee, but the damage cannot be undone.
Another vulnerability companies have when they allow peer-to-peer file sharing networks on company computers is exposure to lawsuits. If an employee has hundreds or thousands of illegal music files on his or her company computer, the company can be sued for the illegal storage of copyrighted files. In some cases, large awards in resulting lawsuits can financially damage small to medium-sized companies or force them to declare bankruptcy.
The moral of the story for laboratories and other healthcare providers is to protect your company computers. Recognize the vulnerability that peer-to-peer file sharing software creates. Do not give employees, no matter how Web-savvy they are, the right to install software on their computers. It can open holes in the security of the data network and lead to stolen information. Because of the huge amounts of sensitive data about patients in laboratory information systems, this is a real threat and steps should be taken to close this window of vulnerability.
Sharing MP3s may mean sharing far more