HIPAAdvisory > HIPAAtech (Phoenix Health Systems)

P2P/IM

File Sharing, Instant Messaging Applications Jeopardize Healthcare Efforts to Comply With Privacy and Security Laws

May 28, 2003 -- Hospitals and healthcare organizations are working to meet the HIPAA security and privacy regulations. However, a report issued today found that these efforts may be undermined by allowing peer-to-peer (P2P) and instant messenger (IM) applications to run on their networks. The report concludes that by failing to control P2P and instant messaging, hospitals and other healthcare organizations risk compromising patient health information and increasing their exposure to lawsuits.

"P2P applications open up a healthcare organization's network to the outside world," said Mark Glowacki, HIPAA Compliance Manager of the HIPAA Academy. "Applications like P2P and IM allow employees to communicate and share files covertly with outside parties. Because these applications can run without being detected by conventional security appliances like firewalls, security violations are only discovered after the fact. With instant messaging, undocumented communications regarding a patient may occur without the healthcare organization's knowledge, leading to an unintentional breach of HIPAA's access requirements."

In addition to undetected file sharing, P2P and IM can expose an organization to security threats targeted at these applications, such as viruses, worms, and spyware. Several P2P applications include spyware as a standard part of the installation, which may allow unauthorized collection and distribution of confidential information. Free instant messaging applications can allow a hacker to take over the user's computer through security vulnerabilities that are not actively patched.
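The article's point is that these clients run without being noticed by the perimeter controls an organization already has. One defensive response is to look for them in the connection logs the firewall or proxy already produces. The following is an added example (mine, not part of the HIPAAdvisory article or the Palisade report): it reads constructed outbound-connection log lines and flags internal hosts that either connect to the default ports of the consumer IM and P2P clients of the period or show the many-external-peers fan-out typical of a P2P swarm. The log format, the 10.0.0.0/8 internal range, the port table and the fan-out threshold are all assumptions; clients can be reconfigured to other ports, so this is a heuristic first pass, not a complete control.

```python
"""
Added example (not from the HIPAAdvisory article or the Palisade report):
flag internal hosts whose outbound connections look like IM or P2P usage.

Assumed log format (whitespace-separated, my convention, not the page's):
    timestamp src_ip dst_ip dst_port proto bytes_out
Assumed internal network: 10.0.0.0/8.
"""
from collections import defaultdict
import ipaddress

# Default destination ports of common consumer IM/P2P clients circa 2003.
# Heuristic only: clients can be configured to use other ports (e.g. 80/443).
IM_P2P_PORTS = {
    5190: "AIM/ICQ (OSCAR)",
    1863: "MSN Messenger",
    5050: "Yahoo Messenger",
    6667: "IRC",
    1214: "Kazaa/FastTrack",
    6346: "Gnutella",
    6347: "Gnutella",
    4662: "eDonkey",
    6881: "BitTorrent",
}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
# One internal host talking to many distinct external peers on high ports is
# typical of a P2P swarm. The threshold is an assumption; tune it per site.
PEER_FANOUT_THRESHOLD = 5


def parse_line(line):
    """Split one log line into its fields (see the assumed format above)."""
    ts, src, dst, dport, proto, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "bytes": int(nbytes)}


def classify_flows(lines):
    """Return {internal_host: sorted list of finding strings}."""
    findings = defaultdict(set)
    ext_peers = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = parse_line(line)
        if ipaddress.ip_address(f["src"]) not in INTERNAL_NET:
            continue  # only outbound connections from internal hosts
        if ipaddress.ip_address(f["dst"]) in INTERNAL_NET:
            continue  # internal-to-internal traffic is out of scope here
        app = IM_P2P_PORTS.get(f["dport"])
        if app:
            findings[f["src"]].add(f"known-port:{f['dport']}:{app}")
        if f["dport"] >= 1024:
            ext_peers[f["src"]].add(f["dst"])
    for host, peers in ext_peers.items():
        if len(peers) >= PEER_FANOUT_THRESHOLD:
            findings[host].add(f"high-port-fanout:{len(peers)}-peers")
    return {h: sorted(v) for h, v in findings.items()}


# Constructed sample log; addresses are from the documentation ranges.
SAMPLE_LOG = """\
# timestamp src dst dport proto bytes_out
2003-05-28T09:01:02 10.1.4.23 192.0.2.5 5190 tcp 812
2003-05-28T09:01:09 10.1.4.23 192.0.2.20 1863 tcp 455
2003-05-28T09:02:00 10.1.7.88 198.51.100.10 443 tcp 3920
2003-05-28T09:02:14 10.1.9.5 203.0.113.11 6346 tcp 1200
2003-05-28T09:02:15 10.1.9.5 203.0.113.12 39214 tcp 51200
2003-05-28T09:02:16 10.1.9.5 203.0.113.13 41002 tcp 48800
2003-05-28T09:02:17 10.1.9.5 203.0.113.14 33801 tcp 60011
2003-05-28T09:02:18 10.1.9.5 203.0.113.15 52120 tcp 44120
2003-05-28T09:02:19 10.1.9.5 203.0.113.16 46555 tcp 47000
2003-05-28T09:03:00 10.1.7.88 198.51.100.11 80 tcp 1024
2003-05-28T09:03:30 198.51.100.9 10.1.4.23 5190 tcp 100
"""

if __name__ == "__main__":
    for host, items in sorted(classify_flows(SAMPLE_LOG.splitlines()).items()):
        print(host, ", ".join(items))
```

On the sample, the host using AIM and MSN Messenger is caught by the port table, the host in a Gnutella swarm is caught both by the port table and by the fan-out rule, and the host doing ordinary web traffic produces no finding. The inbound line from an external source is ignored, since the script only reviews outbound connections. A real deployment would feed this from the firewall's own export and pair it with the endpoint-side control the article implies: an inventory of installed software so that clients added "under IT's radar" show up even when they use non-default ports.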

Doug Jacobson, Palisade Systems' president and chief technology officer, says P2P or uncontrolled IM programs "...open up too many security holes, and companies discover them too late. In the Fall of 2002, a Colorado city government learned the types of exposures they faced after an individual downloaded police passwords and other sensitive city information. The files were taken from the hard drive of the city's network administrators. Hospitals running these applications will be confronting the same potential reality."

View the full report (PDF). [external link]


Public IM Could Spell IT Headaches [external link] by Drew Robb, Instant Messaging Planet, December 23, 2003
Free, consumer-grade public IM, at this point in its maturity level, isn't the most secure of communication tools. And what's making it a real nightmare for IT and security managers is that a lot of employees are downloading and installing their favorite IM software under IT's radar. Without IT to keep an eye on it, there's no way to put the brakes on what could be a huge security problem. HIPAA calls into question the use of IM in the healthcare industry. Undocumented communications regarding a patient, for instance, could occur without management's knowledge -- leading to a breach of HIPAA's access requirements. Such lapses in security could invoke heavy fines, but companies may not know they exist until it's too late.
