OTTAWA – Doctors who use file sharing software could be putting their patients' medical information at risk, says a recent study.

The study, which was published in the Journal of the American Medical Informatics Association, is the first of its kind to empirically estimate the extent to which personal health information is disclosed through file-sharing applications, said Khaled El Emam, Canada research chair in electronic health information, and the study's lead author.

Researchers used popular file sharing software such as Limewire, BitTorrent and Kazaa to gain access to documents they downloaded from a representative sample of IP addresses. They were able to access the personal and identifying health and financial information of individuals in Canada and the United States.

"The flexibility of these file sharing tools is often the same reason that they are not completely intuitive and can thus lead to errors as to which files or folders are setup for sharing. Without additional protection on the health records, like encryption or elevated access controls, it is entirely possible that a mis-configured file sharing tool could gain full access to the records," said Robert Grapes, chief technologist of the Cloakware team in Irdeto.

El Emam said he and his colleagues found evidence of outsiders actively searching for files that contain private health and financial data. "There is no obvious innocent reason why anyone would be looking for this kind of information," he said.

Researchers advised not using file-sharing tools if they want to protect their sensitive information.

Although this is a simple answer, says Grapes, the reality is that most doctors are using their computers for more than just accessing patient records.

"Email, scheduling, bill payment, medical research, conference bookings and much more are normal activities for these computers, so it makes sense that some, not all, doctors will also install and use file sharing systems," he said.

But trying to use the file sharing software's own privacy safeguards requires considerable information technology expertise, said El Emam.

"Doctors must become familiar with their software applications, file-sharing in this case, and be in a confident position to defend any audit challenges as to the protection of medical health record information," agreed Grapes.

"File and folder encryption are reasonably simple approaches to bolster the protection of these records, but these security methods come with their own management and use challenges that also must be well understood," he said.

Only a small proportion of the IP addresses the researchers examined contained personal health information, but since tens of millions of people use peer-to-peer file sharing applications in North America, that percentage translates into tens of thousands of computers, they said.

Here is a sample of the private health information research team was able to find by entering simple search terms in file-sharing software:

• An authorization for medical care document that listed an individual's Ontario Health Insurance card number, birth date, phone number and details of other insurance plans;
• A teenage girl's medical authorization that included family name, phone numbers, date of birth, social security number and medical history, including current medications;
• Several documents created by individuals listing all their bank details, including account and PIN numbers, passwords and credit card numbers.

CHEO Research Institute's ethic board approved the research for this study. CHEO Research Institute coordinates the research activities of the Children's Hospital of Eastern Ontario.

Click here to read the full JAMIA article.