Abstract
Confidential data hemorrhaging from health-care providers pose financial risks to firms and medical risks to patients. We examine the consequences of data hemorrhages including privacy violations, medical fraud, financial identity theft, and medical identity theft. We also examine the types and sources of data hemorrhages, focusing on inadvertent disclosures. Through an analysis of leaked files, we examine data hemorrhages stemming from inadvertent disclosures on internet-based file sharing networks. We characterize the security risk for a group of health-care organizations using a direct analysis of leaked files. These files contained highly sensitive medical and personal information that could be maliciously exploited by criminals seeking to commit medical and financial identity theft. We also present evidence of the threat by examining user-issued searches. Our analysis demonstrates both the substantial threat and vulnerability for the health-care sector and the unique complexity exhibited by the US health-care system.
Experiments described in this paper were conducted in collaboration with Tiversa, which has developed a patent-pending technology that monitors global P2P file sharing networks in real time. The author gratefully acknowledges the assistance of Nicholas Willey and the helpful comments of Lane R. Hatcher. This research was partially supported by the U.S. Department of Homeland Security under Grant Award Number 2006-CS-001-000001, under the auspices of the Institute for Information Infrastructure Protection (I3P). The views and conclusions contained in this document are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of the U.S. Department of Homeland Security, the I3P, or Dartmouth College.
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Johnson, M.E. (2009). Data Hemorrhages in the Health-Care Sector. In: Dingledine, R., Golle, P. (eds) Financial Cryptography and Data Security. FC 2009. Lecture Notes in Computer Science, vol 5628. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-03549-4_5
DOI: https://doi.org/10.1007/978-3-642-03549-4_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-03548-7
Online ISBN: 978-3-642-03549-4
eBook Packages: Computer Science, Computer Science (R0)