Prof. discusses information security

By Tatiana Cooke

Published on Monday, May 18, 2009

• Print
• Report an Error
• Share

File sharing software can lead to breaches in digital security and give hackers access to health care information, Tuck School of Business professor Eric Johnson said in a lecture at Dartmouth-Hitchcock Medical Center on Friday.

Information leaks have tangible consequences, Johnson said in his address, "Data Hemorrhages in the Health-Care Sector."

"My first real personal issue was when my credit card was breached by the old Panda restaurant in town," he joked, referring to the Panda House restaurant, which closed in 2005 after patrons accused the establishment of credit card fraud.

As banks increase their online security, hackers are beginning to look for easier targets, Johnson said. These hackers are likely to focus on health care information, he said.

Inadvertent information leaks can often be more problematic breaches of security than those caused by a malicious hacker, he said.

Lost laptops and files that are accidentally published online often result in the release of confidential information to the general public, he said.

Johnson's current research focuses on information leaks caused by file sharing. The use of popular programs like Limewire is "a way that we inadvertently disclose information we don't think we're disclosing," Johnson said.

Through Limewire, Johnson and his graduate students uncovered digital copies of 45 birth certificates, 42 passports, 208 tax returns and 114 student financial aid forms, he said. Documents are often leaked because of a confusing interface design, a lack of awareness of what information is stored on a computer, poor organizational habits and general laziness about data security, he said.

Johnson's team also performed an experiment in which they shared files that included an e-mail with the information for a $25 gift card, he said. The files were exposed for about a week, and the file containing the e-mail was successfully downloaded 20 times, he said. Within a few days, all of the money on the card was spent.

"It's very much like putting a $20 bill down," Johnson said. "It quickly got picked up."

To prepare for a congressional hearing on information security, Johnson said he conducted a search for information related to Rep. Henry Waxman, D-Calif., chairman of the House Committee on Energy and Commerce. Johnson discovered a confidential letter that he presented to Waxman during the hearing.

"It's amazing to me how pervasive the problem is," Johnson said.

Information about many health organizations and their patients is often poorly protected, he said. In the course of his research, Johnson found patient records that contained very extensive information about 20,000 Renaissance Healthcare customers. The data, which included 13,489 social security numbers, had been leaked by a partner company called Checknet.

Many people may not believe that leaked health care information is as serious an issue as credit card fraud, Johnson said. Theft of medical information, though, has been on the rise in recent years, as thieves been able to make a profit from the information.

"It becomes interesting when there are ways to convert these data hemorrhages into cash," Johnson said.

Health care information can be used to create identities used by those who do not have health care to get coverage, Johnson said.

This is particularly common in southern California, where illegal aliens purchase the falsified identities, he said. Leaked information can also give people access to prescription drugs using someone else's identity.

Data leaks are particularly dangerous because once information is released, traces remain online, making it almost impossible to prevent it from spreading, he said.