P2P Breach Leads to Walter Reed Data Leak

An investigation launched Tuesday into the possible compromise of about 1,000 patient records at Walter Reed Army Medical Center serves as a stern reminder of how dangerous peer-to-peer (P2P) and other social networking applications can be, security experts warn.

The names, Social Security numbers and birth dates of the patients were among the personally identifiable information in a computer file that was shared without authorization, according to a statement from the U.S. Army hospital in Washington, D.C.

The risk of data breaches will only increase as use of file-sharing software becomes prevalent in the workplace, according to Paul Zimski, vice president of product solutions for Scottsdale, Ariz.-based Lumension Security.

"What's alarming about this incident is that it's not something you can stop at the network level," Zimski said. "Even hard drive encryption doesn't really work because when you file share, default installers will share out your My Documents, as well as your settings and Windows files."

Security pros such as Zimski say that unless enterprises deploy internal policies and procedures, periodic security audits, or both automated and manual whitelisting of acceptable applications, intrusions from file sharing will become not only more frequent but also more sophisticated.

For its part, Walter Reed said in its statement that the Health Insurance Portability and Accountability Act of 1996 "protects patients from unauthorized release of their health records." It added that the hospital has "a robust information assurance program that meets all program standards and requirements."

According to media reports early Tuesday, the military officer in charge of Walter Reed, Col. Patricia Horoho, circulated a memo asking managers to ensure that the staff was not "loading or downloading programs that are not authorized by the command as it increases our vulnerability and possibly can cause a breach in protected." The memo was reportedly posted on the Walter Reed Web site before being taken down.

Security experts say that in cases like these, relying on an "honor system" is not sound policy.

"I think this is absolutely a case where unacceptable software should have been listed and banned beforehand," Zimski said. "ISPs have been trying to deal with peer-to-peer incursions for a long time and what companies need to know is that these applications are real stealthy on the network and not easily defensible unless the enterprise-wide system is locked from the inside."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

