T-Space at The University of Toronto Libraries >
Journal of Medical Internet Research >
Volume 9 (2007) >
Please use this identifier to cite or link to this item:
|Title: ||An Evaluation of Personal Health Information Remnants in
Second-Hand Personal Computer Disk Drives|
|Authors: ||El Emam, Khaled|
|Keywords: ||Original Paper|
|Issue Date: ||30-Sep-2007|
|Publisher: ||Gunther Eysenbach; Centre for Global eHealth Innovation, Toronto, Canada|
|Citation: ||Khaled El Emam, Emilio Neri, Elizabeth Jonker. An Evaluation of Personal Health Information Remnants in
Second-Hand Personal Computer Disk Drives. J Med Internet Res 2007;9(3):e24 <URL: http://www.jmir.org/2007/3/e24/>|
|Abstract: ||[This item is a preserved copy and is not necessarily the most recent version. To view the current item, visit http://www.jmir.org/2007/3/e24/ ]
The public is concerned about the privacy of their health information, especially as more of it is collected, stored, and exchanged electronically. But we do not know the extent of leakage of personal health information (PHI) from data custodians. One form of data leakage is through computer equipment that is sold, donated, lost, or stolen from health care facilities or individuals who work at these facilities. Previous studies have shown that it is possible to get sensitive personal information (PI) from second-hand disk drives. However, there have been no studies investigating the leakage of PHI in this way.
The aim of the study was to determine the extent to which PHI can be obtained from second-hand computer disk drives.
A list of Canadian vendors selling second-hand computer equipment was constructed, and we systematically went through the shuffled list and attempted to purchase used disk drives from the vendors. Sixty functional disk drives were purchased and analyzed for data remnants containing PHI using computer forensic tools.
It was possible to recover PI from 65% (95% CI: 52%-76%) of the drives. In total, 10% (95% CI: 5%-20%) had PHI on people other than the owner(s) of the drive, and 8% (95% CI: 7%-24%) had PHI on the owner(s) of the drive. Some of the PHI included very sensitive mental health information on a large number of people.
There is a strong need for health care data custodians to either encrypt all computers that can hold PHI on their clients or patients, including those used by employees and subcontractors in their homes, or to ensure that their computers are destroyed rather than finding a second life in the used computer market.|
|Description: ||Reviewer: Abdel Malik, Philip|
Reviewer: Chhanabhai, Prajesh
|Rights: ||© Khaled El Emam, Emilio Neri, Elizabeth Jonker. Originally published in the Journal of Medical Internet Research (http://www.jmir.org, 30.09.2007). Except where otherwise noted, articles published in the Journal of Medical Internet Research are distributed under the terms of the Creative Commons Attribution License (http://www.creativecommons.org/licenses/by/2.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited, including full bibliographic details and the URL (see "please cite as" above), and this statement is included.|
|Appears in Collections:||Volume 9 (2007)|
Items in T-Space are protected by copyright, with all rights reserved, unless otherwise indicated.