Study reveals security weaknesses in file-sharing methods used in clinical trials

Feb 16, 2011

Patients who participate in clinical trials expect that their personal information will remain confidential, but a recent study led by Dr. Khaled El-Emam, Canada Research Chair in Electronic Health Information at the CHEO Research Institute, found that the security practices used to transfer and share sensitive files were inadequate.

The two-part study, entitled "How Strong Are Passwords Used to Protect Personal in ?", published today in the Journal of Medical Internet Research, showed that the majority of passwords used to protect files are poorly constructed and easily cracked using commercial password recovery tools. Study coordinator interviews indicated that shared in the context of clinical trials may put personal health information at risk.

"The patients in these trials expect that their personal information will be protected," said Dr. El-Emam. "This is critical for maintaining the trust of clinical trial participants, and the public in general."

In the course of the study, passwords for 14 out of 15 sensitive files transmitted by email were successfully decoded. Of these 14, 13 contained sensitive health information and other potentially identifying factors such as name of study site, dates of birth, initials, and gender. practices were also found to be insecure, with unencrypted being shared via email and posted on shared drives with common passwords.

"Cracking the passwords proved to be trivial," said Dr. El-Emam. "Choices included passwords as simple as car makers (e.g., "nissan"), and common number sequences (e.g., "123"). It was easy for the password recovery tools to guess them."

Poor security practices can be harmful to patients participating in clinical trials, who are at risk of being identified and possibly stigmatized by the disclosure of personal health information. There is also a potential for both medical and non-medical identity theft. In the context of international clinical trials, inadvertent disclosure of personal health information is considered a data breach in countries like the United States, which can lead to penalties in some states.

Dr. El-Emam believes that with some effort file sharing in clinical trials can be made secure: "There are protocols and tools that can be employed for secure file sharing. It may take more effort on the part of those who conduct clinical trials, but the alternative would not be acceptable."

Dr. El-Emam makes several recommendations, including enforcement of strong and encryption algorithms, encrypting all information sent via email including site queries, and minimizing password sharing.

Explore further: Twitter increasingly used to share urological meeting info

Provided by Children's Hospital of Eastern Ontario Research Institute

not rated yet
add to favorites email to friend print save as pdf

Related Stories

File-sharing software potential threat to health privacy

Mar 01, 2010

The personal health and financial information stored in thousands of North American home computers may be vulnerable to theft through file-sharing software, according to a research study published online today in the Journal of ...

Novel K-anonimity algorithm safeguards access to data

Nov 20, 2009

As electronic health records become more widely deployed, increasing amounts of health information are being collected. This data has many beneficial applications, such as research, public health, and health system planning. ...

New study looks at re-identification risks

Oct 14, 2009

A recent study led by Dr. Khaled El Emam, the Canada Research Chair in Electronic Health Information at the CHEO Research Institute, found that the information in hospital prescription records can quite easily re-identify ...

Privacy risks from geographic information

Apr 08, 2010

In today's world more geographic information is being collected about us, such as where we live, where the clinic we visited is located, and where we work. Web sites are also collecting more geographic information about their ...

Are you any good at creating passwords?

Jan 30, 2010

There's an interesting little study that's been done by security firm Imperva, which analyzed some 32 million passwords posted online in December by some enterprising hacker.

Recommended for you

Exploring 3-D printing to make organs for transplants

Jul 30, 2014

Printing whole new organs for transplants sounds like something out of a sci-fi movie, but the real-life budding technology could one day make actual kidneys, livers, hearts and other organs for patients ...

High frequency of potential entrapment gaps in hospital beds

Jul 30, 2014

A survey of beds within a large teaching hospital in Ireland has shown than many of them did not comply with dimensional standards put in place to minimise the risk of entrapment. The report, published online in the journal ...

Key element of CPR missing from guidelines

Jul 29, 2014

Removing the head tilt/chin lift component of rescue breaths from the latest cardiopulmonary resuscitation (CPR) guidelines could be a mistake, according to Queen's University professor Anthony Ho.

Burnout impacts transplant surgeons (w/ Video)

Jul 28, 2014

Despite saving thousands of lives yearly, nearly half of organ transplant surgeons report a low sense of personal accomplishment and 40% feel emotionally exhausted, according to a new national study on transplant surgeon ...

User comments : 0