Study reveals security weaknesses in file-sharing methods used in clinical trials

February 16, 2011

Patients who participate in clinical trials expect that their personal information will remain confidential, but a recent study led by Dr. Khaled El-Emam, Canada Research Chair in Electronic Health Information at the CHEO Research Institute, found that the security practices used to transfer and share sensitive files were inadequate.

The two-part study, entitled "How Strong Are Passwords Used to Protect Personal in ?", published today in the Journal of Medical Internet Research, showed that the majority of passwords used to protect files are poorly constructed and easily cracked using commercial password recovery tools. Study coordinator interviews indicated that shared in the context of clinical trials may put personal health information at risk.

"The patients in these trials expect that their personal information will be protected," said Dr. El-Emam. "This is critical for maintaining the trust of clinical trial participants, and the public in general."

In the course of the study, passwords for 14 out of 15 sensitive files transmitted by email were successfully decoded. Of these 14, 13 contained sensitive health information and other potentially identifying factors such as name of study site, dates of birth, initials, and gender. practices were also found to be insecure, with unencrypted being shared via email and posted on shared drives with common passwords.

"Cracking the passwords proved to be trivial," said Dr. El-Emam. "Choices included passwords as simple as car makers (e.g., "nissan"), and common number sequences (e.g., "123"). It was easy for the password recovery tools to guess them."

Poor security practices can be harmful to patients participating in clinical trials, who are at risk of being identified and possibly stigmatized by the disclosure of personal health information. There is also a potential for both medical and non-medical identity theft. In the context of international clinical trials, inadvertent disclosure of personal health information is considered a data breach in countries like the United States, which can lead to penalties in some states.

Dr. El-Emam believes that with some effort file sharing in clinical trials can be made secure: "There are protocols and tools that can be employed for secure file sharing. It may take more effort on the part of those who conduct clinical trials, but the alternative would not be acceptable."

Dr. El-Emam makes several recommendations, including enforcement of strong and encryption algorithms, encrypting all information sent via email including site queries, and minimizing password sharing.

Explore further: New study looks at re-identification risks

Related Stories

New study looks at re-identification risks

October 14, 2009

A recent study led by Dr. Khaled El Emam, the Canada Research Chair in Electronic Health Information at the CHEO Research Institute, found that the information in hospital prescription records can quite easily re-identify ...

Novel K-anonimity algorithm safeguards access to data

November 20, 2009

As electronic health records become more widely deployed, increasing amounts of health information are being collected. This data has many beneficial applications, such as research, public health, and health system planning. ...

Are you any good at creating passwords?

January 30, 2010

There's an interesting little study that's been done by security firm Imperva, which analyzed some 32 million passwords posted online in December by some enterprising hacker.

File-sharing software potential threat to health privacy

March 1, 2010

The personal health and financial information stored in thousands of North American home computers may be vulnerable to theft through file-sharing software, according to a research study published online today in the Journal ...

Privacy risks from geographic information

April 8, 2010

In today's world more geographic information is being collected about us, such as where we live, where the clinic we visited is located, and where we work. Web sites are also collecting more geographic information about their ...

Recommended for you

How the finch changes its tune

August 3, 2015

Like top musicians, songbirds train from a young age to weed out errors and trim variability from their songs, ultimately becoming consistent and reliable performers. But as with human musicians, even the best are not machines. ...

Machine Translates Thoughts into Speech in Real Time

December 21, 2009

(PhysOrg.com) -- By implanting an electrode into the brain of a person with locked-in syndrome, scientists have demonstrated how to wirelessly transmit neural signals to a speech synthesizer. The "thought-to-speech" process ...

0 comments

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.