Study: Clinical trial privacy safeguards lacking

By Molly Merrill
10:35 AM

Security practices for transferring and sharing sensitive files for patients who are participating in clinical trials are inadequate, according to a recent study.

The two-part study, titled "How Strong Are Passwords Used to Protect Personal Health Information in Clinical Trials?," was led by Khaled El-Emam, Canada research chair in Electronic Health Information at the Children's Hospital of Eastern Ontario (CHEO) Research Institute.

The study, which was published in the Journal of Medical Internet Research, showed that the majority of passwords used to protect files are poorly constructed and easily cracked using commercial password recovery tools.

Study coordinator interviews indicated that electronic information shared in the context of clinical trials may put personal health information at risk.

"The patients in these trials expect that their personal information will be protected," said El-Emam. "This is critical for maintaining the trust of clinical trial participants, and the public in general."

In the course of the study, passwords for 14 out of 15 sensitive files transmitted by email were successfully decoded. Of these 14, 13 contained sensitive health information and other potentially identifying factors such as name of study site, dates of birth, initials and gender.

File sharing practices were also found to be insecure, with unencrypted patient information being shared via email and posted on shared drives with common passwords.

[See also: Docs' file sharing risky business for patient data.]

"Cracking the passwords proved to be trivial," said El-Emam. "Choices included passwords as simple as car makers (e.g., "nissan"), and common number sequences (e.g., "123"). It was easy for the password recovery tools to guess them."

Poor security practices can be harmful to patients participating in clinical trials, who are at risk of being identified and possibly stigmatized by the disclosure of personal health information, researchers said.
There is also a potential for both medical and non-medical identity theft. In the context of international clinical trials, inadvertent disclosure of personal health information is considered a data breach in the United States, which can lead to penalties in some states.

[See also: Report: More than 6M affected since breach notification rule.]

El-Emam believes that, with some effort, file sharing in clinical trials can be made secure. "There are protocols and tools that can be employed for secure file sharing," he says. "It may take more effort on the part of those who conduct clinical trials, but the alternative would not be acceptable."

He makes several recommendations, including enforcement of strong passwords and encryption algorithms, encrypting all information sent via email including site queries and minimizing password sharing.