Subscribe for email alerts

Email icon. Credit: Dean Norris, Pixabay

Never miss a post. Sign-up for the Science & Enterprise Daily Report

Donate to Science & Enterprise

S&E on Mastodon


Mastodon icon

Follow us on Mastodon

S&E on LinkedIn


LinkedIn icon

Follow us on LinkedIn

S&E on Flipboard



Flipboard

Follow us on Flipboard

Specials

Guest Posts

Please share Science & Enterprise

RSS
Follow by Email
Facebook
LinkedIn
«  
  »

Clinical Trial Record Security Deemed Inadequate

By Alan, on February 16th, 2011

Bank vault door (BillMcChesney/Flickr)A study of Canadian clinical trial practices shows serious vulnerabilities in the security of participants’ personal data when the data are shared among authorized stakeholders. The findings appear online in the 11 February issue of the Journal of Medical Internet Research.

The study, by Khaled El-Emam of Children’s Hospital of Eastern Ontario Research Institute in Ottawa, Ontario tested the robustness of passwords on 15 sensitive clinical trial records sent by e-mail. The password-protected records attached to the e-mails used Microsoft Office (Word, Excel) or WinZip compression formats, and transmitted to regular staff or consultants on the project.

With two off-the-shelf password recovery tools, El-Emam’s team was able to crack 14 of the 15 passwords on the documents. “Cracking the passwords proved to be trivial,” says El-Emam. The passwords, El-Emam adds, included terms “as simple as car makers (e.g., ‘nissan’), and common number sequences (e.g., ‘123’). It was easy for the password recovery tools to guess them.”

Of the 14 documents where the team cracked the passwords, 13 contained sensitive health information and other potentially identifying factors such as name of study site, dates of birth, initials, and gender.

El-Emam’s study also interviewed 20 clinical study coordinators in Toronto, Ottawa, and Montreal about their file-sharing practices and security precautions. The researchers found glaring vulnerabilities, such as workers who sent clinical trial records with personal health information by unencrypted e-mail.

The team also found records with personal health information on shared drives with common passwords. Putting these sensitive records on shared drives violates good security practices, since the common passwords are shared further by all stakeholders, whether or not they need access to those records. It is also not possible to maintain audit trails of modifications made to files on shared drives.

The journal article included several recommendations for strengthening the security of clinical trial records.

Read more: Institutions, Companies Form Psychiatric Trial Database

Photo: Bill McChesney/Flickr

*     *     *

Regulations   , , , ,  
«  
  »

2 comments to Clinical Trial Record Security Deemed Inadequate

«  
  »