Clinical Trial Record Security Deemed Inadequate

A study of Canadian clinical trial practices shows serious vulnerabilities in the security of participants’ personal data when the data are shared among authorized stakeholders. The findings appear online in the 11 February issue of the Journal of Medical Internet Research.

The study, by Khaled El-Emam of Children’s Hospital of Eastern Ontario Research Institute in Ottawa, Ontario, tested the robustness of passwords on 15 sensitive clinical trial records sent by e-mail. The password-protected records attached to the e-mails used Microsoft Office (Word, Excel) or WinZip compression formats, and were transmitted to regular staff or consultants on the project.

With two off-the-shelf password recovery tools, El-Emam’s team was able to crack 14 of the 15 passwords on the documents. “Cracking the passwords proved to be trivial,” says El-Emam. The passwords, El-Emam adds, included terms “as simple as car makers (e.g., ‘nissan’), and common number sequences (e.g., ‘123’). It was easy for the password recovery tools to guess them.”

Of the 14 documents where the team cracked the passwords, 13 contained sensitive health information and other potentially identifying factors such as name of study site, dates of birth, initials, and gender.

El-Emam’s study also interviewed 20 clinical study coordinators in Toronto, Ottawa, and Montreal about their file-sharing practices and security precautions. The researchers found glaring vulnerabilities, such as workers who sent clinical trial records with personal health information by unencrypted e-mail.

The team also found records with personal health information on shared drives with common passwords. Putting these sensitive records on shared drives violates good security practices, since the common passwords are shared further by all stakeholders, whether or not they need access to those records. It is also not possible to maintain audit trails of modifications made to files on shared drives.

The journal article included several recommendations for strengthening the security of clinical trial records.


Photo: Bill McChesney/Flickr
