How Strong are Passwords Used to Protect Personal Health Information in Clinical Trials?

Background Findings and statements about how securely personal health information is managed in clinical research are mixed. Objective The objective of our study was to evaluate the security of practices used to transfer and share sensitive files in clinical trials. Methods Two studies were performed. First, 15 password-protected files that were transmitted by email during regulated Canadian clinical trials were obtained. Commercial password recovery tools were used on these files to try to crack their passwords. Second, interviews with 20 study coordinators were conducted to understand file-sharing practices in clinical trials for files containing personal health information. Results We were able to crack the passwords for 93% of the files (14/15). Among these, 13 files contained thousands of records with sensitive health information on trial participants. The passwords tended to be relatively weak, using common names of locations, animals, car brands, and obvious numeric sequences. Patient information is commonly shared by email in the context of query resolution. Files containing personal health information are shared by email and, by posting them on shared drives with common passwords, to facilitate collaboration. Conclusion If files containing sensitive patient information must be transferred by email, mechanisms to encrypt them and to ensure that password strength is high are necessary. More sophisticated collaboration tools are required to allow file sharing without password sharing. We provide recommendations to implement these practices.

[1]  Felix C. Freiling,et al.  Learning More about the Underground Economy: A Case-Study of Keyloggers and Dropzones , 2009, ESORICS.

[2]  Daniel Klein,et al.  Foiling the cracker: A survey of, and improvements to, password security , 1992 .

[3]  Robert Pitchford,et al.  GP Practice computer security survey , 1995 .

[4]  Lisa A. Olson Electronic Record Challenges for Clinical Systems , 2001 .

[5]  Cinda Becker Technical difficulties. Recent health IT security breaches are unlikely to improve the public's perception about the safety of personal data. , 2006, Modern healthcare.

[6]  Joseph A. Cazier,et al.  Password Security: An Empirical Investigation into E-Commerce Passwords and Their Crack Times , 2006, Inf. Secur. J. A Glob. Perspect..

[7]  Julie Bunnell,et al.  Cognitive, associative and conventional passwords: Recall and guessing rates , 1997, Comput. Secur..

[8]  Matthew B. Miles,et al.  Qualitative Data Analysis: An Expanded Sourcebook , 1994 .

[9]  Kweku-Muata Osei-Bryson,et al.  How Internet Security Breaches Harm Market Value , 2010, IEEE Security & Privacy.

[10]  The Ninth Annual HIMSS Leadership Survey. Healthcare Information and Management Systems Society. , 1998, Healthcare informatics : the business magazine for information and communication systems.

[11]  Richard W. Grant,et al.  Prevalence of basic information technology use by U.S. physicians , 2006, Journal of General Internal Medicine.

[12]  Dana Lesemann Once More Unto the Breach: An Analysis of Legal, Technological and Policy Issues Involving Data Breach Notification Statutes , 2010 .

[13]  Steven M. Bellovin,et al.  Laissez-faire file sharing: access control designed for individuals at the endpoints , 2009, NSPW '09.

[14]  Cormac Herley,et al.  So long, and no thanks for the externalities: the rational rejection of security advice by users , 2009, NSPW '09.

[15]  J. Yan,et al.  Password memorability and security: empirical results , 2004, IEEE Security & Privacy Magazine.

[16]  Joy M Grossman,et al.  Physicians slow to adopt patient e-mail. , 2006, Data bulletin.

[17]  M. Angela Sasse,et al.  Users are not the enemy , 1999, CACM.

[18]  Daniel Z. Sands,et al.  Guidelines for the Clinical Use of Electronic Mail with Patients , 1998 .

[19]  Mark Burdon,et al.  If it's encrypted its secure! The viability of US state-based encryption exemptions , 2010, 2010 IEEE International Symposium on Technology and Society.

[20]  Rob Miller,et al.  Johnny 2: a user test of key continuity management with S/MIME and Outlook Express , 2005, SOUPS '05.

[21]  Cliff Stoll How secure are computers in the U.S.A.?: An analysis of a series of attacks on Milnet computers , 1988, Comput. Secur..

[22]  Alessandro Acquisti,et al.  Is There a Cost to Privacy Breaches? An Event Study , 2006, WEIS.

[23]  Ken Thompson,et al.  Password security: a case history , 1979, CACM.

[24]  Mark Burdon,et al.  Encryption safe harbours and data breach notification laws , 2010, Comput. Law Secur. Rev..

[25]  Johnny Long,et al.  No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing , 2008 .

[26]  Khaled El Emam,et al.  The Use of Electronic Data Capture Tools in Clinical Trials: Web-Survey of 259 Canadian Trials , 2009, Journal of medical Internet research.

[27]  Ashish Garg,et al.  Quantifying the financial impact of IT security breaches , 2003, Inf. Manag. Comput. Secur..

[28]  M. Elliott,et al.  Conducting Research Surveys Via E-Mail and The Web , 2001 .

[29]  Jack V Tu,et al.  The effect of privacy legislation on observational research , 2008, Canadian Medical Association Journal.

[30]  Laura A. Levit,et al.  Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: National Academies Press , 2009 .

[31]  Cormac Herley,et al.  A large-scale study of web password habits , 2007, WWW '07.

[32]  Joseph A Cazier,et al.  How secure is your information system? An investigation into actual healthcare worker password practices. , 2006, Perspectives in health information management.

[33]  Joseph Goedert OCR shines a harsh light on data breaches. , 2010, Health data management.

[34]  Belden Menkus,et al.  Understanding password compromise , 1988, Comput. Secur..

[35]  John M. Carroll,et al.  The password predictor - a training aid for raising security awareness , 1988, Comput. Secur..

[36]  Sacha Brostoff,et al.  “Ten strikes and you're out”: Increasing the number of login attempts can improve password usability , 2003 .

[37]  R. W. Hansen,et al.  The price of innovation: new estimates of drug development costs. , 2003, Journal of health economics.

[38]  Bruce L. Riddle,et al.  Passwords in use in a university timesharing environment , 1989, Comput. Secur..

[39]  K. El Emam,et al.  Evaluating Common De-Identification Heuristics for Personal Health Information , 2006, Journal of medical Internet research.

[40]  Mark W. Newman,et al.  Share and share alike: exploring the user interface affordances of file sharing , 2006, CHI.

[41]  K. Emam,et al.  Evaluating the Risk of Re-identification of Patients from Hospital Prescription Records. , 2009, The Canadian journal of hospital pharmacy.

[42]  Ron Henderson,et al.  Cost-effective computer security: cognitive and associative passwords , 1996, Proceedings Sixth Australian Conference on Computer-Human Interaction.

[43]  C. Chronaki,et al.  European citizens' use of E-health services: A study of seven countries , 2007, BMC public health.

[44]  Khaled El Emam,et al.  An Evaluation of Personal Health Information Remnants in Second-Hand Personal Computer Disk Drives , 2007, Journal of medical Internet research.

[45]  Karl Geiger Cloud computing in pharmaceutical R&D: business risks and mitigations. , 2010, Current opinion in drug discovery & development.

[46]  Eugene H. Spafford,et al.  Observing Reusable Password Choices , 1992 .

[47]  A. Bower The Diffusion and Value of Healthcare Information Technology , 2005 .

[48]  F. T. Grampp,et al.  The UNIX system UNIX operating system security , 1984, AT&T Bell Laboratories Technical Journal.

[49]  Sacha Brostoff,et al.  Transforming the ‘Weakest Link’ — a Human/Computer Interaction Approach to Usable and Effective Security , 2001 .

[50]  A GordonLawrence,et al.  The economic cost of publicly announced information security breaches , 2003 .

[51]  Serge Egelman,et al.  It's No Secret. Measuring the Security and Reliability of Authentication via “Secret” Questions , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[52]  James E Andrews,et al.  Current state of information technology use in a US primary care practice-based research network. , 2004, Informatics in primary care.

[53]  Paul H. Rubin,et al.  An Economic Analysis of Notification Requirements for Data Security Breaches , 2005 .

[54]  Moshe Zviran,et al.  User authentication by cognitive passwords: an empirical assessment , 1990, Proceedings of the 5th Jerusalem Conference on Information Technology, 1990. 'Next Decade in Information Technology'.

[55]  Roger Taylor,et al.  The State and Pattern of Health Information Technology Adoption , 2005 .

[56]  Aaron Emigh The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond , 2006, J. Digit. Forensic Pract..

[57]  Pam Dixon Medical Identity Theft: the Information Crime That Can Kill You , 2006 .

[58]  V. Goel,et al.  The privacy paradox: laying Orwell's ghost to rest. , 2001, CMAJ : Canadian Medical Association journal = journal de l'Association medicale canadienne.

[59]  N. Menachemi,et al.  Physicians’ Use of Email With Patients: Factors Influencing Electronic Communication and Adherence to Best Practices , 2006, Journal of medical Internet research.

[60]  Diana K. Smetters,et al.  Ad-hoc Guesting: When Exceptions Are the Rule , 2008, UPSEC.

[61]  J. Powell,et al.  Primary care Health related virtual communities and electronic support groups : systematic review of the effects of online peer to peer interactions , 2004 .

[62]  Diana K. Smetters,et al.  User experiences with sharing and access control , 2006, CHI EA '06.

[63]  Moshe Zviran,et al.  A Comparison of Password Techniques for Multilevel Authentication Mechanisms , 1990, Comput. J..

[64]  Dennis A. Schmidt E-mail Communication with Patients in the Wake of the HIPAA Final Security Rule , 2003 .

[65]  Bradford W Hesse,et al.  Use of the Internet to Communicate with Health Care Providers in the United States: Estimates from the 2003 and 2005 Health Information National Trends Surveys (HINTS) , 2007, Journal of medical Internet research.

[66]  Khaled El Emam,et al.  Privacy Interests in Prescription Data, Part 2: Patient Privacy , 2009, IEEE Security & Privacy.