Passwords used to protect personal health information in Canadian clinical trials are often too easy to crack, according to a report in the Journal of Medical Internet Research (JMIR).
The report highlights an experiment conducted by researchers from the Children's Hospital of Eastern Ontario who used freely available commercial password recovery tools to access information contained in 15 password-protected files transmitted by email during regulated Canadian clinical trials.
With an estimated 41 per cent of Canadian trials making use of electronic data capture (EDC), they aimed to find out just how secure sensitive patient information was.
The results were shocking, with the team able to crack passwords for 93 per cent of the files, among them those containing thousands of records with sensitive health information on trial participants such as gender, date of birth, home address and telephone number, and the nature of the trial.
The team claimed: “the passwords tended to be relatively weak, using common names of locations, animals, car brands, and obvious numeric sequences.”
Notes posted on monitors
The report also highlights reported cases where study coordinators took home information saved on memory sticks, or emailed information to public accounts they could access from home, leaving the data unencrypted and vulnerable.
Other cases include incidents of passwords being shared so that individuals did not have to log in again every time they wanted to work on a shared computer. But perhaps most shockingly, the researchers found that passwords written on notes and posted on monitor screens were common.
As a result of their findings, the research team presented a number of recommendations to Canadian clinical trial coordinators about how better to secure their information.
Those recommendations involved some technically complex solutions, such as using external file encryption tools with strong encryption algorithms to ensure the whole file is encrypted rather than simply certain parts of it.
The report went on to highlight the need for policies to be put in place to ensure stronger passwords are used, along with general guidelines on email security and information management security.
But most important among these warnings, claim the researchers, is that of password sharing: “It does not matter how strong a password is; if many individuals know that password then it is not a secure password.”