How strong are passwords used to protect personal health information in clinical trials?

Journal of Medical Internet Research

Volumn 13, Issue 1, 2011, Pages

  Emam, Khaled El ^a,b   Moreau, Katherine ^a   Jonker, Elizabeth ^a  

^a CHILDREN S HOSPITAL OF EASTERN ONTARIO   (Canada)

^b UNIVERSITY OF OTTAWA   (Canada)

Author keywords

Passwords; Privacy; Security

Indexed keywords

ARTICLE; CLINICAL TRIAL (TOPIC); COMPUTER SECURITY; CONSUMER HEALTH INFORMATION; E-MAIL; HUMAN; INFORMATION RETRIEVAL; METHODOLOGY; PRIVACY;

CLINICAL TRIALS AS TOPIC; COMPUTER SECURITY; CONSUMER HEALTH INFORMATION; ELECTRONIC MAIL; HUMANS; INFORMATION STORAGE AND RETRIEVAL; PRIVACY;

EID: 79953076040     PISSN: None     EISSN: 14388871     Source Type: Journal    
DOI: 10.2196/jmir.1335     Document Type: Article

References (62)

1. El Emam K, Jonker E, Sampson M, Krleza-Jerić K, Neisa A. The use of electronic data capture tools in clinical trials: Web-survey of 259 Canadian trials. J Med Internet Res 2009;11(1):e8 [FREE Full text] [doi: 10.2196/jmir.1120] [Medline: 19275984]
2. Irving R. 2002 Report on Information Technology in Canadian Hospitals. Thornhill, Ontario: Canadian Healthcare Technology; 2003.
3. Healthcare Information and Management Systems Society Foundation. Healthcare CIO Results. Chicago, IL: HIMSS Foundation; 2004.
4. Andrews JE, Pearce KA, Sydney C, Ireson C, Love M. Current state of information technology use in a US primary care practice-based research network. Inform Prim Care 2004; 12(1):11-18. [Medline: 15140348] (Pubitemid 38647404)
5. Bower AG. The Diffusion and Value of Healthcare Information Technology. Santa Monica, CA: Rand Corp.; 2005.
6. Fonkych K, Taylor R. The State and Pattern of Health Information Technology Adoption. Santa Monica, CA: Rand Corp.; 2005.
7. El Emam K, Jonker E, Sams S, Neri E, Neisa A, Gao T, et al. Pan-Canadian De-Identification Guidelines for Personal Health Information. Ottawa, Ontario: Office of the Privacy Commissioner of Canada; 2007.
8. El Emam K, Dankar FK, Vaillancourt R, Roffey T, Lysyk M. Evaluating the risk of re-identification of patients from hospital prescription records. Can J Hosp Pharm 2009;62(4):307-319 [FREE Full text] [WebCite Cache]
9. El Emam K, Kosseim P. Privacy interests in prescription records, part 2: patient privacy. IEEE Security & Privacy Magazine 2009;7(2):75-78. [doi: 10.1109/MSP.2009.47]
10. El Emam K, Jabbouri S, Sams S, Drouet Y, Power M. Evaluating common de-identification heuristics for personal health information. J Med Internet Res 2006; 8(4):e28 [FREE Full text] [doi: 10.2196/jmir.8.4.e28] [Medline: 17213047] (Pubitemid 47450199)
11. Upshur RE, Morin B, Goel V. The privacy paradox: laying Orwell's ghost to rest. CMAJ 2001 Aug 7; 165(3):307-309. [Medline: 11517649] (Pubitemid 32881234)
12. Gershon AS, Tu JV. The effect of privacy legislation on observational research. CMAJ 2008 Mar 25; 178(7):871-873. [doi: 10.1503/cmaj.061353] [Medline: 18362384] (Pubitemid 351482295)
13. Cavoukian A. Office of the Privacy Commissioner of Ontario. 2007. Order HO-004 URL: http://www.ipc.on.ca/images/Findings/up-3ho-004.pdf [accessed 2007-04-20] [WebCite Cache ID 5OFOzaj1O]
14. El Emam K. Data Anonymization Practices in Clinical Research: A Descriptive Study. Ottawa, Ontario: Health Canada, Access to Information and Privacy Division; 2006.
15. Johnson ML, Bellovin SM, Reeder RW, Schechter SE. Laissez-faire file sharing: access control designed for individuals at the endpoints. In: NSPW '09 Proceedings of the 2009 Workshop on New Security Paradigms. New York NY: ACM Press; 2009.
16. Dalal B, Nelson L, Smetters D, Good N, Elliot A. Ad-hoc guesting: when exceptions are the rule. 2008 Presented at: Usability, Psychology, and Security 2008; Apr 14, 2008; San Francisco, CA URL: http://www.usenix.org/events/upsec08/ tech/full-papers/dalal/dalal-html/dalal.html [WebCite Cache]
17. Voida S, Edwards WK, Newman MW, Grinter RE, Ducheneaut N. Share and share alike: exploring the user interface affordances of file sharing. In: Proceedings of ACM CHI 2006 Conference on Human Factors in Computing Systems. New York, NY: ACM Press; 2006:221-230. (Pubitemid 44032105)
18. Whalen T, Smetters D, Churchill EF. User experiences with sharing and access control. In: Proceedings of the CHI '06 Extended Abstracts on Human Factors in Computing Systems. New York, NY: ACM Press; 2006:1517-1522.
19. Osterman Research. Proofpoint. 2010. Outbound Email and Data Loss Prevention in Today's Enterprise URL: http://www.proofpoint.com/downloads/ Proofpoint-Outbound-Email-and-Data-Loss-Prevention-2010.pdf [accessed 2010-12-13] [WebCite Cache ID 5ux9tNwBx]
20. Wheeler D. Applied Clinical Trials Online. 2010. Rethinking Document Sharing: The Benefits of Peer-to-Peer Networking Over Email, Fax, and Hosted Solutions URL: http://appliedclinicaltrialsonline.findpharma.com/ appliedclinicaltrials/CRO%2FSponsor/Rethinking-Document-Sharing/ArticleStandard/ Article/detail/660941 [accessed 2010-10-02] [WebCite Cache ID 5tBqD8vNb]
21. Shapiro M. Applied Clinical Trials Online. 2009. Poll Finds Ironic Inefficiency: Uncovering the Risky Communication Methods of Clinical Trials Professionals, While Discovering a Potential Web-Based Replacement URL: http://appliedclinicaltrialsonline.findpharma.com/appliedclinicaltrials/article/ articleDetail.jsp?id=586857 [accessed 2010-10-02] [WebCite Cache ID 5tBqPCPWN]
22. Applied Clinical Trials Online. 2009. Document Management Inefficiencies Cost Sites Time and Money Says Intralinks' Survey URL: http:// appliedclinicaltrialsonline.findpharma.com/appliedclinicaltrials/News/ Document-Management-Inefficiencies-Cost-Sites-Time/ArticleStandard/Article/ detail/601186?contextCategoryId=44911&ref=25 [WebCite Cache ID 5tBqd7lO7]
23. Schmidt DA. SANS Institute InfoSec Reading Room. 2003. E-mail Communication With Patients in the Wake of the HIPAA Final Security Rule URL: http://www.sans.org/reading-room/whitepapers/legal/e-mail-communication- patients-wake-hipaa-final-security-rule-1057 [accessed 2010-12-13] [WebCite Cache ID 5uxAd8Ign]
24. HIMSS Foundation. Healthcare Information and Management Systems Society. 2009. 2009 HIMSS Security Survey URL: http://www.himss.org/content/files/ HIMSS2009SecuritySurveyReport.pdf [accessed 2010-12-13] [WebCite Cache ID 5uxApn1kW]
25. Commonwealth of Massachusetts. Mass.gov. 201 CMR 17. 00: Standards For the Protection of Personal Information of Residents of the Commonwealth URL: http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf [accessed 2011-01-14] [WebCite Cache ID 5vjwvZkj3]
26. Worthen B. Wall Street Journal. 2008. New data privacy laws set for firms URL: http://online.wsj.com/article/SB122411532152538495.html [accessed 2010-10-03] [WebCite Cache ID 5tCoEs06a]
27. Cottis P. Redbridge Primary care Trust (NHS). 2008. Transferring Personal Information Policy and Procedures URL: http://www.redbridge.nhs.uk/files/ documents/1030-transferring%20personal%20information%20policy%20080215.pdf [accessed 2010-12-13] [WebCite Cache ID 5uxBTsEuk]
28. Research Computing. Partners Healthcare. 2010. Email Encryption URL: http://rc.partners.org/emailencryption/ [accessed 2010-10-03] [WebCite Cache ID 5tCnUoOn3]
29. Chalmers L. University of Edinburgh, Community Health Sciences. 2007. Guidance to Research and the Data Protection Act URL: http://www.chs.med.ed.ac. uk/cphs/researchTraining/DPResearch.pdf [accessed 2010-12-22] [WebCite Cache ID 5vAdm66WW]
30. US Department of Health and Human Services, Food and Drug Administration, Office of the Commissioner. FDA. 2007. Guidance for Industry: Computerized Systems Used in Clinical Investigations URL: http://www.fda.gov/Cder/Guidance/ 7359fnl.pdf [accessed 2009-01-11] [WebCite Cache ID 5dkOZy0uG]
31. Good Automated Manufacturing Practice Forum. The Good Automated Manufacturing Practice (GAMP) Guide for Validation of Automated Systems in Pharmaceutical Manufacture. Tampa, FL: International Society for Pharmaceutical Engineering; 2002.
32. US Department of Health and Human Services, Food and Drug Administration, Center for Drug Evaluation and Research, Center for Biologic Evaluation and Research, Center for Devices and Radiological Health, Center for Food Safety and Applied Nutrition, Center for Veterinary Medicine, Office of Regulatory Affairs. FDA. 2003. Guidance for Industry: Part 11, Electronic Records; Electronic Signatures - Scope and Application URL: http://www.fda.gov/cder/ guidance/5667fnl.pdf [accessed 2009-01-11] [WebCite Cache ID 5dkOj5uYQ]
33. US Department of Health and Human Services, Food and Drug Administration. 21 CFR Part 11: electronic records; electronic signatures; final rule. Federal Register 1997; 62(54):13430-13466 [FREE Full text] [WebCite Cache]
34. US Department of Health and Human Services, Food and Drug Administration, Center for Biologic Evaluation and Research, Center for Drug Evaluation and Research, Center for Devices and Radiological Health, Center for Food Safety and Applied Nutrition, Center for Veterinary Medicine, Office of Regulatory Affairs. FDA. 1999. Guidance For Industry: Computerized Systems Used in Clinical Trials URL: http://www.fda.gov/ora/compliance-ref/bimo/ffinalcct.pdf [accessed 2011-01-14] [WebCite Cache ID 5vjx3KTzB]
35. International Pharmaceutical Privacy Consortium. IPPC. 2006. Transmission Security Practices of Pharma Sponsors of Clinical Research URL: http://www.pharmaprivacy.org/download/Clinical-Research-Transmission-Security. pdf [accessed 2010-12-23] [WebCite Cache ID 5vCIzGZd7]
36. US Department of Health and Human Services, Food and Drug Administration. FDA. 2010. FDA to Conduct Inspections Focusing on 21 CFR 11 (Part 11) Requirements Relating to Human Drugs URL: http://www.fda.gov/AboutFDA/ CentersOffices/CDER/ucm204012.htm [accessed 2010-10-01] [WebCite Cache ID 5t9ze5Jnr]
37. DiMasi JA, Hansen RW, Grabowski HG. The price of innovation: new estimates of drug development costs. J Health Econ 2003 Mar;22(2):151-185. [doi: 10.1016/S0167-6296(02)00126-1] [Medline: 12606142] (Pubitemid 36279392)
38. Schonlau M, Fricker RD, Elliott MN. Conducting Research Surveys Via E-mail and the Web. Santa Monica, CA: RAND; 2002.
39. Miles MB, Huberman AM. In: Huberman AM, editor. Qualitative Data Analysis: An Expanded Sourcebook. 2nd edition. Thousand Oaks, CA: Sage Publications; 1994.
40. Cazier JA, Medlin BD. Password security: an empirical investigation into e-commerce passwords and their crack times. Information Security Journal 2006;15(6):45-55. [doi: 10.1080/10658980601051318]
41. Microsoft. 2003. Microsoft Office 2003 Editions Security Whitepaper URL: http://office.microsoft.com/download/afile.aspx?AssetID=AM102424861033 [accessed 2010-12-17] [WebCite Cache ID 5v3FVk3pw]
42. Microsoft. 2007. 2007 Office System Document: 2007 Microsoft Office System Document Encryption URL: http://www.microsoft.com/downloads/en/details. aspx?FamilyID=0444ea0e-3f62-4da0-8551-52349b70272e&displaylang=en [WebCite Cache]
43. Wu H. International Association for Cryptologic Research. 2005. The Misuse of RC4 in Microsoft Word and Excel URL: http://eprint.iacr.org/2005/007. pdf [accessed 2011-01-14] [WebCite Cache ID 5vjxZJxof]
44. Cazier JA, Medlin BD. How secure is your information system? An investigation into actual healthcare worker password practices. Perspect Health Inf Manag 2006;3:8. [Medline: 18066366]
45. CBCnews.ca. 2010 Aug 04. Hundreds of Ont. Patient Health Files Stolen URL: http://www.cbc.ca/canada/toronto/story/2010/08/04/usb-medical-files- stolen684.html?ref=rss&loomia-si=t0:a16:g2:r5:c0.0440057:b36264812 [WebCite Cache ID 5rkr1UjXO]
46. Microsoft Corporation. Microsoft. 2010. Password Policy URL: http://office.microsoft.com/en-ca/excel-help/password-policy-HA010355926.aspx [accessed 2010-09-29] [WebCite Cache ID 5t76jss0L]
47. Bisker S, Tracy M, Jansen W. National Institute of Standards and Technology. 2002. Guidelines on Electronic Mail Security URL: http://www.21cfrpart11.com/files/library/security/guidelines-on-email-sec.pdf [accessed 2010-12-16] [WebCite Cache ID 5v1jynapa]
48. Whitten A, Tygar J. Why Johnny can't encrypt: a usability case study of PGP 5. In: Proceedings. 1999 Presented at: 8th USENIX Security Symposium; Aug 23-26, 1999; Washington, DC.
49. Sheng S, Broderick L, Koranda CA, Hyland JJ. Why Johnny still can't encrypt: evaluating the usability of email encryption software. In: CyLab Usable Privacy and Security Laboratory, Carnegie Mellon University. 2006 Presented at: Symposium On Usable Privacy and Security; Jul 12-14, 2006; Pittsburgh, PA URL: http://cups.cs.cmu.edu/soups/2006/posters/sheng-poster-abstract.pdf [WebCite Cache]
50. Garfinkel SL, Miller RC. Johnny 2: a user test of key continuity management with S/MIME and Outlook Express. In: CyLab Usable Privacy and Security Laboratory, Carnegie Mellon University. 2005 Presented at: Symposium On Usable Privacy and Security; Jul 6-8, 2005; Pittsburgh, PA URL: http://cups.cs.cmu.edu/soups/2005/2005proceedings/p13-garfinkel.pdf [WebCite Cache]
51. Firstbrook P, Ouellet E. Gartner. 2010. Magic Quadrant for Secure E-mail Gateways URL: http://synctech.com.vn/Casestudy/ Gartner%20Magic%20Quadrant%20for%20Secure%20Email%20Gateways-2010.pdf [accessed 2011-01-14] [WebCite Cache ID 5vjxoiPus]
52. WinZip Computing. WinZip.com. How Do You Encrypt Files in a Zip File with WinZip? 2010 URL: http://kb.winzip.com/kb/entry/78/ [accessed 2010-09-28] [WebCite Cache ID 5t5VpbDwr]
53. WinZip Computing. WinZip.com. 2010. Password Policy For Encryption URL: http://kb.winzip.com/kb/entry/260/ [accessed 2010-09-28] [WebCite Cache ID 5t5VlTV7O]
54. Shinder D. TechRepublic. 2007. Safeguard Your Office 2007 Files With Encryption, Document Protection, and Digital Signatures URL: http://articles.techrepublic.com.com/5100-10878-11-6176764.html [accessed 2010-09-29] [WebCite Cache ID 5t779mb5Y]
55. Axantum Software. Axantum.com. 2011. AxCrypt Software Download URL: http://www.axantum.com/AxCrypt/Downloads. html [accessed 2011-01-14] [WebCite Cache ID 5vjxrk6Cb]
56. Federal Information Processing Standards. National Institute of Standards and Technology, Information Technology Laboratory. 1985. Standard for Password Usage URL: http://www.itl.nist.gov/fipspubs/fip112.htm [accessed 2011-01-14] [WebCite Cache ID 5vjxt0qFA]
57. HITRUST Alliance. HITRUSTAlliance.net. 2010. Common Security Framework URL: http://www.hitrustalliance.net/commonsecurityframework/ [accessed 2011-01-14] [WebCite Cache ID 5vjxtZiZ8]
58. Olson L. Electronic record challenges for clinical systems. Drug Inf J 2001;35:721-730. (Pubitemid 32825939)
59. Burdon M, Low R, Reid J. If it's encrypted its secure! The viability of US state-based encryption exemptions. In: Proceedings of the 2010 IEEE International Symposium on Technology and Society. Los Alamitos, CA: IEEE; 2010.
60. Burdon M, Reid J, Low R. Encryption safe harbours and data breach notification laws. Computer Law & Security Review 2010;26(5):520-534. [doi: 10.1016/j.clsr.2010.07.002]
61. Berg GG, Freeman MS, Schneider KN. Analyzing the TJ Maxx data security fiasco: lessons for auditors. CPA Journal 2008;78(8):34-37 [FREE Full text] [WebCite Cache]
62. Pereira J. Breaking the code: how credit card data went out wireless door. Wall Street Journal 2007 May 04.