How Strong are Passwords Used to Protect Personal Health Information in Clinical Trials?

Background: Findings and statements about how securely personal health information is managed in clinical research are mixed.
Objective: The objective of our study was to evaluate the security of practices used to transfer and share sensitive files in clinical trials.
Methods: Two studies were performed. First, 15 password-protected files that were transmitted by email during regulated Canadian clinical trials were obtained. Commercial password recovery tools were used on these files to try to crack their passwords. Second, interviews with 20 study coordinators were conducted to understand file-sharing practices in clinical trials for files containing personal health information.
Results: We were able to crack the passwords for 93% of the files (14/15). Among these, 13 files contained thousands of records with sensitive health information on trial participants. The passwords tended to be relatively weak, using common names of locations, animals, car brands, and obvious numeric sequences. Patient information is commonly shared by email in the context of query resolution. Files containing personal health information are shared by email and by posting them on shared drives protected by common passwords, to facilitate collaboration.
Conclusion: If files containing sensitive patient information must be transferred by email, mechanisms to encrypt them and to ensure that password strength is high are necessary. More sophisticated collaboration tools are required to allow file sharing without password sharing. We provide recommendations to implement these practices.


Data Breach Notification Laws and the Encryption Exemption
The inadvertent disclosure or loss of unencrypted PHI would be considered a data breach. Most states in the US have breach notification laws [18]. These require a data custodian to report a data breach to the individuals affected, state attorneys general, the media, consumer reporting agencies, and/or some other government agency.
There are penalties for a failure to comply with the state breach notification laws, which vary from state to state. They often permit enforcement by state attorneys general. Some states, such as Arizona, Arkansas, Connecticut and Florida, allow civil penalties. At the extreme end of penalties, some states (e.g., Arkansas and Connecticut) allow for the termination of the right to conduct business in the state. There have already been some penalties and costly settlements for failure to report a breach [19,20].
Many jurisdictions provide a safe harbor for encrypted data in that no notification is required [21,22]. Title XIII of the American Recovery and Reinvestment Act (the HITECH Act) has the additional requirement that the encryption must meet accepted national standards [23]. Guidance for the California breach notification law by the Office of Privacy Protection does specify standards for encryption, but these are not binding [24]. Therefore, the sharing of PHI that is not encrypted would subject data custodians in clinical trials to the breach notification requirements. These can be costly and damaging to the reputation of the sites and sponsors. For instance, individuals lose trust in the organizations that collect data from them if there is a breach [25-27], and listed corporations suffer a loss in their share price after the announcement of a security breach [26,28-31]. After a breach, there are also costs associated with investigations, the notification itself, litigation, redress and compensation [32,33]. Recently, regulators and courts in the US and the UK have started imposing fines on organizations after particularly egregious breaches, repeat offenses, or to set examples [34-40].

Participant Expectations When PHI is Sent by Email
Providers and patients do use insecure email to exchange PHI. The proportion of US Internet users who reported communicating with their health care provider was 10% [41], a European survey found that 4% have approached their family doctor over the Internet, and about 7% of email users in the US exchange emails with physicians or health professionals [42]. The proportion of physicians who report communicating by email with their patients varies from 3.6% to 24% [43-45]. About a quarter of patients correspond via email with family members [46]. PHI may also be exchanged electronically among patient peers [47].
Professional associations recommend obtaining an explicit patient waiver for using unencrypted email for patient-provider communication [48-51]. Under those conditions the patient has consented to the elevated risk of an adversary getting hold of their PHI. In the context of clinical trials, however, the participants do not waive their expectation that their PHI will be transmitted, stored, and handled in a secure manner.

Password Strength
A common way of encrypting files when they are shared, say through email, is to protect them with a password. It is known that strong passwords are difficult to remember [52,53]. Therefore, users choose memorable passwords that are also easy to crack through dictionary attacks [54,55], use words that are familiar to them in their passwords [56], pick passwords that are easy for their spouses and partners to guess [52], and generally select the weakest passwords that they can get away with [57]. It has been argued that security advice, including advice on the choice of strong passwords, offers poor cost-benefit tradeoffs for users and is therefore rejected [58]. Consequently, many passwords are quite weak [57,59-69]. For example, a recent hack exposed 32,603,387 passwords from the RockYou.com site, which provides services and applications to social networking sites like Facebook and MySpace [70]. An analysis of these passwords [71] revealed the top 20 passwords shown in Table 1. The top 20 passwords, all poor choices, represent around 2.5% of all passwords. Our own analysis of this data further reveals that 13,589,529 used only lower case characters, 488,499 used only upper case characters, 5,193,330 used only digits (not mixing character types makes a password easier to break), 1,405,280 were five characters or less (it is generally recommended that a password have at least eight characters), and 9,893,677 were six characters or less. When we ran our password dictionaries [72,73] against the RockYou.com password list in a dictionary attack, we found that approximately 18%-19% of the individuals had passwords in the dictionary. Healthcare professionals are not immune from creating poor passwords [74].
Table 1 note: the top-20 counts are taken from the analysis in [71], which removed dangling spaces from the passwords and did not account for different capitalizations (e.g., "Michael" and "michael" were treated as the same password).
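The composition and dictionary checks just described, as an added example that is not the authors' analysis code and does not use the RockYou.com data: it applies the single-character-class, length and dictionary-membership tests from the text to a small constructed password list, using the trailing-space and capitalization normalization noted for Table 1, and reports the counts. SAMPLE and DICTIONARY are constructed for the example (DICTIONARY stands in for the dictionaries in [72,73]); the thresholds follow the text.

```python
"""Password-composition and dictionary checks of the kind applied to the
RockYou.com list above. Added example with a constructed sample; it is not
the authors' code, and DICTIONARY stands in for the dictionaries in [72,73]."""
from collections import Counter

# Constructed sample (the real list had 32,603,387 entries).
SAMPLE = [
    "123456", "michael", "Toronto", "PASSWORD", "tiger1", "camry",
    "abc12", "Qx7#pL9!v", "12345", "kitty ", "Michael", "2010",
]

# Constructed mini-dictionary: place names, animals, common first names, etc.
DICTIONARY = {"michael", "toronto", "tiger", "kitty", "password"}


def normalize(pw: str) -> str:
    """Same normalization as [71]: drop dangling spaces, ignore capitalization."""
    return pw.strip(" ").lower()


def character_class(pw: str) -> str:
    """Single-class passwords are the easy ones: the search space is tiny."""
    if pw.isdigit():
        return "digits_only"
    if all(c.islower() for c in pw):
        return "lower_only"
    if all(c.isupper() for c in pw):
        return "upper_only"
    return "mixed"


def analyze(passwords, dictionary=DICTIONARY) -> Counter:
    """Counts for the checks discussed in the text."""
    stats = Counter(total=len(passwords))
    for pw in passwords:
        stats[character_class(pw)] += 1
        if len(pw) <= 5:
            stats["len_le_5"] += 1
        if len(pw) <= 6:
            stats["len_le_6"] += 1
        if normalize(pw) in dictionary:
            stats["in_dictionary"] += 1
    return stats


def top_passwords(passwords, n=20):
    """Most common passwords after normalization, as in Table 1."""
    return Counter(normalize(p) for p in passwords).most_common(n)


def share(stats: Counter, key: str) -> float:
    """Fraction of all passwords with a given property."""
    return stats[key] / stats["total"]


if __name__ == "__main__":
    s = analyze(SAMPLE)
    for key in ("lower_only", "upper_only", "digits_only",
                "len_le_5", "len_le_6", "in_dictionary"):
        print(f"{key:14s} {s[key]:3d}  ({share(s, key):.0%})")
    print(top_passwords(SAMPLE, 3))  # [('michael', 2), ...]
```

On the sample, 5 of 12 passwords fall to the mini-dictionary once case and dangling spaces are normalized, and 7 of 12 are six characters or shorter; the same counters run unchanged over a multi-million-entry leak.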

Getting Access to Encrypted Files with Weak Passwords
If the passwords used are weak, and consequently easily recoverable, then encryption provides no meaningful protection: an adversary who obtains the files can decrypt them. There are a number of ways in which an adversary could obtain the files.
It is possible for an adversary to intercept the files in transit. This could happen, for example, if an email is inadvertently sent to the wrong person or group. Also, some frequently used free hosted email services, such as Yahoo mail and Hotmail, do not encrypt communications between the user and the mail server by default, making it quite easy to intercept messages and get the files being transmitted (for example, over unprotected public wireless networks). Email messages may also be relayed through multiple servers before they reach their destination. For example, a clinical trial site may use a commercial ISP to store and forward incoming email in case its own servers go down. In principle, any of those relays can examine the payload of the messages.
An adversary can also get access to the files once they arrive in the recipient's mailbox in a number of different ways: through inadvertent disclosure of the email file when machines are sold, donated or given to another employee [75], by getting user email account passwords through phishing schemes or other types of attack [76-78], if hardware with email files is stolen from practice offices [79], from peer-to-peer file sharing networks installed on the recipient's machine [80-83], or by law enforcement if the recipient is using a hosted email service (with servers potentially located in another country) [84,85].
There is evidence that the secret questions used to recover or change account passwords, often used by hosted web-based email providers, are quite easy to guess by friends, spouses and acquaintances or by statistical guessing [86-88], making it possible for an adversary to reset the password and get access to the email. Furthermore, subpoenas of email in civil and criminal cases are quite common [89], and requests for data from service providers by governments are numerous (for example, Google received at least 4,287 data requests from the US government in the first six months of 2010) [90]. Some judges have ruled that government agencies are allowed to search through hosted web-based email accounts without notifying the account's owner [91].
Even if the passwords are not weak, adversaries can use other methods to obtain the encryption password, for example, through keyloggers or other crimeware that may be installed on the recipient's machine [92-94], or by running password recovery tools against the files, as we did in the current study.
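How a password recovery tool of the kind used in this study gets at a file protected by a weak password, as an added example: this is not the commercial tools used here, and it is a simplified model rather than the real ZIP, Office or PDF formats. The model keeps the feature those formats share: the file stores a small verifier derived from the password, so a cracker can test wordlist candidates plus mangling rules offline, at full speed, until one verifies. Key derivation is PBKDF2-HMAC-SHA256 with an assumed low iteration count so that the example runs in seconds; SALT, WORDLIST and the target passwords are constructed.

```python
"""Dictionary attack with mangling rules against a password-protected file's
key verifier. Added example: a simplified model of how password recovery
tools work, not the real ZIP/Office/PDF formats or the tools used in the
study. ITERATIONS, SALT and WORDLIST are assumptions/constructed inputs."""
import hashlib
import hmac

# Assumption: a small KDF cost so the example runs quickly; real formats use
# different, often much higher, work factors. That changes only the cost per
# guess, not how many guesses a weak password survives.
ITERATIONS = 1000
SALT = b"constructed-salt"  # constructed; a real file stores a random salt


def derive_key(password: str, salt: bytes = SALT, iterations: int = ITERATIONS) -> bytes:
    """Password -> 256-bit file key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def make_verifier(password: str, salt: bytes = SALT) -> bytes:
    """8-byte check value stored alongside the ciphertext so a wrong password is
    rejected without decrypting the payload. Its presence is what lets a cracker
    test candidates offline."""
    return hmac.new(derive_key(password, salt), b"verifier", "sha256").digest()[:8]


def mangle(word: str):
    """Yield the variants a recovery tool tries for one wordlist entry:
    case variants, then short numeric and year suffixes (2-digit and 1990-2011)."""
    bases = []
    for b in (word, word.lower(), word.capitalize(), word.upper()):
        if b not in bases:
            bases.append(b)
    suffixes = [""] + [str(n) for n in range(100)] + [str(y) for y in range(1990, 2012)]
    for base in bases:
        for suf in suffixes:
            yield base + suf


def candidate_count(wordlist) -> int:
    """Size of the search space the mangling rules produce."""
    return sum(1 for w in wordlist for _ in mangle(w))


def crack(verifier: bytes, wordlist, salt: bytes = SALT):
    """Return (password, attempts), or (None, attempts) once the wordlist is exhausted."""
    attempts = 0
    for word in wordlist:
        for cand in mangle(word):
            attempts += 1
            if hmac.compare_digest(make_verifier(cand, salt), verifier):
                return cand, attempts
    return None, attempts


# Constructed wordlist mirroring the categories found in the study's files:
# a place name, an animal, a car brand.
WORDLIST = ["toronto", "tiger", "camry"]

if __name__ == "__main__":
    weak = make_verifier("Camry2010")          # the kind of password the study recovered
    print(crack(weak, WORDLIST))               # ('Camry2010', 983)
    strong = make_verifier("K7#vq!Lm9pQz-rT")  # not reachable from the wordlist
    print(crack(strong, WORDLIST))             # (None, 1107)
```

Three wordlist entries with a few suffix rules already yield 1,107 candidates, and "Camry2010" falls after 983 of them; a real tool runs far larger dictionaries with far more rules, which is why a password drawn from place names, animals or car brands offers little protection regardless of the encryption algorithm behind it.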

Dangers of Sharing Passwords
Even strong passwords protecting encrypted files may not, by themselves, eliminate the risks of transferring PHI electronically. The practices for managing these passwords must also be strong, say, by not revealing or sharing them. For instance, it is known that members of the public will reveal their passwords for a chocolate bar, an Easter egg, or a cheap pen [95-102].
Generally, individuals adopt behaviors that get their work done more expeditiously and efficiently, bypassing security policies and tools that hinder that objective [65,103]. Therefore, if sharing passwords overcomes an obstacle to getting the work done, it is not surprising that the passwords will be shared.