Trusting Medical Researchers with PHI
The subject of medical research and personal information protection can quickly become a quagmire. Even raising the subject risks one being tagged as a Grinch-like character who surely must drown kittens and tell those young cancer-stricken children appearing in telethons that there’s no Santa Claus. The win-win scenario is de-identified information with good security around the linking data that connects the raw health information with individual identities. But can researchers really be trusted to protect personal health information?
The question arises as a result of a paper published in the Journal of Medical Internet Research by Khaled El Emam, Katherine Moreau and Elizabeth Jonker: How Strong are Passwords Used to Protect Personal Health Information in Clinical Trials?
Before delving into the subject further, a useful document to consider is a 2009 report commissioned by the Office of the Privacy Commissioner of Canada: Use of Data from the Electronic Health Record for Health Research – current governance challenges and potential approaches by Donald Willison of the Faculty of Medicine at McMaster University. In his paper, Professor Willison explores the intersection of privacy and medical research.
The Executive Summary of Professor Willison’s paper certainly raises enough issues with respect to information management and governance:
With shifts in how research is being conducted – moving from discrete studies to registries and biobanks that will serve as research platforms, and the wide range of possible uses – the conventional approach to consent is inadequate.
The proliferation of health information holdings along with heterogeneous data management policies raises concerns over the long-term secure management of health information. It also highlights the need for oversight over these collections. (Emphasis added)
As well, there will be increasing pressures from researchers for more direct access to patients for purposes of contacting them to participate in research. The current two-stage mechanism of initial contact with patients does not work well, yet its alternative – direct contacting of patients by researchers with no reasonable expectation of access to their personal health information – raises major privacy concerns and may contravene current privacy laws.
Together, these issues call for more than change at the margins or for an attempt to bar access to data. Instead, they call for a fundamental re-consideration of how information is used for research and the role of research vis-à-vis clinical care, public health, and quality improvement. We need to consider what a coherent information management system would look like if we were to begin de novo, knowing what we now know.
While Dr. Willison provides a very “big picture” look at privacy and health research, Dr. El Emam’s paper provides a useful “down in the weeds” snapshot of what researchers actually do.
The “Strong Passwords” paper describes two studies. The first collected password-protected files that had been transmitted by email during regulated Canadian clinical trials and ran commercial password-cracking software against them to recover the passwords protecting the data. The second interviewed study coordinators to understand how files containing personal health information are shared in clinical trials.
Granted, it’s a small sample, but the results are still disturbing. El Emam and his colleagues were able to crack the passwords for 93% of the files, the vast majority of which contained thousands of records with sensitive health information on trial participants. The passwords were relatively weak: common names of locations, animals and car brands, and obvious numeric sequences.
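As an added illustration, not code from the paper or from this post, the following Python check screens a password chosen to protect a PHI file against the weak categories the study reports (location names, animals, car brands, numeric sequences) and a minimum length. The wordlists and the 14-character threshold are constructed assumptions; a real deployment would load full dictionaries and its own policy value.

```python
"""Screen a file-protection password for the weak patterns the study found.

Added example; the wordlists below are small constructed samples, not data
from the study, and MIN_LENGTH is an assumed policy threshold.
"""
from __future__ import annotations

import re

# Constructed sample lists; a deployment would use full dictionaries.
WEAK_WORDS = {
    "location": {"ottawa", "toronto", "montreal", "canada", "paris"},
    "animal": {"tiger", "monkey", "dragon", "horse", "kitten"},
    "car brand": {"honda", "toyota", "ford", "subaru", "mazda"},
}
MIN_LENGTH = 14  # assumed minimum for a passphrase guarding a PHI file


def _is_sequence(digits: str) -> bool:
    """True for runs of three or more digits like 1234, 4321 or 7777."""
    if len(digits) < 3:
        return False
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return len(steps) == 1 and steps.pop() in (1, -1, 0)


def audit_file_password(password: str) -> list[str]:
    """Return the weak-pattern findings for a password; an empty list means it passed."""
    findings: list[str] = []
    lowered = password.lower()
    # Strip leading/trailing digits and symbols so 'Toronto2010!' still matches 'toronto'.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    for category, words in WEAK_WORDS.items():
        if core in words:
            findings.append(f"common {category} name: {core!r}")
    for run in re.findall(r"\d{3,}", password):
        if _is_sequence(run):
            findings.append(f"obvious numeric sequence: {run!r}")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    return findings


if __name__ == "__main__":
    # Constructed samples in the style of the categories the study describes.
    for sample in ("Toronto2010!", "honda1234", "Purple-Stapler-Ottawa-Meets-Rain"):
        print(sample, "->", audit_file_password(sample) or "ok")
```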
From the interviews, it appears patient information is commonly shared by email in the context of query resolution. To facilitate collaboration, files containing personal health information are also posted on shared drives protected by passwords that are common to the group.
By analogy, one can’t help but feel that “the spirit is willing but the flesh is weak”, i.e. researchers do employ security mechanisms, but not very well. El Emam concludes that improved encryption, stronger passwords and better collaboration tools are required. This is a not unreasonable conclusion. Given the reliance on technology to store, organize and analyze the raw data, best practices do evolve to address the rapidly changing threat landscape. It seems researchers haven’t kept up, or haven’t been required to keep up.
There is plenty of laudable guidance for researchers on what they should do to protect privacy. The CIHR Best Practices for Protecting Privacy in Health Research is an example. But, while useful, this guidance is high level, and just how good are the practical measures used by researchers? Willison’s governance warnings and Dr. El Emam’s paper highlight the difference between theory and practice.
People assume that research ethics boards are qualified or capable of auditing or ensuring privacy protections. While there are exceptions to every rule, that isn’t necessarily the case. El Emam’s paper serves as a vivid reminder that health researchers are just as vulnerable to security breaches as the rest of us. Willison’s report raises larger questions and, given the continuing development of EHR platforms, it might be a good topic for a larger discussion at the next meeting of Privacy Commissioners. Perhaps we should think of “oversight” as something requiring a more “hands on” approach.