How generalizable are the conclusions from this study ?

We have been asked about the generalizability of the clinical trials file sharing study here: http://www.jmir.org/2011/1/e18/

We must remember that this was a small study, although it did highlight some important issues. Below we will consider a number of points about how much we can generalize the findings:

• The analysis of passwords was performed in 2007-2008 (the interviews were conducted in 2010). It is plausible that because of education and other improvements in practices, individuals working on clinical trials do not send files containing personal health information by email any more, or are now using more sophisticated encryption methods. Actually, this issue has been of great concern to us because we wanted to ensure that we represent reality as accurately as possible and do not unfairly project historical practices to today. However, anecdotally, as we discussed and presented these results over the last few months, the reaction we kept getting is of agreement that this is consistent with current practices. In particular, we often enough hear that data is transmitted without encryption, let alone weak passwords. Therefore, we are reluctant to say that these results are old and do not reflect what is happening today.
• Because of the nature of this kind of analysis (revealing weak practices), we believe that only those individuals who thought they had decent practices in place agreed to participate and subject themselves to this kind of scrutiny. Therefore, it can be argued that we are describing the "good" end of the spectrum where passwords are being used at all.
• Modern EDC systems will likely make emailing patient files unnecessary. However, even when EDC systems are in use, not all individuals who need data have accounts on the EDC systems. Therefore, just because an EDC system is in use, that does not mean that file sharing is done in a secure way. And of course, not all trials are using EDC systems.
• We did not try to recruit from a random sample of all trials. Therefore, our sampling frame may have been biased towards trials that do not have good security practices.

We also do acknowledge that there is a lot of variability and there will be trials with very strong security practices.

The author(s) retain all copyright to this knowledgebase article. Please include a citation to the web page if you reuse this material. More information is available at our lab web site: http://www.ehealthinformation.ca/.