Genomics Cybersecurity Issues
In 2011, former Apple CEO and pancreatic cancer victim Steve Jobs paid about $100,000 to Illumina, one of the world’s leading genomics firms, to sequence his DNA in an effort to further the fight against cancer. A mere three years later, the same company offered a complete DNA sequence for only $1,000. In 2017, sequencing costs less than $200, and the price includes a laundry list of data analytics results that are both fascinating and incredibly insightful.
Such a dramatic price drop in such a short period of time has resulted in a massive influx of genomics requests. Consumer-facing companies such as 23andMe and Ancestry.com now offer services to genotype customer DNA samples (through Illumina or another genomics corporation), research ancestries based on that sample, and even discover disease risks such as heart disease or diabetes.
The incredibly fast growth rate of the genomics industry means that highly sensitive genetic information is now being stored en masse on cloud servers. And where there is sensitive data stored on servers, well-trained IT personnel with degrees in cybersecurity come in handy.
Because the Health Insurance Portability and Accountability Act (HIPAA) does not cover anonymized data, the firms involved in genetic testing and genealogical research are free to institute their own rules governing protections. Additionally, although customers are told that their de-identified genetic information can be shared with third parties, they are also encouraged to share their information on a voluntarily wider scale.
The reasons for voluntarily sharing genetic information include facilitating easier genealogical breakthroughs (distant relatives might discover each other where previously they would never have known they were related) and furthering scientific research on genetics (diseases and predispositions toward diseases).
Anonymized, or de-identified genetic sequences and shared genomic information both have many benefits, but they also present some serious security risks or, at least, potential future security risks, according to genetic testing authority Adam Tanner in his 2016 article, “The Promise & Perils Of Sharing DNA” on Undark.org. The following are a few of the risks Tanner exposes:
- Because of the nature of DNA, even de-identified genetic sequences may be re-identifiable in the future. Essentially, someone may figure out a way to use an unidentified DNA sequence to produce the name of the person to whom that DNA belongs.
- Genetic information can potentially be used for identity theft purposes, and this possibility will very likely increase as technology improves.
- People who have been identified as prone to certain diseases or conditions could be targeted by marketing firms or singled out as a risk by insurers and potential employers. The popular 1997 speculative fiction film Gattaca explores just such a possibility.
- Even people who never submit to genetic testing could be compromised by blood relatives who have their DNA sequenced.
Scarier scenarios include theft of genetic information by foreign powers of terrorist organizations. “Government officials are also concerned about the possible use of massive data sets of American health information to create tailored biological attacks,” explains reporter Eamon Javers in his CNBC article, “US Official: American DNA Info At Risk For Theft By Foreign Powers.”
A Challenge For Cybersecurity
As more genetic information is stored and shared on the cloud or over networks, the challenge to cybersecurity personnel will be to make sure that DNA sequencing can be used only by those with authorized access.
The two practical applications where genetic data set security must be vigilantly maintained are outsourcing and collaboration, according to Haixu Tang, et al., in their BMC Medical Genomics technical paper, “Protecting Genomic Data Analytics In The Cloud: State Of The Art And Opportunities.”
In his paper, Tang also describes the details of a competition designed to test the effectiveness of current cybersecurity methods. The results of the competition revealed that certain types of analytical tasks are already well protected, while the more complex tasks performed on encrypted data need more work. Computer scientists, cryptographers, and penetration testers will have to work together with biomedical professionals to improve privacy-enhancing technologies (PET) before genetic information will truly be as safe as possible while online.
DNA cryptography requires that information be stored on multiple clouds. Using a single cloud server is too risky because it’s much easier for hackers to hack into one server than multiple servers simultaneously. Security researchers R. Thilagavathy and A. Murugan illustrate the process of DNA cryptography in their Indian Journal of Science and Technology paper, “Cloud Computing: A Survey On Security Issues And DNA, ID-Base Cryptography.”
According to Thilagavathy and Murugan, critical DNA sequencing data should be processed in two phases. When original DNA data is uploaded, a binary code rule is applied to it through a process called data embedding. Next, a process called data extracting involves a cipher text conversion that applies a base pair rule (because the nucleotides in a strand of DNA are always paired, hence the double helix shape) to the DNA information and indexes each nucleotide pair in a DNA reference sequence.
The process is spread out over four cloud service providers for added security. DNA cryptography, to include data embedding and data extracting, provides a secure, effective environment for government agencies, schools, and other researchers to benefit from genomics without jeopardizing sensitive data.
Maryville University’s online cybersecurity degree offers advanced training in cybersecurity, network and wireless security, ethical hacking, and digital forensics. All skills are learned and practiced in Maryville University’s virtual training lab.
Graduates may qualify for high-paying positions such as networking consultant, information security manager, security analyst, or network architect in some of the world’s largest tech companies. Contact Maryville University for more information.