Author: Megan Williams
Date published: July 17, 2024
The potential of personalized medicine is immense, ranging from cancer research to treating autoimmune diseases. Its advancement relies heavily on understanding genetic variability in local populations, and crowdsourcing efforts to collect sequencing data have been helpful in multiple real-world applications.
But there is a potential dark side when it comes to genetic privacy. State legislatures have raised concerns about people being blocked from insurance or jobs because of their genes. Answering these challenges usually means building a "wall" around an individual's genetic information to prevent access or exploitation without that person's consent.
While admirable on its face, this goal is difficult to achieve. Genetic data is often stored in the cloud, due to the high-volume, low-cost data processing capabilities as compared to on-premise options. But this raises questions around the security of these cloud solutions. This makes advanced security solutions important for any entity needing to address genetic testing privacy concerns while exploring the potential of genomic research.
Genetic privacy is like other forms of patient data privacy. Genome data is personally identifiable information, just like iris scans, fingerprints, or social security numbers—and it carries the same potential for violations of privacy. There exists potential risks when de-identified (or anonymized health) data, including genomics data is combined with other public data sources.
According to the National Institutes of Health (NIH), National Library of Medicine, National Center for Biotechnology Information,1 “It should be recognized that de-identification is not, by any means, the only privacy concern that needs to be addressed when sharing clinical trial data. In fact, there must be a level of governance in place to ensure that the data will not be analyzed or used to discriminate against or stigmatize the participants or certain groups (e.g., religious or ethnic) associated with the study. This is because discrimination and stigmatization can occur even if the data are de-identified.”
This dynamic makes current and future use of genomic data in the cloud subject to ethical and privacy concerns. Acquiring, processing, storing and transmitting genetic data brings with it a risk of abuse 2 because of its personal nature.
As the availability of genomic datasets3 continues to grow at a rapid pace, technology leaders are tasked with understanding their genomic privacy threat landscape, especially when leveraging the benefits of cloud solutions.2 This includes identifying and responding to the challenges in building privacy-protecting solutions. Public genomic data is subject to various privacy attacks, including:
Data linkage, where external data such as demographics and social interactions are used to identify a target
DNA phenotyping, in which observable phenotypes, such as facial features, are reconstructed to identify someone
Kinship techniques, where the genetic predisposition of relatives is leveraged
Inference from summary statistics, in which publicly available statistics are leveraged to infer the phenotype
According to Verizon's 2023 Healthcare Data Breach Investigations Report (DBIR), personal and medical information are the types of data most often compromised during attacks on the healthcare sector. The majority of breaches carried out by threat actors in the Healthcare sector are 66% external and 35% internal. It's important to act fast to detect unusual data access patterns. Additionally, over the last three years there has been an increase in ransomware attacks. Read the full Data Breach Investigations Report (DBIR) for more insights. It is Verizon's annual report that, combined with 80+ industry leading cyber security partners, provides in-depth analysis on recent cyber threats and data breaches.
This, it is perhaps not a surprise that the U.S. government's National Cybersecurity Center of Excellence is concerned about the security of genomic data. The real-world breach consequences experts are worried about genetic information being used for range from identity theft purposes to even the highly speculative creation of biological weapons, such as a "precision poison" used to target specific populations.
Responsibilities for addressing these threats to genetic privacy can vary by stakeholder.
According to Genome.gov, researchers in genomic science and precision medicine are bound by the Common Rule (which applies to most federally funded human subjects research) and the Health Insurance Portability and Accountability Act (HIPAA) Privacy rule.
They also have a duty to obtain authorization from participants to collect, use or disclose identifiable health information for certain types of research. Researchers should make an effort to understand the situations in which a research participant is protected and those in which it might not be (e.g., when de-identified data is being used or when protecting public health).
The Genetic Information Nondiscrimination Act (GINA) was passed to restrict access of employers and entities that issue health insurance to prohibit genetic discrimination. This type of information could be used to discriminate against individuals who are applying for long-term care, life and disability insurance.
Genetic privacy becomes especially complex in the public space. Law enforcement agencies use genetic and genomic information during crime investigations or sometimes in the exoneration of individuals who have been falsely convicted of a criminal act.
Additionally, direct-to-consumer (DTC) genetic testing continues to increase in popularity. Companies in this field use individual DNA to provide information around a person's ancestry or even genetic risk for certain health conditions. Today, regulation is still limited. Many companies have robust informed consent and privacy policies, but there is no federal law prohibiting these companies from providing information to third parties.
As more of the public begins to exchange and access the results of genetic data and research through consumer-facing genetic testing and genealogical services, a privacy protection gap in direct-to-consumer (DTC) applications has emerged. Current privacy regulations do not always address the DTC space, and there is currently no entity that maintains oversight of the data sharing process.
Because of the sensitivity of genetic information, there is a significant benefit to exploring proactive security solutions. This includes regular cyber security training. This is particularly important given that 74% of breaches involved the "human element," according to 2023's DBIR.
Those responsible for the security of genomic data have multiple techniques available for preserving the privacy of individuals and groups, including encryption techniques, access control, differential privacy and secure multi-party computation (SMC) protocols.
Organizations responsible for addressing genetic testing privacy concerns should also familiarize themselves with options available in cloud and network infrastructure security. This can help to bolster compliance across an organization, enforce security policies as new regulations in genetic privacy emerge and protect against attacks.
To learn more about how your efforts to address genetic testing privacy concerns can align with a broader healthcare security strategy, we invite you to explore emerging options from Verizon in a new digital age of healthcare data security.
The author of this content is a paid contributor for Verizon.
1 Committee on Strategies for Responsible Sharing of Clinical Trial Data; Board on Health Sciences Policy; Institute of Medicine. Washington (DC): National Academies Press (US); 2015 Apr 20.
2 Hekel, R., Budis, J., Kucharik, M. et al. Privacy-preserving storage of sequenced genomic data. BMC Genomics 22, 712 (2021). https://doi.org/10.1186/s12864-021-07996-2
3 Bonomi, L., Huang, Y. & Ohno-Machado, L. Privacy challenges and research opportunities for genomic data sharing. Nat Genet 52, 646–654 (2020). Published 29 June 2020.