In a world where more than 26 million people have taken an at-home DNA test, healthcare companies are soon going to have to face a new frontier of patient expectations for security. As patients increasingly want genetic screening to be part of preventative care, healthcare systems are responding by offering DNA sequencing—but nearly all are unprepared for the demands of bio-cybersecurity. As DNA sequencing becomes more common, healthcare providers, payers, vendors, and pharmaceutical companies need to ensure that patient genetic data is secure.
While genetic databases have been put to good use improving medicine and even tracking down serial killers, consumers are gradually becoming aware of why genetic data needs to be better protected. Stories of misuse are revealing how ill-prepared healthcare companies are for genetic sequencing. Between the national security threats of biological warfare and authoritarian states conducting massive surveillance programs (as is currently happening in northwest China), healthcare cybersecurity professionals need to think about how to protect their patients’ genetic information.
Most security breaches involving DNA to date have been testing companies experiencing the garden-variety theft of emails and passwords. The risks begin to multiply, though, when DNA data itself is taken into consideration. Healthcare systems could experience a breach of genetic data from ransomware and be forced to purchase back patient data. Hackers might also use stolen genetic data to blackmail individuals who have compromising information embedded in their DNA. As consumers’ genetic identification becomes increasingly tied to standard forms of identification (e.g. driver’s license, birth certificate, passport, etc.), the opportunity for identity theft using stolen genetic data could become more prevalent. These are not far-fetched futuristic prognostications. Any of these scenarios could appear in the news tomorrow.
The shift to cloud services across healthcare has been a boon to the industry in terms of improving interoperability and accessibility – but it has also opened up greater bio-cybersecurity threats. Healthcare vendors and providers cited cybersecurity, privacy and security as their top concern according to the 2019 HIMSS U.S. Leadership and Workforce Survey. And for good reason: the average healthcare organization spends $1.4 million to recover from a cyberattack, so the cost of inaction is significant.
When researchers from the University of Washington looked at the sort of open-source programs currently used by many DNA test companies, they found the DNA data-processing pipeline to be extremely vulnerable to hacking. This inherent vulnerability has given rise to a number of start-ups focused on offering secure genetic testing. For many, the future of protecting genetic data lies in blockchain.
The company Nebula Genomics, created by George Church, a professor of genetics at Harvard, utilizes blockchain technology and multi-party access control to encrypt data with multiple keys and ensure data is anonymized. The anonymization methods currently used by DNA testing companies like 23andMe do not protect against genomic re-identification and rely entirely on the company’s discretion regarding the dispersal of that data (if the consumer opts in). By contrast, blockchain is encrypted, resilient to hacking and can be shared out on a time-limited basis with the ability to choose what parts of your genome to provide. It also enables patients to securely sell their DNA to researchers.
Blockchain technology not only has the potential to upend the DNA testing market, estimated to be worth over $22 billion in five years, but also creates an imperative for healthcare systems to ensure electronic health records and other patient information are secure.
And some healthcare companies are already experimenting with the technology. Humana, Optum and others have formed an alliance to pilot the use of blockchain to manage provider directories, while healthcare start-ups are using the technology to reinvent how patient data is disseminated. Doc.ai, for example, enables patients to securely sell their medical data to researchers using blockchain and smart contracts.
The trend towards patients owning their genetic and medical data marks a major shift in technology and will also change the economic model of how patient data is sourced. While there’s a long history of paying test subjects, medical researchers paying patients directly for their genetic and medical data will transform the value of those records, turning them into a currency. Having genetic data and medical records hacked may not seem so terrible now, but when it leads to a loss of income for the end-consumer, healthcare doesn’t have long to adopt a more secure technology like blockchain.