How Secure Is Your DNA?

A closer look at cybersecurity protections for genomic data

If you had asked me a few years ago about my opinion on the security of my personal information, my response would have centered around my Social Security number or my credit card information. Like many of my federal colleagues, I have been impacted by several major data breaches involving government and commercial databases. Needless to say, it was not a fun experience and caused my mind to wander with worry, which kept me up at night wondering: Will this breach hurt my credit rating now? How will this impact me later when I retire? I enrolled in the offered free credit monitoring tools and do my own credit checks, but I still do not completely have that warm fuzzy feeling of being protected. However, as bad as my experience has been with those breaches, I shudder to think of the concerns of people who have had their personal health information compromised!

Our society is increasingly generating and relying on personal data in many aspects of everyday life. A more recent category of data at risk is genomic data, an individual’s genetic information. Due to technical advances in genetic sequencing, what was once a multimillion-dollar, decade-long effort to sequence a human genome now takes less than a week to complete and is a thousand-dollar endeavor. This data is being used by researchers, corporations and, amazingly enough, everyday people, just living life.

I remember hearing my friend, who was adopted, share with me that she submitted her sample to a direct-to-consumer DNA testing provider to learn about her health information and family heritage. Sounds simple, right? Nope, not at all. Hearing my good friend talk about what she went through to find out what types of illnesses she may experience during her lifetime triggered me to think about a few things. My process to get this information involves a conversation with people I know and trust. Her process required her to have another data type in a database, vulnerable to an unknown number of breaches. Yet there are no monitoring tools that can minimize the feelings that still haunt me from my own breach experiences. 

Credit cards, Social Security numbers, health information, genomic information. Data put into the world of information storage is always at a risk. It all needs to be protected … but I wondered if the same cybersecurity methods apply to each type of data. 

Given my profession, I am fortunate to have an understanding of cybersecurity principles that many laypeople do not. Throughout my career in multiple federal government agencies, I have worked in information technology organizations and been able to be part of teams and task forces responsible for identifying cybersecurity risks and mitigating those issues. 

Currently, in my role as a principal investigator at the National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE), I am leading a project that is exploring an important question: Is genomic data distinct from other data types? How should cybersecurity protection be tailored to genomic data?

In August 2021, at the request of Congress, the NCCoE embarked on an effort to answer these questions. We created an interdisciplinary team that included NIST employees, subject matter experts from MITRE and members from both the University of Alabama in Huntsville and the HudsonAlpha Institute for Biotechnology, also in Huntsville. This team is examining the question of what is unique about genomic data, discovering the most common and pressing cybersecurity concerns specific to this data, and identifying and providing guidance around security and privacy practices to help protect it.

As a first step, we hosted the NCCoE Virtual Workshop on the Cybersecurity of Genomic Data on Jan. 26, 2022, during which we heard from 18 subject matter experts from around the world who discussed the unique challenges of securing genomic data. The speakers represented the U.S. government, public and private universities, industry and professional organizations. Speakers covered their experiences from the time data is created on sequencers through to when it is stored, shared and analyzed. We also heard from privacy experts.

Here are a few things I heard that confirmed my earlier suspicions and thoughts.

• Genomic data is indeed different from other types of data. Unlike my credit card, it can never be changed, and it can be used to disclose additional information about me like the diseases I have now or will likely have in the future.
• Health advances, including targeted health treatments and earlier disease detections, which I want to benefit me and my family, rely on this genomic data research.
• There are real risks with genomic data if it falls into the wrong hands, such as the ability to discriminate against me or my children, create biological weapons or thwart businesses that rely on genomic data.
• Both cybersecurity and privacy are factors when discussing securing genomic data.
• Challenges and vulnerabilities are not isolated to one aspect of genomic data handling. For example, once data is created using a genomic sequencer device, it is vulnerable and needs safeguards to ensure protection. 

I encourage you to look at the workshop materials posted on our website, find the topics that interest you, and then write to our project’s email address genomic_cybersecurity_nccoe [at] nist.gov (genomic_cybersecurity_nccoe[at]nist[dot]gov) and let us know your thoughts on what you found and what would you like to hear more about.

We have a shared interest in providing the right cybersecurity for genomic data. Our future generations are counting on us to get this right!