DNA: Goldmine for Hackers?
The team performs penetration testing on a gene sequencing machine at Colorado State University.
Students explore security risks around genetic data collection
Genetic data is some of the most valuable personal information we have. But protections and assurances around its collection and storage lag behind those built into consumer products, like Social Security numbers.
Shifting that dynamic to favor user security is a problem that students in the Technology, Cybersecurity and Policy Program are exploring as part of a graduate capstone project funded by GeneInfoSec. The goal is to research and document potential security vulnerabilities in this area, starting with the genetic sequencing machines used to collect and process this data through the interconnected ecosystem of labs and servers where it is stored and accessed.
Their work could eventually help protect those who have willingly shared their DNA to better understand their ancestry and those who need genetic testing to help with treatment of rare diseases or cancer.
“This project is a very good opportunity for us to apply the skills we have learned during the program and also contribute comprehensively,” master’s student Arya Thaker said. “This is absolutely the kind of work I—or any student pursuing cybersecurity—would love to do as a career.”
Thaker and his team visited sequencing centers all along the Front Range, including at Colorado State University, CU Anschutz Medical Campus and industry providers. At each stop, they conducted interviews and gathered data to understand existing security measures and problems that may not have been considered at all.
What they find will be collected into a comprehensive report—a sort of “state of the union” of interest to many parties working in this area.
The need for heightened security
Sharing of personal genetic information has become common. According to MIT Technology Review, consumers purchased the same number of at-home DNA tests in 2018 as in all previous years since 2012 combined.
If that trend continues, companies like 23andMe could house the genetic information of more than 100 million people within two years. That total doesn’t include those who shared data for medical reasons.
It also means there’s more incentive for bad actors to try to access the data. Genetic information can be used to identify personal traits like height and ethnicity or diseases you are predisposed to. It can even be used to simulate your face or voice.
Securing that information is vital, since it could be used to tailor a disease to attack only certain portions of the population or to find and hack into people’s bank accounts.
TCP students looking at those possibilities found that potential protections required consideration of health privacy standards in addition to traditional cybersecurity concerns, which start with hardware in each lab space.
From left, Ashish Yadav, Cory Cranford, Arya Thaker and Garrett Schumacher.
‘Setting the tone’
Garrett Schumacher is a co-founder of GeneInfoSec and a staff member with TCP. He is co-advising students on the project and said that in the near future, you won’t be able to get medical treatment until you get your DNA tested. That means the pool of people potentially at risk will only increase over time.
“If you have a financial data breach, you can change numbers and accounts—you can react to that,” he said. “But your DNA? You can’t change that.”
The work has implications for industry, as well. Genetic data from those with rare diseases is valuable in a medical research setting and could be stolen by competitors. Concealing genetic information can also secure animal breeding programs and hide private knowledge about breeding stocks.
Schumacher said the project was a great example of the interdisciplinary work going on in the TCP Program.
“The findings these students come up with need to be understood by policymakers, IT specialists, electrical engineers and biologists, to name just a few interested parties,” he said. “The students understand that and are among the first working on this problem through that lens. We are really setting the tone for this work going forward.”