Privacy

A Traditional Take

Patient privacy and medical record confidentiality are not new ideas in the medical industry. In the US, laws like the Health Insurance Portability and Accountability Act (HIPAA) protect patient privacy. Furthermore, the World Health Organization (WHO) recommends:

  • Giving people the opportunity to see or hear all information about them that will be referred to other professionals

  • Not transmitting information via common phone, fax, email, or by postcard

  • Not storing information on computers with a common password

  • Only providing information to patients or relatives who have been granted access to the information

  • Allowing only individuals briefed in confidentiality to handle data

A Modern View

As genomic sequencing has become more affordable, both partial and full genomic sequencing have become more popular. Services like 23andMe.com have emerged that not only provide sequencing results but also provide genetic analysis and predictions, as well as a mechanism for genetic-based social interaction.

23andMe has removed the clinics that have traditionally served as middlemen between patients and results. These clinics serve both as mediators of results, ready to explain them and discuss their significance and associated risks, and as guardians of sensitive data, controlling its distribution. However, 23andMe makes sensitive genetic information and results available on the web, where they are protected only by a simple account name and password. The underlying nature of login-protected websites makes them susceptible to social engineering attacks and technical hacking, reducing the security of customers’ genetic data. The company’s privacy policy, while fairly robust, maintains that protecting personal information is a shared responsibility. This makes users, who may not understand the importance of security or their own responsibility, responsible for safeguarding passwords and secret questions, a traditionally shaky domain.

Furthermore, privacy in social networks has been notoriously liberal, and sites like Facebook.com are routinely under fire for privacy violations. Genetic data is inherently more sensitive than wall posts or photos, and 23andMe will undoubtedly receive attention and pressure as social features continue to ramp up. There are also unintended interactions and consequences with any social network, and 23andMe must be committed to user privacy over network virality.

Behind the Scenes

[Image credit: Alvaro Arteaga/alvarejo.com]

The costs of sequencing have decreased, but the amount of analysis performed on genomic information has rapidly increased with the amount of new data. To avoid rising costs, an increasing percentage of both processing and storage has been offloaded to distributed cloud services. The savings and gains are substantial (almost 6 times for data storage); for example, Penn State used cloud service providers to perform analysis on one tenth of the human genome at a cost of $10 in about an hour. This is approximately four times faster than performing the same analysis on site.

Storing genomic data in the cloud also has its advantages. Online storage means that public genome archives like GenBank need to be stored in only one centralized location, rather than replicated on private servers across the globe.

However, cloud services also have their drawbacks. Shared machines and virtual instances are inherently less secure than dedicated servers on isolated networks; hackers and security experts have already demonstrated these flaws. Furthermore, cloud providers tend to believe that it is the client’s responsibility to secure their data and programs; these providers do not consider security a top priority, favoring features, performance, and low cost. Sensitive genomic data stored at these shared data storage facilities are certainly less secure than data stored on isolated and/or strongly firewalled servers. These data storage facilities may not meet strict HIPAA standards for privacy, and they also leave data open to more individuals, including those unaware of the importance of confidentiality.

While there is a strong argument for moving computation and storage to the cloud, the technicians moving these instances need to be aware of the sensitivity of the data and the new risks associated with shared distributed systems. The provider’s commitment to privacy must be evaluated, and genome sequencing companies must be sure that cloud-based systems conform to privacy laws like HIPAA.