Published: May 1, 2020 By

The team performs penetration testing on a gene sequencing machine at Colorado State University.
The team performs penetration testing on a gene sequencing machine at Colorado State University.

Students explore security risks around genetic data collection

Genetic data is some of the most valuable personal information we have. But protections and assurances around its collection and storage lag behind those built into consumer products, like Social Security numbers.

Shifting that dynamic to favor user security is a problem that students in the Technology, Cybersecurity and Policy Program are exploring as part of a graduate capstone project funded by GeneInfoSec. The goal is to research and document potential security vulnerabilities in this area, starting with the genetic sequencing machines used to collect and process this data through the interconnected ecosystem of labs and servers where it is stored and accessed.

Their work could eventually help protect those who have willingly shared their DNA to better understand their ancestry and those who need genetic testing to help with treatment of rare diseases or cancer.

“This project is a very good opportunity for us to apply the skills we have learned during the program and also contribute comprehensively,” master’s student Arya Thaker said. “This is absolutely the kind of work I—or any student pursuing cybersecurity—would love to do as a career.”

Thaker and his team visited sequencing centers all along the Front Range, including at Colorado State University, Anschutz Medical Campus and industry providers. At each stop, they conducted interviews and gathered data to understand existing security measures and problems that may not have been considered at all.

What they find will be collected into a comprehensive report—a sort of “state of the union” of interest to many parties working in this area.

The need for heightened security

Sharing of personal genetic information has become common. According to MIT Technology Review, consumers purchased the same number of at-home DNA tests in 2018 as in all previous years since 2012 combined.

If that trend continues, companies like 23andMe could house the genetic information of more than 100 million people within two years. That total doesn’t include those who shared data for medical reasons.

It also means there’s more incentive for bad actors to try to access the data. Genetic information can be used to identify personal traits like height and ethnicity or diseases you are predisposed to. It can even be used to simulate your face or voice.

Securing that information is vital, since it could be used to tailor a disease to attack only certain portions of the population or to find and hack into people’s bank accounts.

TCP students looking at those possibilities found that potential protections required consideration of health privacy standards in addition to traditional cybersecurity concerns, which start with hardware in each lab space.

From left, Ashish Yadav, Cory Cranford, Arya Thaker and Garrett Schumacher.
From left, Ashish Yadav, Cory Cranford, Arya Thaker and Garrett Schumacher.

‘Setting the tone’

Garrett Schumacher is a co-founder of GeneInfoSec and a staff member with TCP. He is co-advising students on the project and said that in the near future, you won’t be able to get medical treatment until you get your DNA tested. That means the pool of people potentially at risk will only increase over time.

“If you have a financial data breach, you can change numbers and accounts—you can react to that,” he said. “But your DNA? You can’t change that.”

The work has implications for industry, as well. Genetic data from those with rare diseases is valuable in a medical research setting and could be stolen by competitors. Concealing genetic information can also secure animal breeding programs and hide private knowledge about breeding stocks.

Schumacher said the project was a great example of the interdisciplinary work going on in the TCP Program.

“The findings these students come up with need to be understood by policymakers, IT specialists, electrical engineers and biologists, to name just a few interested parties,” he said. “The students understand that and are among the first working on this problem through that lens. We are really setting the tone for this work going forward.”