NIST report identifies major privacy vulnerabilities in handling of genomic data

A new report from the National Institute of Standards and Technology (NIST) on the cybersecurity of genomic data finds significant privacy vulnerabilities in the way the data is generated, stored and shared.

The paper argues that a NIST privacy framework focused on the sensitive and unique nature of genomic data should be established to help organizations that aggregate data identify regulatory gaps in privacy protection and help create more secure systems.

NIST found significant flaws in the system for generating genomic data, including weaknesses in the secure sharing of data; Inadequate monitoring; Addressing vulnerabilities; Lack of guidance for organizations handling sensitive genomic data; Lack of guidance on national security and privacy threats to data collection, retention, and aggregation Supervision.

The report authors recommend using a federated type of encryption to solve the problem, arguing that this could virtually eliminate the risk of loss of confidentiality or integrity of genomic data shared between organizations and address limitations.

Such a system would aggregate encrypted data across multiple datasets and prevent the raw data from being compromised by ensuring that even authorized users can only obtain results without access to the plain text raw data.

The authors acknowledge that current technology cannot fully support the kind of systems currently used in oncology and precision medicine research, but recommend that the U.S. government launch a demonstration project to gauge whether the technology can be used more broadly.

The paper was published after a hack of genetic testing company 23andMe in October affected 6.9 million people, including more than 1 million Ashkenazi Jewish users. According to reports, hackers charge customers as little as $1 per genetic map.

A major difficulty in addressing privacy threats embedded in genomic data systems stems from the need to share it across the broad research community. However, the report says the consequences of breaches are severe.

The report states that cyberattacks aimed at stealing genomic data may be carried out through threats of financial gain, discrimination based on disease risk, and by revealing hidden ancestry or phenotypes, including health, emotional stability, mental abilities, appearance, and physical abilities. ) and cause loss of privacy and harm individuals.

At the same time, the report said, the sharing of genomic data is critical to the U.S. research community, government and private industry as they seek to develop drugs and overall maintain the U.S.’s biotech competitive advantage.

The scale of genomic data sharing needed to support research is enormous, the report said, noting that in 2021, the NIH received nearly 40,000 data access requests for access to its 3 million genotype microarray datasets and more than 500,000 Whole genome sequence.

The report states that leaks of genomic data threaten not only individuals, but their entire families.