The software has since been patched, but the weakness could have left individuals’ genomic data vulnerable.
Researchers at a national laboratory discovered a weakness in a commonly used open source program for genomic analysis, according to a new report.
Sandia National Laboratories experts notified the developers of their discovery, and the vulnerability has been patched in the latest release of the software.
Experts told Inside Digital Health™ that genomics work can be beset by cybersecurity issues — and the burden to bolster safeguards is on healthcare systems.
“The process of using genomic information to customize treatment requires genome sequencing and comparison to a standardized human genome sequence,” said Ravi Iyer, Ph.D., of the University of Illinois at Urbana-Champaign. “This process often requires the data to sometimes travel over insecure channels, which presents problems from a security point of view. In order to fully embrace genomic medicine, we must ensure the security and privacy of all genomic data.”
Iyer and other Illinois researchers simulated the process of genomic mapping using a Sandia platform, looking for weaknesses. Both teams continue to test other industry software for lapses in security.
One program commonly used in personalized medicine is the Burrows-Wheeler Aligner, or BWA. The first step in using the tool is sequencing a patient’s entire genome, followed by comparing that sequence to the standardized human genome. The end goal is to guide the choice of the most suitable medical treatment.
When BWA pulled in standardized genomic data from various government servers, the data traveled across insecure channels, the investigators learned. This left open an opportunity for a cyberattack, in which a hacker could intercept the data. A number of possibilities open from there, including a nightmare scenario posited by the researchers: malware altering a patient’s data, resulting in incorrect prescription drugs.
When they discovered the problem, the team alerted the developers as well as public agencies such as the U.S. Computer Emergency Readiness Team in order to more widely disseminate information about the issue.
Iyer said that cybersecurity and privacy problems for genomic data in particular differ from concerns in the sphere of finance, the electrical grid, or infrastructure.
“In particular, genomic data are unchanged over an individual’s lifetime, meaning that, unlike the loss of personal financial data or passwords, loss of genomic data is unrecoverable,” he said. “The technologies that have made these advances in genomic medicine require high performance computing, large amounts of data storage and complex and complicated computational pipelines. The safety, security and privacy protections in these systems warrant vigilant and continuous monitoring and additional studies to determine best practices.”
Corey Hudson, Ph.D., a bioinformatics researcher at Sandia, recommended several “cyberhygiene” tips:
And unlike the electrical grid or infrastructure, where it is common practice to analyze open source software for vulnerabilities, genomics security has so far left that potential untapped.
“Our goal is to make systems safer for people who use them by helping to develop best practices,” Hudson said.
The report, titled “Taking local control of genomics machines through BWA,” was published in Genomic Cybersecurity.