Taking Measure

Just a Standard Blog

How Secure Is Your DNA?

Illustration shows a pattern of repeating DNA strands with a shadowy figure in a trenchcoat and hat lurking behind.
Credit: B. Hayes/NIST

A closer look at cybersecurity protections for genomic data

If you had asked me a few years ago about my opinion on the security of my personal information, my response would have centered around my Social Security number or my credit card information. Like many of my federal colleagues, I have been impacted by several major data breaches involving government and commercial databases. Needless to say, it was not a fun experience and caused my mind to wander with worry, which kept me up at night wondering: Will this breach hurt my credit rating now? How will this impact me later when I retire? I enrolled in the offered free credit monitoring tools and do my own credit checks, but I still do not completely have that warm fuzzy feeling of being protected. However, as bad as my experience has been with those breaches, I shudder to think of the concerns of people who have had their personal health information compromised!

Our society is increasingly generating and relying on personal data in many aspects of everyday life. A more recent category of data at risk is genomic data, an individual’s genetic information. Due to technical advances in genetic sequencing, what was once a multimillion-dollar, decade-long effort to sequence a human genome now takes less than a week to complete and is a thousand-dollar endeavor. This data is being used by researchers, corporations and, amazingly enough, everyday people, just living life.

I remember hearing my friend, who was adopted, share with me that she submitted her sample to a direct-to-consumer DNA testing provider to learn about her health information and family heritage. Sounds simple, right? Nope, not at all. Hearing my good friend talk about what she went through to find out what types of illnesses she may experience during her lifetime triggered me to think about a few things. My process to get this information involves a conversation with people I know and trust. Her process required her to have another data type in a database, vulnerable to an unknown number of breaches. Yet there are no monitoring tools that can minimize the feelings that still haunt me from my own breach experiences. 

Credit cards, Social Security numbers, health information, genomic information. Data put into the world of information storage is always at risk. It all needs to be protected … but I wondered if the same cybersecurity methods apply to each type of data.

Given my profession, I am fortunate to have an understanding of cybersecurity principles that many laypeople do not. Throughout my career in multiple federal government agencies, I have worked in information technology organizations and been able to be part of teams and task forces responsible for identifying cybersecurity risks and mitigating those issues. 

Currently, in my role as a principal investigator at the National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE), I am leading a project that is exploring two important questions: Is genomic data distinct from other data types? How should cybersecurity protection be tailored to genomic data?

In August 2021, at the request of Congress, the NCCoE embarked on an effort to answer these questions. We created an interdisciplinary team that included NIST employees, subject matter experts from MITRE and members from both the University of Alabama in Huntsville and the HudsonAlpha Institute for Biotechnology, also in Huntsville. This team is examining the question of what is unique about genomic data, discovering the most common and pressing cybersecurity concerns specific to this data, and identifying and providing guidance around security and privacy practices to help protect it.

As a first step, we hosted the NCCoE Virtual Workshop on the Cybersecurity of Genomic Data on Jan. 26, 2022, during which we heard from 18 subject matter experts from around the world who discussed the unique challenges of securing genomic data. The speakers represented the U.S. government, public and private universities, industry and professional organizations. Speakers covered their experiences from the time data is created on sequencers through to when it is stored, shared and analyzed. We also heard from privacy experts.

Here are a few things I heard that confirmed my earlier suspicions and thoughts.

  • Genomic data is indeed different from other types of data. Unlike my credit card, it can never be changed, and it can be used to disclose additional information about me like the diseases I have now or will likely have in the future.
  • Health advances, including targeted health treatments and earlier disease detections, which I want to benefit me and my family, rely on this genomic data research.
  • There are real risks with genomic data if it falls into the wrong hands, such as the ability to discriminate against me or my children, create biological weapons or thwart businesses that rely on genomic data.
  • Both cybersecurity and privacy are factors when discussing securing genomic data.
  • Challenges and vulnerabilities are not isolated to one aspect of genomic data handling. For example, once data is created using a genomic sequencer device, it is vulnerable and needs safeguards to ensure protection. 

I encourage you to look at the workshop materials posted on our website, find the topics that interest you, and then write to our project’s email address (genomic_cybersecurity_nccoe[at]nist[dot]gov) and let us know your thoughts on what you found and what you would like to hear more about.

We have a shared interest in providing the right cybersecurity for genomic data. Our future generations are counting on us to get this right! 

About the author

Ronald Pulivarti

Ronald Pulivarti is a senior cybersecurity engineer who leads an engineering team at the National Cybersecurity Center of Excellence (NCCoE), which is part of the National Institute of Standards and Technology (NIST). He and his team promote the acceleration of businesses’ adoption of standards-based, advanced cybersecurity technologies for the health-care sector. Ron has a strong technical background and cybersecurity experience in multiple high-value-asset applications. Prior to NIST, he worked within the Department of Health and Human Services and has served in many IT leadership roles for over 20 years.

Comments

The human genome is closely linked to fingerprints; surprisingly, among the millions of human beings on this planet, there are none who have the same fingerprint.

Another very informative article

I am highly concerned about a large amount of genetic data being collected, harvested, and shared all through the world, and the changes in privacy legislation to be able to use that genomic data forever. I help victims of abuse relocate and change their names. Abusers can locate them, especially those that are connected to crimes and skip tracers and government. In addition, once the DNA is collected under "implied consent" or someone just does not read consent, and the GDPR changes, then yes, injections can be created to kill a certain selection of the world population. People are being fooled that the collection of their DNA or genetic code to their postal code is a good thing. It is a dangerous plan. As you stated which is true: There are real risks with genomic data if it falls into the wrong hands, such as the ability to discriminate against me or my children, create biological weapons or thwart businesses that rely on genomic data.

It is a very interesting idea and solves a lot of problems in securing data, but if it is abused with better technology, someone will control your life.

I can imagine how many opportunities the legal industry is already banking on with all the legal fun they can have. I just want to track my DNA and its use and organizing with others under the same type of traits to manage securing it. I don’t see this ever happening after already attempting to get medical records with red tape by legal requirements. Only an authorized dealer or representative by law to administer and handle securing this information and its use for intellectual property rights to uphold... or some mumbo jumbo legal-lingo to retain the rights in all transactions for your protection.

Enjoying the blog!
