Bad Actors Getting Your Health Data Is the FBI’s Latest Worry
In February 2015, the health insurer Anthem revealed that criminal hackers had gained access to the company's servers, exposing the personal information of nearly 79 million patients. It's the largest known healthcare breach in history.
FBI agents worry that the vast amounts of healthcare data being generated for precision medicine efforts could leave the U.S. vulnerable to cyber and biological attacks.
That year, the data of millions more would be compromised in one cyberattack after another on American insurers and other healthcare organizations. In fact, for the past several years, the number of reported data breaches has increased each year, from 199 in 2010 to 344 in 2017, according to a September 2018 analysis in the Journal of the American Medical Association.
The FBI's Edward You sees this as a worrying trend. He says hackers aren't just interested in your social security or credit card number. They're increasingly interested in stealing your medical information. Hackers can currently use this information to make fake identities, file fraudulent insurance claims, and order and sell expensive drugs and medical equipment. But beyond that, a new kind of cybersecurity threat is around the corner.
Mr. You and others worry that the vast amounts of healthcare data being generated for precision medicine efforts could leave the U.S. vulnerable to cyber and biological attacks. In the wrong hands, this data could be used to exploit or extort an individual, discriminate against certain groups of people, make targeted bioweapons, or give another country an economic advantage.
Precision medicine, of course, is the idea that medical treatments can be tailored to individuals based on their genetics, environment, lifestyle or other traits. But to do that requires collecting and analyzing huge quantities of health data from diverse populations. One research effort, called All of Us, launched by the U.S. National Institutes of Health last year, aims to collect genomic and other healthcare data from one million participants with the goal of advancing personalized medical care.
Other initiatives are underway by academic institutions and healthcare organizations. Electronic medical records, genetic tests, wearable health trackers, mobile apps, and social media are all sources of valuable healthcare data that a bad actor could potentially use to learn more about an individual or group of people.
"When you aggregate all of that data together, that becomes a very powerful profile of who you are," Mr. You says.
A supervisory special agent in the biological countermeasures unit within the FBI's weapons of mass destruction directorate, it's Mr. You's job to imagine worst-case bioterror scenarios and figure out how to prevent and prepare for them.
That used to mean focusing on threats like anthrax, Ebola, and smallpox—pathogens that could be used to intentionally infect people—"basically the dangerous bugs," as he puts it. In recent years, advances in gene editing and synthetic biology have given rise to fears that rogue, or even well-intentioned, scientists could create a virulent virus that's intentionally, or unintentionally, released outside the lab.
"If a foreign source, especially a criminal one, has your biological information, then they might have some particular insights into what your future medical needs might be and exploit that."
While Mr. You is still tracking those threats, he's been traveling around the country talking to scientists, lawyers, software engineers, cyber security professionals, government officials and CEOs about new security threats—those posed by genetic and other biological data.
Emerging threats
Mr. You says one possible situation he can imagine is the potential for nefarious actors to use an individual's sensitive medical information to extort or blackmail that person.
"If a foreign source, especially a criminal one, has your biological information, then they might have some particular insights into what your future medical needs might be and exploit that," he says. For instance, "what happens if you have a singular medical condition and an outside entity says they have a treatment for your condition?" You could get talked into paying a huge sum of money for a treatment that ends up being bogus.
Or what if hackers got a hold of a politician or high-profile CEO's health records? Say that person had a disease-causing genetic mutation that could affect their ability to carry out their job in the future and hackers threatened to expose that information. These scenarios may seem far-fetched, but Mr. You thinks they're becoming increasingly plausible.
On a wider scale, Kavita Berger, a scientist at Gryphon Scientific, a Washington, D.C.-area life sciences consulting firm, worries that data from different populations could be used to discriminate against certain groups of people, like minorities and immigrants.
For instance, the advocacy group Human Rights Watch in 2017 flagged a concerning trend in China's Xinjiang territory, a region with a history of government repression. Police there had purchased 12 DNA sequencers and were collecting and cataloging DNA samples from people to build a national database.
"The concern is that this particular province has a huge population of the Muslim minority in China," Ms. Berger says. "Now they have a really huge database of genetic sequences. You have to ask, why does a police station need 12 next-generation sequencers?"
Also alarming is the potential that large amounts of data from different groups of people could lead to customized bioweapons if that data ends up in the wrong hands.
Eleonore Pauwels, a research fellow on emerging cybertechnologies at United Nations University's Centre for Policy Research, says new insights gained from genomic and other data will give scientists a better understanding of how diseases occur and why certain people are more susceptible to certain diseases.
"As you get more and more knowledge about the genomic picture and how the microbiome and the immune system of different populations function, you could get a much deeper understanding about how you could target different populations for treatment but also how you could eventually target them with different forms of bioagents," Ms. Pauwels says.
Economic competitiveness
Another reason hackers might want to gain access to large genomic and other healthcare datasets is to give their country a leg up economically. Many large cyber-attacks on U.S. healthcare organizations have been tied to Chinese hacking groups.
"This is a biological space race and we just haven't woken up to the fact that we're in this race."
"It's becoming clear that China is increasingly interested in getting access to massive data sets that come from different countries," Ms. Pauwels says.
A year after U.S. President Barack Obama conceived of the Precision Medicine Initiative in 2015—later renamed All of Us—China followed suit, announcing the launch of a 15-year, $9 billion precision health effort aimed at turning China into a global leader in genomics.
Chinese genomics companies, too, are expanding their reach outside of Asia. One company, WuXi NextCODE, which has offices in Shanghai, Reykjavik, and Cambridge, Massachusetts, has built an extensive library of genomes from the U.S., China and Iceland, and is now setting its sights on Ireland.
Another Chinese company, BGI, has partnered with Children's Hospital of Philadelphia and Sinai Health System in Toronto, and also formed a collaboration with the Smithsonian Institute to sequence all species on the planet. BGI has built its own advanced genomic sequencing machines to compete with U.S.-based Illumina.
Mr. You says having access to all this data could lead to major breakthroughs in healthcare, such as new blockbuster drugs. "Whoever has the largest, most diverse dataset is truly going to win the day and come up with something very profitable," he says.
Some direct-to-consumer genetic testing companies with offices in the U.S., like Dante Labs, also use BGI to process customers' DNA.
Experts worry that China could race ahead the U.S. in precision medicine because of Chinese laws governing data sharing. Currently, China prohibits the exportation of genetic data without explicit permission from the government. Mr. You says this creates an asymmetry in data sharing between the U.S. and China.
"This is a biological space race and we just haven't woken up to the fact that we're in this race," he said in January at an American Society for Microbiology conference in Washington, D.C. "We don't have access to their data. There is absolutely no reciprocity."
Protecting your data
While Mr. You has been stressing the importance of data security to anyone who will listen, the National Academies of Sciences, Engineering, and Medicine, which makes scientific and policy recommendations on issues of national importance, has commissioned a study on "safeguarding the bioeconomy."
In the meantime, Ms. Berger says organizations that deal with people's health data should assess their security risks and identify potential vulnerabilities in their systems.
As for what individuals can do to protect themselves, she urges people to think about the different ways they're sharing healthcare data—such as via mobile health apps and wearables.
"Ask yourself, what's the benefit of sharing this? What are the potential consequences of sharing this?" she says.
Mr. You also cautions people to think twice before taking consumer DNA tests. They may seem harmless, he says, but at the end of the day, most people don't know where their genetic information is going. "If your genetic sequence is taken, once it's gone, it's gone. There's nothing you can do about it."
Why you should (virtually) care
As the pandemic turns endemic, healthcare providers have been eagerly urging patients to return to their offices to enjoy the benefits of in-person care.
But wait.
The last two years have forced all sorts of organizations to be nimble, adaptable and creative in how they work, and this includes healthcare providers’ efforts to maintain continuity of care under the most challenging of conditions. So before we go back to “business as usual,” don’t we owe it to those providers and ourselves to admit that business as usual did not work for most of the people the industry exists to help? If we’re going to embrace yet another period of change – periods that don’t happen often in our complex industry – shouldn’t we first stop and ask ourselves what we’re trying to achieve?
Certainly, COVID has shown that telehealth can be an invaluable tool, particularly for patients in rural and underserved communities that lack access to specialty care. It’s also become clear that many – though not all – healthcare encounters can be effectively conducted from afar. That said, the telehealth tactics that filled the gap during the pandemic were largely stitched together substitutes for existing visit-based workflows: with offices closed, patients scheduled video visits for help managing the side effects of their blood pressure medications or to see their endocrinologist for a quarterly check-in. Anyone whose children slogged through the last year or two of remote learning can tell you that simply virtualizing existing processes doesn’t necessarily improve the experience or the outcomes!
But what if our approach to post-pandemic healthcare came from a patient-driven perspective? We have a fleeting opportunity to advance a care model centered on convenient and equitable access that first prioritizes good outcomes, then selects approaches to care – and locations – tailored to each patient. Using the example of education, imagine how effective it would be if each student, regardless of their school district and aptitude, received such individualized attention.
That’s the idea behind virtual-first care (V1C), a new care model centered on convenient, customized, high-quality care that integrates a full suite of services tailored directly to patients’ clinical needs and preferences. This package includes asynchronous communication such as texting; video and other live virtual modes; and in-person options.
V1C goes beyond what you might think of as standard “telehealth” by using evidence-based protocols and tools that include traditional and digital therapeutics and testing, personalized care plans, dynamic patient monitoring, and team-based approaches to care. This could include spit kits mailed for laboratory tests and complementing clinical care with health coaching. V1C also replaces some in-person exams with ongoing monitoring, using sensors for more ‘whole person’ care.
Amidst all this momentum, we have the opportunity to rethink the goals of healthcare innovation, but that means bringing together key stakeholders to demonstrate that sustainable V1C can redefine healthcare.
Established V1C healthcare providers such as Omada, Headspace, and Heartbeat Health, as well as emerging market entrants like Oshi, Visana, and Wellinks, work with a variety of patients who have complicated long-term conditions such as diabetes, heart failure, gastrointestinal illness, endometriosis, and COPD. V1C is comprehensive in ways that are lacking in digital health and its other predecessors: it has the potential to integrate multiple data streams, incorporate more frequent touches and check-ins over time, and manage a much wider range of chronic health conditions, improving lives and reducing disease burden now and in the future.
Recognizing the pandemic-driven interest in virtual care, significant energy and resources are already flowing fast toward V1C. Some of the world’s largest innovators jumped into V1C early on: Verily, Alphabet’s Life Sciences Company, launched Onduo in 2016 to disrupt the diabetes healthcare market, and is now well positioned to scale its solutions. Major insurers like Aetna and United now offer virtual-first plans to members, responding as organizations expand virtual options for employees. Amidst all this momentum, we have the opportunity to rethink the goals of healthcare innovation, but that means bringing together key stakeholders to demonstrate that sustainable V1C can redefine healthcare.
That was the immediate impetus for IMPACT, a consortium of V1C companies, investors, payers and patients founded last year to ensure access to high-quality, evidence-based V1C. Developed by our team at the Digital Medicine Society (DiMe) in collaboration with the American Telemedicine Association (ATA), IMPACT has begun to explore key issues that include giving patients more integrated experiences when accessing both virtual and brick-and-mortar care.
Digital Medicine Society
V1C is not, nor should it be, virtual-only care. In this new era of hybrid healthcare, success will be defined by how well providers help patients navigate the transitions. How do we smoothly hand a patient off from an onsite primary care physician to, say, a virtual cardiologist? How do we get information from a brick-and-mortar to a digital portal? How do you manage dataflow while still staying HIPAA compliant? There are many complex regulatory implications for these new models, as well as an evolving landscape in terms of privacy, security and interoperability. It will be no small task for groups like IMPACT to determine the best path forward.
None of these factors matter unless the industry can recruit and retain clinicians. Our field is facing an unprecedented workforce crisis. Traditional healthcare is making clinicians miserable, and COVID has only accelerated the trend of overworked, disenchanted healthcare workers leaving in droves. Clinicians want more interactions with patients, and fewer with computer screens – call it “More face time, less FaceTime.” No new model will succeed unless the industry can more efficiently deploy its talent – arguably its most scarce and precious resource. V1C can help with alleviating the increasing burden and frustration borne by individual physicians in today’s status quo.
In healthcare, new technological approaches inevitably provoke no shortage of skepticism. Past lessons from Silicon Valley-driven fixes have led to understandable cynicism. But V1C is a different breed of animal. By building healthcare around the patient, not the clinic, V1C can make healthcare work better for patients, payers and providers. We’re at a fork in the road: we can revert back to a broken sick-care system, or dig in and do the hard work of figuring out how this future-forward healthcare system gets financed, organized and executed. As a field, we must find the courage and summon the energy to embrace this moment, and make it a moment of change.
Podcast: The future of brain health with Percy Griffin
Today's guest is Percy Griffin, director of scientific engagement for the Alzheimer’s Association, a nonprofit that’s focused on speeding up research, finding better ways to detect Alzheimer’s earlier and other approaches for reducing risk. Percy has a doctorate in molecular cell biology from Washington University, he’s led important research on Alzheimer’s, and you can find the link to his full bio in the show notes, below.
Our topic for this conversation is the present and future of the fight against dementia. Billions of dollars have been spent by the National Institutes of Health and biotechs to research new treatments for Alzheimer's and other forms of dementia, but so far there's been little to show for it. Last year, Aduhelm became the first drug to be approved by the FDA for Alzheimer’s in 20 years, but it's received a raft of bad publicity, with red flags about its effectiveness, side effects and cost.
Meanwhile, 6.5 million Americans have Alzheimer's, and this number could increase to 13 million in 2050. Listen to this conversation if you’re concerned about your own brain health, that of family members getting older, or if you’re just concerned about the future of this country with experts predicting the number people over 65 will increase dramatically in the very near future.
Listen to the Episode
Listen on Apple | Listen on Spotify | Listen on Stitcher | Listen on Amazon | Listen on Google
4:40 - We talk about the parts of Percy’s life that led to him to concentrate on working in this important area.
6:20 - He defines Alzheimer's and dementia, and discusses the key elements of communicating science.
10:20 - Percy explains why the Alzheimer’s Association has been supportive of Aduhelm, even as others have been critical.
17:58 - We talk about therapeutics under development, which ones to be excited about, and how they could be tailored to a person's own biology.
24:25 - Percy discusses funding and tradeoffs between investing more money into Alzheimer’s research compared to other intractable diseases like cancer, and new opportunities to accelerate progress, such as ARPA-H, President Biden’s proposed agency to speed up health breakthroughs.
27:24 - We talk about the social determinants of brain health. What are the pros/cons of continuing to spend massive sums of money to develop new drugs like Aduhelm versus refocusing on expanding policies to address social determinants - like better education, nutritious food and safe drinking water - that have enabled some groups more than others to enjoy improved cognition late in life.
34:18 - Percy describes his top lifestyle recommendations for protecting your mind.
37:33 - Is napping bad for the brain?
39:39 - Circadian rhythm and Alzheimer's.
42:34 - What tests can people take to check their brain health today, and which biomarkers are we making progress on?
47:25 - Percy highlights important programs run by the Alzheimer’s Association to support advances.
Show links:
** After this episode was recorded, the Centers for Medicare and Medicaid Services affirmed its decision from last June to limit coverage of Aduhelm. More here.
- Percy Griffin's bio: https://www.alz.org/manh/events/alztalks/upcoming-...
- The Alzheimer's Association's Part the Cloud program: https://alz.org/partthecloud/about-us.asp
- The paradox of dementia rates decreasing: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7455342/
- The argument for focusing more resources on improving institutions and social processes for brain health: https://www.statnews.com/2021/09/23/the-brain-heal...
- Recent research on napping: https://www.ocregister.com/2022/03/25/alzheimers-s...
- The Alzheimer's Association helpline: https://www.alz.org/help-support/resources/helpline
- ALZConnected, a free online community for people affected by dementia https://www.alzconnected.org/
- TrialMatch for people with dementia and healthy volunteers to find clinical trials for Alzheimer's and other dementia: https://www.alz.org/alzheimers-dementia/research_p...