Bad Actors Getting Your Health Data Is the FBI’s Latest Worry
A hacker activating a 3D rendering of DNA data.
In February 2015, the health insurer Anthem revealed that criminal hackers had gained access to the company's servers, exposing the personal information of nearly 79 million patients. It's the largest known healthcare breach in history.
FBI agents worry that the vast amounts of healthcare data being generated for precision medicine efforts could leave the U.S. vulnerable to cyber and biological attacks.
That year, the data of millions more would be compromised in one cyberattack after another on American insurers and other healthcare organizations. In fact, for the past several years, the number of reported data breaches has increased each year, from 199 in 2010 to 344 in 2017, according to a September 2018 analysis in the Journal of the American Medical Association.
The FBI's Edward You sees this as a worrying trend. He says hackers aren't just interested in your social security or credit card number. They're increasingly interested in stealing your medical information. Hackers can currently use this information to make fake identities, file fraudulent insurance claims, and order and sell expensive drugs and medical equipment. But beyond that, a new kind of cybersecurity threat is around the corner.
Mr. You and others worry that the vast amounts of healthcare data being generated for precision medicine efforts could leave the U.S. vulnerable to cyber and biological attacks. In the wrong hands, this data could be used to exploit or extort an individual, discriminate against certain groups of people, make targeted bioweapons, or give another country an economic advantage.
Precision medicine, of course, is the idea that medical treatments can be tailored to individuals based on their genetics, environment, lifestyle or other traits. But to do that requires collecting and analyzing huge quantities of health data from diverse populations. One research effort, called All of Us, launched by the U.S. National Institutes of Health last year, aims to collect genomic and other healthcare data from one million participants with the goal of advancing personalized medical care.
Other initiatives are underway by academic institutions and healthcare organizations. Electronic medical records, genetic tests, wearable health trackers, mobile apps, and social media are all sources of valuable healthcare data that a bad actor could potentially use to learn more about an individual or group of people.
"When you aggregate all of that data together, that becomes a very powerful profile of who you are," Mr. You says.
A supervisory special agent in the biological countermeasures unit within the FBI's weapons of mass destruction directorate, it's Mr. You's job to imagine worst-case bioterror scenarios and figure out how to prevent and prepare for them.
That used to mean focusing on threats like anthrax, Ebola, and smallpox—pathogens that could be used to intentionally infect people—"basically the dangerous bugs," as he puts it. In recent years, advances in gene editing and synthetic biology have given rise to fears that rogue, or even well-intentioned, scientists could create a virulent virus that's intentionally, or unintentionally, released outside the lab.
"If a foreign source, especially a criminal one, has your biological information, then they might have some particular insights into what your future medical needs might be and exploit that."
While Mr. You is still tracking those threats, he's been traveling around the country talking to scientists, lawyers, software engineers, cyber security professionals, government officials and CEOs about new security threats—those posed by genetic and other biological data.
Emerging threats
Mr. You says one possible situation he can imagine is the potential for nefarious actors to use an individual's sensitive medical information to extort or blackmail that person.
"If a foreign source, especially a criminal one, has your biological information, then they might have some particular insights into what your future medical needs might be and exploit that," he says. For instance, "what happens if you have a singular medical condition and an outside entity says they have a treatment for your condition?" You could get talked into paying a huge sum of money for a treatment that ends up being bogus.
Or what if hackers got a hold of a politician or high-profile CEO's health records? Say that person had a disease-causing genetic mutation that could affect their ability to carry out their job in the future and hackers threatened to expose that information. These scenarios may seem far-fetched, but Mr. You thinks they're becoming increasingly plausible.
On a wider scale, Kavita Berger, a scientist at Gryphon Scientific, a Washington, D.C.-area life sciences consulting firm, worries that data from different populations could be used to discriminate against certain groups of people, like minorities and immigrants.
For instance, the advocacy group Human Rights Watch in 2017 flagged a concerning trend in China's Xinjiang territory, a region with a history of government repression. Police there had purchased 12 DNA sequencers and were collecting and cataloging DNA samples from people to build a national database.
"The concern is that this particular province has a huge population of the Muslim minority in China," Ms. Berger says. "Now they have a really huge database of genetic sequences. You have to ask, why does a police station need 12 next-generation sequencers?"
Also alarming is the potential that large amounts of data from different groups of people could lead to customized bioweapons if that data ends up in the wrong hands.
Eleonore Pauwels, a research fellow on emerging cybertechnologies at United Nations University's Centre for Policy Research, says new insights gained from genomic and other data will give scientists a better understanding of how diseases occur and why certain people are more susceptible to certain diseases.
"As you get more and more knowledge about the genomic picture and how the microbiome and the immune system of different populations function, you could get a much deeper understanding about how you could target different populations for treatment but also how you could eventually target them with different forms of bioagents," Ms. Pauwels says.
Economic competitiveness
Another reason hackers might want to gain access to large genomic and other healthcare datasets is to give their country a leg up economically. Many large cyber-attacks on U.S. healthcare organizations have been tied to Chinese hacking groups.
"This is a biological space race and we just haven't woken up to the fact that we're in this race."
"It's becoming clear that China is increasingly interested in getting access to massive data sets that come from different countries," Ms. Pauwels says.
A year after U.S. President Barack Obama conceived of the Precision Medicine Initiative in 2015—later renamed All of Us—China followed suit, announcing the launch of a 15-year, $9 billion precision health effort aimed at turning China into a global leader in genomics.
Chinese genomics companies, too, are expanding their reach outside of Asia. One company, WuXi NextCODE, which has offices in Shanghai, Reykjavik, and Cambridge, Massachusetts, has built an extensive library of genomes from the U.S., China and Iceland, and is now setting its sights on Ireland.
Another Chinese company, BGI, has partnered with Children's Hospital of Philadelphia and Sinai Health System in Toronto, and also formed a collaboration with the Smithsonian Institute to sequence all species on the planet. BGI has built its own advanced genomic sequencing machines to compete with U.S.-based Illumina.
Mr. You says having access to all this data could lead to major breakthroughs in healthcare, such as new blockbuster drugs. "Whoever has the largest, most diverse dataset is truly going to win the day and come up with something very profitable," he says.
Some direct-to-consumer genetic testing companies with offices in the U.S., like Dante Labs, also use BGI to process customers' DNA.
Experts worry that China could race ahead the U.S. in precision medicine because of Chinese laws governing data sharing. Currently, China prohibits the exportation of genetic data without explicit permission from the government. Mr. You says this creates an asymmetry in data sharing between the U.S. and China.
"This is a biological space race and we just haven't woken up to the fact that we're in this race," he said in January at an American Society for Microbiology conference in Washington, D.C. "We don't have access to their data. There is absolutely no reciprocity."
Protecting your data
While Mr. You has been stressing the importance of data security to anyone who will listen, the National Academies of Sciences, Engineering, and Medicine, which makes scientific and policy recommendations on issues of national importance, has commissioned a study on "safeguarding the bioeconomy."
In the meantime, Ms. Berger says organizations that deal with people's health data should assess their security risks and identify potential vulnerabilities in their systems.
As for what individuals can do to protect themselves, she urges people to think about the different ways they're sharing healthcare data—such as via mobile health apps and wearables.
"Ask yourself, what's the benefit of sharing this? What are the potential consequences of sharing this?" she says.
Mr. You also cautions people to think twice before taking consumer DNA tests. They may seem harmless, he says, but at the end of the day, most people don't know where their genetic information is going. "If your genetic sequence is taken, once it's gone, it's gone. There's nothing you can do about it."
Vaccine passports, if required by businesses and universities, may give people a false sense of security, one expert cautions.
Vaccines are one of the greatest public health accomplishments of all time. For centuries, public health has relied on vaccinations to prevent and control disease outbreaks for a plethora of infectious scourges, with our crowning achievement being the successful eradication of smallpox.
The purpose of vaccine documentation is to provide proof of an individual's protection from either becoming infected or transmitting a vaccine-preventable disease. Vouching for these protections requires a firm knowledge about the epidemiology of the disease, as well as scientific knowledge concerning the efficacy of the vaccine. The vaccines we currently require be documented have met these tests; the vaccine for COVID-19 has not yet been proven to do so.
Let's acknowledge that the term "vaccine passport" is a poor choice of words. Passports are a legal travel document created by nations and governed by law for identification of the bearer to control entry and exit from nation states. They often serve as legal forms of identification and as a record of international travel. They are generally very sophisticated documents that have been created in a secure manner and may include a range of electronic and, in some cases, biometric measures such as fingerprints to ensure the holder is indeed who they say they are. Vaccine passports are medical documents used to document the vaccination status of an individual. They do not undergo the same level of administrative scrutiny and cannot be used to verify that the presenter is indeed the vaccinated individual. Some companies do have electronic methods to address concerns about verification; however, most people currently have paper records that can be easily falsified.
"Vaccine passports" as currently proposed risk giving people a false sense of security.
Successful disease control from vaccination programs relies on the ability to vaccinate at a level that prevents large-scale disease spread and the ability to rapidly identify the presence of disease outbreaks. It requires reliable, safe, and effective vaccines that are easily delivered in clinical and nonclinical settings. Keeping vaccination information as a part of the medical record, and even having a separate specialized vaccine record for personal use, is a time-honored tradition.
Keeping a vaccination record provides a method to keep track of the many shots one receives and serves as a visual reminder to help ensure the appropriate vaccine shot schedule is maintained for vaccines requiring multiple doses. The vaccine record, when combined with vaccine safety monitoring systems, serves as a mechanism to track adverse events to monitor and ensure the safety of vaccines as a consumer product. The record also serves as the official record of vaccination when required for administrative or legally prescribed purposes.
"Vaccine passports" as currently proposed risk giving people a false sense of security. In the case of the COVID-19 vaccines currently approved for use, many of the essential questions remain unanswered. While we do know the current three vaccines are highly protective against severe disease and death, and there is some evidence that these vaccinations do reduce infections and virus transmission of SARS-CoV-2, we do not yet know the full degree to which this occurs.
For example, we know there have been some cases of people that have been infected in close proximity to getting their full vaccination and rare cases of breakthrough reinfections. A breakthrough infection in a restaurant is a challenge for contact tracing, but an outbreak from a movie theater exposure or a baseball game could spark a major outbreak at our current level of vaccination. Current CDC guidance recommends continued mask wearing in order to address these concerns.
We also do not yet know how long the protections will last and if or when a booster or revaccination is required. In effect, it is too soon to know. Should an annual booster shot be required, then a vaccine passport would require annual updating, a process more frequent than renewal of a driver's license.
We also know that the current SARS-CoV-2 virus is mutating briskly. While the current approved vaccines have remained effective overall, there is evidence of some degree of degradation in vaccine effectiveness against some of the circulating strains. We also have sparse data on many of the other emerging strains of concern because we have not had the surveillance capacity in the U.S. to gain an adequate sense of how the virus is changing to fully align vaccine effectiveness with viral capabilities.
The risk of people misusing these "passports" is troubling. The potential for using these documents for hiring, firing or job limitation is a serious concern. Unvaccinated workers are at risk of this form of discrimination even from well-meaning employers or supervisors. Health insurers are prohibited by the Affordable Care Act from discriminating based on preexisting conditions, but they could probably charge a higher premium for unvaccinated individuals. There also is a risk of stigmatizing individuals who are not vaccinated or have left their vaccine documentation at home. Another concern: the opportunity to discriminate based on race, gender, sexual orientation, or religion, using one's vaccination status as an excuse.
These "passports" are being discussed as a "ticket verification" for entry to many activities, including dining at restaurants, flying domestically and/or internationally, going to movie theaters and sporting events, etc. These are all activities we already are doing at reduced levels and for which wearing a mask, hand hygiene and physical distancing are effective disease control practices. COVID-19 vaccines are indeed the measure that will make the ability to totally reopen our society complete, but we are not there yet. Documentation of one's COVID-19 vaccine status may be useful in selected situations in the future. That remains to be seen.
Finally, inadequate vaccine supply and disparities in vaccine delivery have created enormous challenges in providing equal access to vaccination. Also, the amount of misinformation, disinformation, and lingering vaccine hesitancy continue to limit the speed at which we will reach the level of vaccination of the population that would make this documentation meaningful. The requirement for "vaccine passports" is already alienating people who are opposed to vaccinations for a variety of reasons, paradoxically risking reduced vaccine uptake. This politicization of the vaccination effort is of concern. There are indeed people who, due to medical contraindications or legal exemptions, will not be vaccinated, and we do not yet have a national framework on how to address this.
Vaccine passports are not the solution for reopening our society — a robust vaccination program is. The requirement to document one's vaccination status for COVID-19 may one day have its place. For now, it is an idea whose time has not yet come.
Editor's Note: This op/ed is part of a "Big Question" series on the ethics of vaccine passports. Read the flip side argument here.
A digital health passport required by businesses and universities could help us get back to normal more quickly, one expert argues.
"Vaccine passports" are a system that requires proof of a COVID-19 vaccination as a condition of engaging in activities that pose a risk of transmitted SARS-CoV-2. Digital Health Passes (DHPs) are typically a smartphone application with a code that verifies whether someone has been vaccinated.
Vaccine passports could very much be in our future. Many businesses are implementing or planning to require proof of vaccination as a condition of returning to the workplace. Colleges and universities have announced vaccine requirements for students, staff, and faculty. It may not be long before the private sector requires a vaccination card or image to attend an entertainment or sporting event, to travel, or even to dine or shop indoors, at least in some venues.
But it's unlikely the federal government or the states will launch DHPs, at least not in the near-term. President Biden announced the White House has no intention of requiring proof of vaccination. While no state has mandated DHPs, New York is piloting its Excelsior Pass on a voluntary basis, partnering with IBM. Other nations are not so hesitant. Israel's "Green Pass" has gotten the nation back to normal in record time. And various countries and regions are planning DHPs, including the European Union and the United Kingdom. Foreign airlines are likely to require proof of vaccination as a condition of flying internationally.
DHPs could emerge as a way to get us back to normal more quickly, but are they ethical? Let's start with the law. The US Equal Opportunity Commission (EEOC) has specifically said that employers have the legal right to require proof of vaccination as a condition of returning to work. Colleges and universities already require several vaccines for students living in dorms. Hospitals and nursing homes often mandate influenza vaccinations. And, of course, all states require childhood vaccinations for school attendance. Vaccine passports are lawful but are they ethical? The short answer is "yes" but only if we ensure no one is left behind.
Vaccine passports "don't force anyone to be vaccinated against his or her will. They simply say to individuals that if you choose not to be vaccinated, you can't work or recreate in public spaces that risk transmission of the virus."
Why are vaccine passports ethical? Vaccines are a miracle of modern science, but they have become a political symbol, and a significant part of the population doesn't want to get a jab. The rare cases of blood clots associated with the Johnson & Johnson and AstraZeneca vaccines have only created more distrust.
Most opposition to vaccine passports hinges on the claim that they infringe personal autonomy and liberty. But this argument misses the point. Of course, every competent adult has the right to make decisions that affect his or her own health and safety. But no one has a right to infringe on the rights of others, such as by exposing them to a potentially serious or deadly infectious disease. An individual can't claim the right to attend a crowded event mask-less and unvaccinated. This was once accepted across the political spectrum. Conservative economists called it an "externality," that is a person has no right to harm others. The U.S. has lost the tradition of the common good. We have become so focused on our own individual rights that we forget about our ethical obligations to our neighbors and to our community.
In fact, DHPs actually don't force anyone to be vaccinated against his or her will. They simply say to individuals that if you choose not to be vaccinated, you can't work or recreate in public spaces that risk transmission of the virus.
DHPs also don't infringe on privacy. Again, everyone has the choice whether to show proof of vaccination. It isn't required. Moreover, DHPs may actually protect privacy because all they do is show whether or not you have been vaccinated. They don't disclose any other personal medical information. All of us actually have already had to show proof of vaccination as a condition of going to school. Thus, DHPs are well established in the United States.
But there is one ethical argument against DHPs that I find to be powerful, and that is equity. If we require proof of vaccination while doses are scarce, we will give the already privileged even more privilege. And that would be unconscionable. Thus, DHPs should not be implemented until everyone who wants a vaccine is able to get a vaccine. Equity isn't a side issue. It needs to be front and center.
As of today, all adults in the U.S. are eligible to get vaccinated, and President Biden has pledged that by the end of May there will be enough doses to vaccinate the entire U.S. population. It is a realistic promise. Once vaccines become plentiful, everyone should get their shot. All Food and Drug Administration authorized vaccines are highly safe and effective, even the Johnson & Johnson vaccine that the FDA has just put on pause.
Businesses have an economic incentive to require proof of vaccination. Very few of us would feel comfortable returning to our jobs, shops, theaters, or restaurants unless we feel safe. Businesses understand the duty to create safer places for work, recreation, and commerce.
One question has dominated national conversation since the pandemic began. "When will we get back to normal?" There is a deep human yearning to hug family and friends, see our work colleagues, recreate, and be entertained. One day we will have defeated this wily virus and get back to normal. But vaccine passports can help us get back to the things we love faster and more safely. As long as we don't leave anyone behind, using this miracle of modern science to make our lives better is both lawful and ethical.
Editor's Note: This op/ed is part of a "Big Question" series on the ethics of vaccine passports. Read the flip-side argument here.