Bad Actors Getting Your Health Data Is the FBI’s Latest Worry
A hacker activating a 3D rendering of DNA data.
In February 2015, the health insurer Anthem revealed that criminal hackers had gained access to the company's servers, exposing the personal information of nearly 79 million patients. It's the largest known healthcare breach in history.
FBI agents worry that the vast amounts of healthcare data being generated for precision medicine efforts could leave the U.S. vulnerable to cyber and biological attacks.
That year, the data of millions more would be compromised in one cyberattack after another on American insurers and other healthcare organizations. In fact, for the past several years, the number of reported data breaches has increased each year, from 199 in 2010 to 344 in 2017, according to a September 2018 analysis in the Journal of the American Medical Association.
The FBI's Edward You sees this as a worrying trend. He says hackers aren't just interested in your social security or credit card number. They're increasingly interested in stealing your medical information. Hackers can currently use this information to make fake identities, file fraudulent insurance claims, and order and sell expensive drugs and medical equipment. But beyond that, a new kind of cybersecurity threat is around the corner.
Mr. You and others worry that the vast amounts of healthcare data being generated for precision medicine efforts could leave the U.S. vulnerable to cyber and biological attacks. In the wrong hands, this data could be used to exploit or extort an individual, discriminate against certain groups of people, make targeted bioweapons, or give another country an economic advantage.
Precision medicine, of course, is the idea that medical treatments can be tailored to individuals based on their genetics, environment, lifestyle or other traits. But to do that requires collecting and analyzing huge quantities of health data from diverse populations. One research effort, called All of Us, launched by the U.S. National Institutes of Health last year, aims to collect genomic and other healthcare data from one million participants with the goal of advancing personalized medical care.
Other initiatives are underway by academic institutions and healthcare organizations. Electronic medical records, genetic tests, wearable health trackers, mobile apps, and social media are all sources of valuable healthcare data that a bad actor could potentially use to learn more about an individual or group of people.
"When you aggregate all of that data together, that becomes a very powerful profile of who you are," Mr. You says.
A supervisory special agent in the biological countermeasures unit within the FBI's weapons of mass destruction directorate, it's Mr. You's job to imagine worst-case bioterror scenarios and figure out how to prevent and prepare for them.
That used to mean focusing on threats like anthrax, Ebola, and smallpox—pathogens that could be used to intentionally infect people—"basically the dangerous bugs," as he puts it. In recent years, advances in gene editing and synthetic biology have given rise to fears that rogue, or even well-intentioned, scientists could create a virulent virus that's intentionally, or unintentionally, released outside the lab.
"If a foreign source, especially a criminal one, has your biological information, then they might have some particular insights into what your future medical needs might be and exploit that."
While Mr. You is still tracking those threats, he's been traveling around the country talking to scientists, lawyers, software engineers, cyber security professionals, government officials and CEOs about new security threats—those posed by genetic and other biological data.
Emerging threats
Mr. You says one possible situation he can imagine is the potential for nefarious actors to use an individual's sensitive medical information to extort or blackmail that person.
"If a foreign source, especially a criminal one, has your biological information, then they might have some particular insights into what your future medical needs might be and exploit that," he says. For instance, "what happens if you have a singular medical condition and an outside entity says they have a treatment for your condition?" You could get talked into paying a huge sum of money for a treatment that ends up being bogus.
Or what if hackers got a hold of a politician or high-profile CEO's health records? Say that person had a disease-causing genetic mutation that could affect their ability to carry out their job in the future and hackers threatened to expose that information. These scenarios may seem far-fetched, but Mr. You thinks they're becoming increasingly plausible.
On a wider scale, Kavita Berger, a scientist at Gryphon Scientific, a Washington, D.C.-area life sciences consulting firm, worries that data from different populations could be used to discriminate against certain groups of people, like minorities and immigrants.
For instance, the advocacy group Human Rights Watch in 2017 flagged a concerning trend in China's Xinjiang territory, a region with a history of government repression. Police there had purchased 12 DNA sequencers and were collecting and cataloging DNA samples from people to build a national database.
"The concern is that this particular province has a huge population of the Muslim minority in China," Ms. Berger says. "Now they have a really huge database of genetic sequences. You have to ask, why does a police station need 12 next-generation sequencers?"
Also alarming is the potential that large amounts of data from different groups of people could lead to customized bioweapons if that data ends up in the wrong hands.
Eleonore Pauwels, a research fellow on emerging cybertechnologies at United Nations University's Centre for Policy Research, says new insights gained from genomic and other data will give scientists a better understanding of how diseases occur and why certain people are more susceptible to certain diseases.
"As you get more and more knowledge about the genomic picture and how the microbiome and the immune system of different populations function, you could get a much deeper understanding about how you could target different populations for treatment but also how you could eventually target them with different forms of bioagents," Ms. Pauwels says.
Economic competitiveness
Another reason hackers might want to gain access to large genomic and other healthcare datasets is to give their country a leg up economically. Many large cyber-attacks on U.S. healthcare organizations have been tied to Chinese hacking groups.
"This is a biological space race and we just haven't woken up to the fact that we're in this race."
"It's becoming clear that China is increasingly interested in getting access to massive data sets that come from different countries," Ms. Pauwels says.
A year after U.S. President Barack Obama conceived of the Precision Medicine Initiative in 2015—later renamed All of Us—China followed suit, announcing the launch of a 15-year, $9 billion precision health effort aimed at turning China into a global leader in genomics.
Chinese genomics companies, too, are expanding their reach outside of Asia. One company, WuXi NextCODE, which has offices in Shanghai, Reykjavik, and Cambridge, Massachusetts, has built an extensive library of genomes from the U.S., China and Iceland, and is now setting its sights on Ireland.
Another Chinese company, BGI, has partnered with Children's Hospital of Philadelphia and Sinai Health System in Toronto, and also formed a collaboration with the Smithsonian Institute to sequence all species on the planet. BGI has built its own advanced genomic sequencing machines to compete with U.S.-based Illumina.
Mr. You says having access to all this data could lead to major breakthroughs in healthcare, such as new blockbuster drugs. "Whoever has the largest, most diverse dataset is truly going to win the day and come up with something very profitable," he says.
Some direct-to-consumer genetic testing companies with offices in the U.S., like Dante Labs, also use BGI to process customers' DNA.
Experts worry that China could race ahead the U.S. in precision medicine because of Chinese laws governing data sharing. Currently, China prohibits the exportation of genetic data without explicit permission from the government. Mr. You says this creates an asymmetry in data sharing between the U.S. and China.
"This is a biological space race and we just haven't woken up to the fact that we're in this race," he said in January at an American Society for Microbiology conference in Washington, D.C. "We don't have access to their data. There is absolutely no reciprocity."
Protecting your data
While Mr. You has been stressing the importance of data security to anyone who will listen, the National Academies of Sciences, Engineering, and Medicine, which makes scientific and policy recommendations on issues of national importance, has commissioned a study on "safeguarding the bioeconomy."
In the meantime, Ms. Berger says organizations that deal with people's health data should assess their security risks and identify potential vulnerabilities in their systems.
As for what individuals can do to protect themselves, she urges people to think about the different ways they're sharing healthcare data—such as via mobile health apps and wearables.
"Ask yourself, what's the benefit of sharing this? What are the potential consequences of sharing this?" she says.
Mr. You also cautions people to think twice before taking consumer DNA tests. They may seem harmless, he says, but at the end of the day, most people don't know where their genetic information is going. "If your genetic sequence is taken, once it's gone, it's gone. There's nothing you can do about it."
Antibody Testing Alone is Not the Key to Re-Opening Society
Immunity tests have too many unknowns right now to make them very useful in determining protective antibody status.
[Editor's Note: We asked experts from different specialties to weigh in on a timely Big Question: "How should immunity testing play a role in re-opening society?" Below, a virologist offers her perspective.]
With the advent of serology testing and increased emphasis on "re-opening" America, public health officials have begun considering whether or not people who have recovered from COVID-19 can safely re-enter the workplace.
"Immunity certificates cannot certify what is not known."
Conventional wisdom holds that people who have developed antibodies in response to infection with SARS-CoV-2, the coronavirus that causes COVID-19, are likely to be immune to reinfection.
For most acute viral infections, this is generally true. However, SARS-CoV-2 is a new pathogen, and there are currently many unanswered questions about immunity. Can recovered patients be reinfected or transmit the virus? Does symptom severity determine how protective responses will be after recovery? How long will protection last? Understanding these basic features is essential to phased re-opening of the government and economy for people who have recovered from COVID-19.
One mechanism that has been considered is issuing "immunity certificates" to individuals with antibodies against SARS-CoV-2. These certificates would verify that individuals have already recovered from COVID-19, and thus have antibodies in their blood that will protect them against reinfection, enabling them to safely return to work and participate in society. Although this sounds reasonable in theory, there are many practical reasons why this is not a wise policy decision to ease off restrictive stay-home orders and distancing practices.
Too Many Scientific Unknowns
Serology tests measure antibodies in the serum—the liquid component of blood, which is where the antibodies are located. In this case, serology tests measure antibodies that specifically bind to SARS-CoV-2 virus particles. Usually when a person is infected with a virus, they develop antibodies that can "recognize" that virus, so the presence of SARS-CoV-2 antibodies indicates that a person has been previously exposed to the virus. Broad serology testing is critical to knowing how many people have been infected with SARS-CoV-2, since testing capacity for the virus itself has been so low.
Tests for the virus measure amounts of SARS-CoV-2 RNA—the virus's genetic material—directly, and thus will not detect the virus once a person has recovered. Thus, the majority of people who were not severely ill and did not require hospitalization, or did not have direct contact with a confirmed case, will not test positive for the virus weeks after they have recovered and can only determine if they had COVID-19 by testing for antibodies.
In most cases, for most pathogens, antibodies are also neutralizing, meaning they bind to the virus and render it incapable of infecting cells, and this protects against future infections. Immunity certificates are based on the assumption that people with antibodies specific for SARS-CoV-2 will be protected against reinfection. The problem is that we've only known that SARS-CoV-2 existed for a little over four months. Although studies so far indicate that most (but not all) patients with confirmed COVID-19 cases develop antibodies, we don't know the extent to which antibodies are protective against reinfection, or how long that protection will last. Immunity certificates cannot certify what is not known.
The limited data so far is encouraging with regard to protective immunity. Most of the patient sera tested for antibodies show reasonable titers of IgG, the type of antibodies most likely to be neutralizing. Furthermore, studies have shown that these IgG antibodies are capable of neutralizing surrogate viruses as well as infectious SARS-CoV-2 in laboratory tests. In addition, rhesus monkeys that were experimentally infected with SARS-CoV-2 and allowed to recover were protected from reinfection after a subsequent experimental challenge. These data tentatively suggest that most people are likely to develop neutralizing IgG, and protective immunity, after being infected by SARS-CoV-2.
However, not all COVID-19 patients do produce high levels of antibodies specific for SARS-CoV-2. A small number of patients in one study had no detectable neutralizing IgG. There have also been reports of patients in South Korea testing PCR positive after a prior negative test, indicating reinfection or reactivation. These cases may be explained by the sensitivity of the PCR test, and no data have been produced to indicate that these cases are genuine reinfection or recurrence of viral infection.
Complicating matters further, not all serology tests measure antibody titers. Some rapid serology tests are designed to be binary—the test can either detect antibodies or not, but does not give information about the amount of antibodies circulating. Based on our current knowledge, we cannot be certain that merely having any level of detectable antibodies alone guarantees protection from reinfection, or from a subclinical reinfection that might not cause a second case of COVID-19, but could still result in transmission to others. These unknowns remain problematic even with tests that accurately detect the presence of antibodies—which is not a given today, as many of the newly available tests are reportedly unreliable.
A Logistical and Ethical Quagmire
While most people are eager to cast off the isolation of physical distancing and resume their normal lives, mere desire to return to normality is not an indicator of whether those antibodies actually work, and no certificate can confer immune protection. Furthermore, immunity certificates could lead to some complicated logistical and ethical issues. If antibodies do not guarantee protective immunity, certifying that they do could give antibody-positive people a false sense of security, causing them to relax infection control practices such as distancing and hand hygiene.
"We should not, however, place our faith in assumptions and make return to normality contingent on an arbitrary and uninformative piece of paper."
Certificates could be forged, putting susceptible people at higher exposure risk. It's not clear who would issue them, what they would entitle the bearer to do or not do, or how certification would be verified or enforced. There are many ways in which such certificates could be used as a pretext to discriminate against people based on health status, in addition to disability, race, and socioeconomic status. Tracking people based on immune status raises further concerns about privacy and civil rights.
Rather than issuing documents confirming immune status, we should instead "re-open" society cautiously, with widespread virus and serology testing to accurately identify and isolate infected cases rapidly, with immediate contact tracing to safely quarantine and monitor those at exposure risk. Broad serosurveillance must be coupled with functional assays for neutralization activity to begin assessing how protective antibodies might actually be against SARS-CoV-2 infection. To understand how long immunity lasts, we should study antibodies, as well as the functional capabilities of other components of the larger immune system, such as T cells, in recovered COVID-19 patients over time.
We should not, however, place our faith in assumptions and make return to normality contingent on an arbitrary and uninformative piece of paper. Re-opening society, the government, and the economy depends not only on accurately determining how many people have antibodies to SARS-CoV-2, but on a deeper understanding of how those antibodies work to provide protection.
Harvard Researchers Are Using a Breakthrough Tool to Find the Antibodies That Best Knock Out the Coronavirus
Knowing which antibodies bind best to the coronavirus can help guide new medicines and vaccine development.
To find a cure for a deadly infectious disease in the 1995 medical thriller Outbreak, scientists extract the virus's antibodies from its original host—an African monkey.
"When a person is infected, the immune system makes antibodies kind of blindly."
The antibodies prevent the monkeys from getting sick, so doctors use these antibodies to make the therapeutic serum for humans. With SARS-CoV-2, the original hosts might be bats or pangolins, but scientists don't have access to either, so they are turning to the humans who beat the virus.
Patients who recovered from COVID-19 are valuable reservoirs of viral antibodies and may help scientists develop efficient therapeutics, says Stephen J. Elledge, professor of genetics and medicine at Harvard Medical School in Boston. Studying the structure of the antibodies floating in their blood can help understand what their immune systems did right to kill the pathogen.
When viruses invade the body, the immune system builds antibodies against them. The antibodies work like Velcro strips—they use special spots on their surface called paratopes to cling to the specific spots on the viral shell called epitopes. Once the antibodies circulating in the blood find their "match," they cling on to the virus and deactivate it.
But that process is far from simple. The epitopes and paratopes are built of various peptides that have complex shapes, are folded in specific ways, and may carry an electrical charge that repels certain molecules. Only when all of these parameters match, an antibody can get close enough to a viral particle—and shut it out.
So the immune system forges many different antibodies with varied parameters in hopes that some will work. "When a person is infected, the immune system makes antibodies kind of blindly," Elledge says. "It's doing a shotgun approach. It's not sure which ones will work, but it knows once it's made a good one that works."
Elledge and his team want to take the guessing out of the process. They are using their home-built tool VirScan to comb through the blood samples of the recovered COVID-19 patients to see what parameters the efficient antibodies should have. First developed in 2015, the VirScan has a library of epitopes found on the shells of viruses known to afflict humans, akin to a database of criminals' mug shots maintained by the police.
Originally, VirScan was meant to reveal which pathogens a person overcame throughout a lifetime, and could identify over 1,000 different strains of viruses and bacteria. When the team ran blood samples against the VirScan's library, the tool would pick out all the "usual suspects." And unlike traditional blood tests called ELISA, which can only detect one pathogen at a time, VirScan can detect all of them at once. Now, the team has updated VirScan with the SARS-CoV-2 "mug shot" and is beginning to test which antibodies from the recovered patients' blood will bind to them.
Knowing which antibodies bind best can also help fine-tune vaccines.
Obtaining blood samples was a challenge that caused some delays. "So far most of the recovered patients have been in China and those samples are hard to get," Elledge says. It also takes a person five to 10 days to develop antibodies, so the blood must be drawn at the right time during the illness. If a person is asymptomatic, it's hard to pinpoint the right moment. "We just got a couple of blood samples so we are testing now," he said. The team hopes to get some results very soon.
Elucidating the structure of efficient antibodies can help create therapeutics for COVID-19. "VirScan is a powerful technology to study antibody responses," says Harvard Medical School professor Dan Barouch, who also directs the Center for Virology and Vaccine Research. "A detailed understanding of the antibody responses to COVID-19 will help guide the design of next-generation vaccines and therapeutics."
For example, scientists can synthesize antibodies to specs and give them to patients as medicine. Once vaccines are designed, medics can use VirScan to see if those vaccinated again COVID-19 generate the necessary antibodies.
Knowing which antibodies bind best can also help fine-tune vaccines. Sometimes, viruses cause the immune system to generate antibodies that don't deactivate it. "We think the virus is trying to confuse the immune system; it is its business plan," Elledge says—so those unhelpful antibodies shouldn't be included in vaccines.
More importantly, VirScan can also tell which people have developed immunity to SARS-CoV-2 and can return to their workplaces and businesses, which is crucial to restoring the economy. Knowing one's immunity status is especially important for doctors working on the frontlines, Elledge notes. "The resistant ones can intubate the sick."
Lina Zeldovich has written about science, medicine and technology for Popular Science, Smithsonian, National Geographic, Scientific American, Reader’s Digest, the New York Times and other major national and international publications. A Columbia J-School alumna, she has won several awards for her stories, including the ASJA Crisis Coverage Award for Covid reporting, and has been a contributing editor at Nautilus Magazine. In 2021, Zeldovich released her first book, The Other Dark Matter, published by the University of Chicago Press, about the science and business of turning waste into wealth and health. You can find her on http://linazeldovich.com/ and @linazeldovich.