Bad Actors Getting Your Health Data Is the FBI’s Latest Worry
A hacker activating a 3D rendering of DNA data.
In February 2015, the health insurer Anthem revealed that criminal hackers had gained access to the company's servers, exposing the personal information of nearly 79 million patients. It's the largest known healthcare breach in history.
FBI agents worry that the vast amounts of healthcare data being generated for precision medicine efforts could leave the U.S. vulnerable to cyber and biological attacks.
That year, the data of millions more would be compromised in one cyberattack after another on American insurers and other healthcare organizations. In fact, for the past several years, the number of reported data breaches has increased each year, from 199 in 2010 to 344 in 2017, according to a September 2018 analysis in the Journal of the American Medical Association.
The FBI's Edward You sees this as a worrying trend. He says hackers aren't just interested in your social security or credit card number. They're increasingly interested in stealing your medical information. Hackers can currently use this information to make fake identities, file fraudulent insurance claims, and order and sell expensive drugs and medical equipment. But beyond that, a new kind of cybersecurity threat is around the corner.
Mr. You and others worry that the vast amounts of healthcare data being generated for precision medicine efforts could leave the U.S. vulnerable to cyber and biological attacks. In the wrong hands, this data could be used to exploit or extort an individual, discriminate against certain groups of people, make targeted bioweapons, or give another country an economic advantage.
Precision medicine, of course, is the idea that medical treatments can be tailored to individuals based on their genetics, environment, lifestyle or other traits. But to do that requires collecting and analyzing huge quantities of health data from diverse populations. One research effort, called All of Us, launched by the U.S. National Institutes of Health last year, aims to collect genomic and other healthcare data from one million participants with the goal of advancing personalized medical care.
Other initiatives are underway by academic institutions and healthcare organizations. Electronic medical records, genetic tests, wearable health trackers, mobile apps, and social media are all sources of valuable healthcare data that a bad actor could potentially use to learn more about an individual or group of people.
"When you aggregate all of that data together, that becomes a very powerful profile of who you are," Mr. You says.
A supervisory special agent in the biological countermeasures unit within the FBI's weapons of mass destruction directorate, it's Mr. You's job to imagine worst-case bioterror scenarios and figure out how to prevent and prepare for them.
That used to mean focusing on threats like anthrax, Ebola, and smallpox—pathogens that could be used to intentionally infect people—"basically the dangerous bugs," as he puts it. In recent years, advances in gene editing and synthetic biology have given rise to fears that rogue, or even well-intentioned, scientists could create a virulent virus that's intentionally, or unintentionally, released outside the lab.
"If a foreign source, especially a criminal one, has your biological information, then they might have some particular insights into what your future medical needs might be and exploit that."
While Mr. You is still tracking those threats, he's been traveling around the country talking to scientists, lawyers, software engineers, cyber security professionals, government officials and CEOs about new security threats—those posed by genetic and other biological data.
Emerging threats
Mr. You says one possible situation he can imagine is the potential for nefarious actors to use an individual's sensitive medical information to extort or blackmail that person.
"If a foreign source, especially a criminal one, has your biological information, then they might have some particular insights into what your future medical needs might be and exploit that," he says. For instance, "what happens if you have a singular medical condition and an outside entity says they have a treatment for your condition?" You could get talked into paying a huge sum of money for a treatment that ends up being bogus.
Or what if hackers got a hold of a politician or high-profile CEO's health records? Say that person had a disease-causing genetic mutation that could affect their ability to carry out their job in the future and hackers threatened to expose that information. These scenarios may seem far-fetched, but Mr. You thinks they're becoming increasingly plausible.
On a wider scale, Kavita Berger, a scientist at Gryphon Scientific, a Washington, D.C.-area life sciences consulting firm, worries that data from different populations could be used to discriminate against certain groups of people, like minorities and immigrants.
For instance, the advocacy group Human Rights Watch in 2017 flagged a concerning trend in China's Xinjiang territory, a region with a history of government repression. Police there had purchased 12 DNA sequencers and were collecting and cataloging DNA samples from people to build a national database.
"The concern is that this particular province has a huge population of the Muslim minority in China," Ms. Berger says. "Now they have a really huge database of genetic sequences. You have to ask, why does a police station need 12 next-generation sequencers?"
Also alarming is the potential that large amounts of data from different groups of people could lead to customized bioweapons if that data ends up in the wrong hands.
Eleonore Pauwels, a research fellow on emerging cybertechnologies at United Nations University's Centre for Policy Research, says new insights gained from genomic and other data will give scientists a better understanding of how diseases occur and why certain people are more susceptible to certain diseases.
"As you get more and more knowledge about the genomic picture and how the microbiome and the immune system of different populations function, you could get a much deeper understanding about how you could target different populations for treatment but also how you could eventually target them with different forms of bioagents," Ms. Pauwels says.
Economic competitiveness
Another reason hackers might want to gain access to large genomic and other healthcare datasets is to give their country a leg up economically. Many large cyber-attacks on U.S. healthcare organizations have been tied to Chinese hacking groups.
"This is a biological space race and we just haven't woken up to the fact that we're in this race."
"It's becoming clear that China is increasingly interested in getting access to massive data sets that come from different countries," Ms. Pauwels says.
A year after U.S. President Barack Obama conceived of the Precision Medicine Initiative in 2015—later renamed All of Us—China followed suit, announcing the launch of a 15-year, $9 billion precision health effort aimed at turning China into a global leader in genomics.
Chinese genomics companies, too, are expanding their reach outside of Asia. One company, WuXi NextCODE, which has offices in Shanghai, Reykjavik, and Cambridge, Massachusetts, has built an extensive library of genomes from the U.S., China and Iceland, and is now setting its sights on Ireland.
Another Chinese company, BGI, has partnered with Children's Hospital of Philadelphia and Sinai Health System in Toronto, and also formed a collaboration with the Smithsonian Institute to sequence all species on the planet. BGI has built its own advanced genomic sequencing machines to compete with U.S.-based Illumina.
Mr. You says having access to all this data could lead to major breakthroughs in healthcare, such as new blockbuster drugs. "Whoever has the largest, most diverse dataset is truly going to win the day and come up with something very profitable," he says.
Some direct-to-consumer genetic testing companies with offices in the U.S., like Dante Labs, also use BGI to process customers' DNA.
Experts worry that China could race ahead the U.S. in precision medicine because of Chinese laws governing data sharing. Currently, China prohibits the exportation of genetic data without explicit permission from the government. Mr. You says this creates an asymmetry in data sharing between the U.S. and China.
"This is a biological space race and we just haven't woken up to the fact that we're in this race," he said in January at an American Society for Microbiology conference in Washington, D.C. "We don't have access to their data. There is absolutely no reciprocity."
Protecting your data
While Mr. You has been stressing the importance of data security to anyone who will listen, the National Academies of Sciences, Engineering, and Medicine, which makes scientific and policy recommendations on issues of national importance, has commissioned a study on "safeguarding the bioeconomy."
In the meantime, Ms. Berger says organizations that deal with people's health data should assess their security risks and identify potential vulnerabilities in their systems.
As for what individuals can do to protect themselves, she urges people to think about the different ways they're sharing healthcare data—such as via mobile health apps and wearables.
"Ask yourself, what's the benefit of sharing this? What are the potential consequences of sharing this?" she says.
Mr. You also cautions people to think twice before taking consumer DNA tests. They may seem harmless, he says, but at the end of the day, most people don't know where their genetic information is going. "If your genetic sequence is taken, once it's gone, it's gone. There's nothing you can do about it."
A Surprising Breakthrough Will Allow Tiny Implants to Fix—and Even Upgrade—Your Body
The medical implants of the future will prompt lively discussion around the boundaries between treatment and enhancement.
Imagine it's the year 2040 and you're due for your regular health checkup. Time to schedule your next colonoscopy, Pap smear if you're a woman, and prostate screen if you're a man.
"The evolution of the biological ion transistor technology is a game changer."
But wait, you no longer need any of those, since you recently got one of the new biomed implants – a device that integrates seamlessly with body tissues, because of a watershed breakthrough that happened in the early 2020s. It's an improved biological transistor driven by electrically charged particles that move in and out of your own cells. Like insulin pumps and cardiac pacemakers, the medical implants of the future will go where they are needed, on or inside the body.
But unlike current implants, biological transistors will have a remarkable range of applications. Currently small enough to fit between a patient's hair follicles, the devices could one day enable correction of problems ranging from damaged heart muscle to failing retinas to deficiencies of hormones and enzymes.
Their usefulness raises the prospect of overcorrection to the point of human enhancement, as in the bionic parts that were imagined on the ABC television series The Six Million Dollar Man, which aired in the 1970s.
"The evolution of the biological ion transistor technology is a game changer," says Zoltan Istvan, who ran as a U.S. Presidential candidate in 2016 for the Transhumanist Party and later ran for California governor. Istvan envisions humans becoming faster, stronger, and increasingly more capable by way of technological innovations, especially in the biotechnology realm. "It's a big step forward on how we can improve and upgrade the human body."
How It Works
The new transistors are more like the soft, organic machines that biology has evolved than like traditional transistors built of semiconductors and metal, according to electric engineering expert Dion Khodagholy, one of the leaders of the team at Columbia University that developed the technology.
The key to the advance, notes Khodagholy, is that the transistors will interface seamlessly with tissue, because the electricity will be of the biological type -- transmitted via the flow of ions through liquid, rather than electrons through metal. This will boost the sensitivity of detection and decoding of biological change.
Naturally, such a paradigm change in the world of medical devices raises potential societal and ethical dilemmas.
Known as an ion-gated transistor (IGT), the new class of technology effectively melds electronics with molecules of human skin. That's the current prototype, but ultimately, biological devices will be able to go anywhere in the body. "IGT-based devices hold great promise for development of fully implantable bioelectronic devices that can address key clinical issues for patients with neuropsychiatric disease," says Khodagholy, based on the expectation that future devices could fuse with, measure, and modulate cells of the human nervous system.
Ethical Implications
Naturally, such a paradigm change in the world of medical devices raises potential societal and ethical dilemmas, starting with who receives the new technology and who pays for it. But, according clinical ethicist and health care attorney David Hoffman, we can gain insight from past experience, such as how society reacted to the invention of kidney dialysis in the mid 20th century.
"Kidney dialysis has been federally funded for all these decades, largely because the who-gets-the-technology question was an issue when the technology entered clinical medicine," says Hoffman, who teaches bioethics at Columbia's College of Physicians and Surgeons as well as at the law school and medical school of Yeshiva University. Just as dialysis became a necessity for many patients, he suggests that the emerging bio-transistors may also become critical life-sustaining devices, prompting discussions about federal coverage.
But unlike dialysis, biological transistors could allow some users to become "better than well," making it more similar to medication for ADHD (attention deficit hyperactivity disorder): People who don't require it can still use it to improve their baseline normal functioning. This raises the classic question: Should society draw a line between treatment and enhancement? And who gets to decide the answer?
If it's strictly a medical use of the technology, should everyone who needs it get to use it, regardless of ability to pay, relying on federal or private insurance coverage? On the other hand, if it's used voluntarily for enhancement, should that option also be available to everyone -- but at an upfront cost?
From a transhumanist viewpoint, getting wrapped up with concerns about the evolution of devices from therapy to enhancement is not worth the trouble.
It seems safe to say that some lively debates and growing pains are on the horizon.
"Even if [the biological ion transistor] is developed only for medical devices that compensate for losses and deficiencies similar to that of a cardiac pacemaker, it will be hard to stop its eventual evolution from compensation to enhancement," says Istvan. "If you use it in a bionic eye to restore vision to the blind, how do you draw the line between replacement of normal function and provision of enhanced function? Do you pass a law placing limits on visual capabilities of a synthetic eye? Transhumanists would oppose such laws, and any restrictions in one country or another would allow another country to gain an advantage by creating their own real-life super human cyborg citizens."
In the same breath though, Istvan admits that biotechnology on a bionic scale is bound to complicate a range of international phenomena, from economic growth and military confrontations to sporting events like the Olympic Games.
The technology is already here, and it's just a matter of time before we see clinically viable, implantable devices. As for how society will react, it seems safe to say that some lively debates and growing pains are on the horizon.
Clever Firm Predicts Patients Most at Risk, Then Tries to Intervene Before They Get Sicker
Health firm Populytics tracks and analyzes patient data, and makes care suggestions based on that data.
The diabetic patient hit the danger zone.
Ideally, blood sugar, measured by an A1C test, rests at 5.9 or less. A 7 is elevated, according to the Diabetes Council. Over 10, and you're into the extreme danger zone, at risk of every diabetic crisis from kidney failure to blindness.
In three months of working with a case manager, Jen's blood sugar had dropped to 7.2, a much safer range.
This patient's A1C was 10. Let's call her Jen for the sake of this story. (Although the facts of her case are real, the patient's actual name wasn't released due to privacy laws.).
Jen happens to live in Pennsylvania's Lehigh Valley, home of the nonprofit Lehigh Valley Health Network, which has eight hospital campuses and various clinics and other services. This network has invested more than $1 billion in IT infrastructure and founded Populytics, a spin-off firm that tracks and analyzes patient data, and makes care suggestions based on that data.
When Jen left the doctor's office, the Populytics data machine started churning, analyzing her data compared to a wealth of information about future likely hospital visits if she did not comply with recommendations, as well as the potential positive impacts of outreach and early intervention.
About a month after Jen received the dangerous blood test results, a community outreach specialist with psychological training called her. She was on a list generated by Populytics of follow-up patients to contact.
"It's a very gentle conversation," says Cathryn Kelly, who manages a care coordination team at Populytics. "The case manager provides them understanding and support and coaching." The goal, in this case, was small behavioral changes that would actually stick, like dietary ones.
In three months of working with a case manager, Jen's blood sugar had dropped to 7.2, a much safer range. The odds of her cycling back to the hospital ER or veering into kidney failure, or worse, had dropped significantly.
While the health network is extremely localized to one area of one state, using data to inform precise medical decision-making appears to be the wave of the future, says Ann Mongovern, the associate director of Health Care Ethics at the Markkula Center for Applied Ethics at Santa Clara University in California.
"Many hospitals and hospital systems don't yet try to do this at all, which is striking given where we're at in terms of our general technical ability in this society," Mongovern says.
How It Happened
While many hospitals make money by filling beds, the Lehigh Valley Health Network, as a nonprofit, accepts many patients on Medicaid and other government insurances that don't cover some of the costs of a hospitalization. The area's population is both poorer and older than national averages, according to the U.S. Census data, meaning more people with higher medical needs that may not have the support to care for themselves. They end up in the ER, or worse, again and again.
In the early 2000s, LVHN CEO Dr. Brian Nester started wondering if his health network could develop a way to predict who is most likely to land themselves a pricey ICU stay -- and offer support before those people end up needing serious care.
Embracing data use in such specific ways also brings up issues of data security and patient safety.
"There was an early understanding, even if you go back to the (federal) balanced budget act of 1997, that we were just kicking the can down the road to having a functional financial model to deliver healthcare to everyone with a reasonable price," Nester says. "We've got a lot of people living longer without more of an investment in the healthcare trust."
Popultyics, founded in 2013, was the result of years of planning and agonizing over those population numbers and cost concerns.
"We looked at our own health plan," Nester says. Out of all the employees and dependants on the LVHN's own insurance network, "roughly 1.5 percent of our 25,000 people — under 400 people — drove $30 million of our $130 million on insurance costs -- about 25 percent."
"You don't have to boil the ocean to take cost out of the system," he says. "You just have to focus on that 1.5%."
Take Jen, the diabetic patient. High blood sugar can lead to kidney failure, which can mean weekly expensive dialysis for 20 years. Investing in the data and staff to reach patients, he says, is "pennies compared to $100 bills."
For most doctors, "there's no awareness for providers to know who they should be seeing vs. who they are seeing. There's no incentive, because the incentive is to see as many patients as you can," he says.
To change that, first the LVHN invested in the popular medical management system, Epic. Then, they negotiated with the top 18 insurance companies that cover patients in the region to allow access to their patient care data, which means they have reams of patient history to feed the analytics machine in order to make predictions about outcomes. Nester admits not every hospital could do that -- with 52 percent of the market share, LVHN had a very strong negotiating position.
Third party services take that data and churn out analytics that feeds models and care management plans. All identifying information is stripped from the data.
"We can do predictive modeling in patients," says Populytics President and CEO Gregory Kile. "We can identify care gaps. Those care gaps are noted as alerts when the patient presents at the office."
Kile uses himself as a hypothetical patient.
"I pull up Gregory Kile, and boom, I see a flag or an alert. I see he hasn't been in for his last blood test. There is a care gap there we need to complete."
"There's just so much more you can do with that information," he says, envisioning a future where follow-up for, say, knee replacement surgery and outcomes could be tracked, and either validated or changed.
Ethical Issues at the Forefront
Of course, embracing data use in such specific ways also brings up issues of security and patient safety. For example, says medical ethicist Mongovern, there are many touchpoints where breaches could occur. The public has a growing awareness of how data used to personalize their experiences, such as social media analytics, can also be monetized and sold in ways that benefit a company, but not the user. That's not to say data supporting medical decisions is a bad thing, she says, just one with potential for public distrust if not handled thoughtfully.
"You're going to need to do this to stay competitive," she says. "But there's obviously big challenges, not the least of which is patient trust."
So far, a majority of the patients targeted – 62 percent -- appear to embrace the effort.
Among the ways the LVHN uses the data is monthly reports they call registries, which include patients who have just come in contact with the health network, either through the hospital or a doctor that works with them. The community outreach team members at Populytics take the names from the list, pull their records, and start calling. So far, a majority of the patients targeted – 62 percent -- appear to embrace the effort.
Says Nester: "Most of these are vulnerable people who are thrilled to have someone care about them. So they engage, and when a person engages in their care, they take their insulin shots. It's not rocket science. The rocket science is in identifying who the people are — the delivery of care is easy."