Bad Actors Getting Your Health Data Is the FBI’s Latest Worry
A hacker activating a 3D rendering of DNA data.
In February 2015, the health insurer Anthem revealed that criminal hackers had gained access to the company's servers, exposing the personal information of nearly 79 million patients. It's the largest known healthcare breach in history.
FBI agents worry that the vast amounts of healthcare data being generated for precision medicine efforts could leave the U.S. vulnerable to cyber and biological attacks.
That year, the data of millions more would be compromised in one cyberattack after another on American insurers and other healthcare organizations. In fact, for the past several years, the number of reported data breaches has increased each year, from 199 in 2010 to 344 in 2017, according to a September 2018 analysis in the Journal of the American Medical Association.
The FBI's Edward You sees this as a worrying trend. He says hackers aren't just interested in your social security or credit card number. They're increasingly interested in stealing your medical information. Hackers can currently use this information to make fake identities, file fraudulent insurance claims, and order and sell expensive drugs and medical equipment. But beyond that, a new kind of cybersecurity threat is around the corner.
Mr. You and others worry that the vast amounts of healthcare data being generated for precision medicine efforts could leave the U.S. vulnerable to cyber and biological attacks. In the wrong hands, this data could be used to exploit or extort an individual, discriminate against certain groups of people, make targeted bioweapons, or give another country an economic advantage.
Precision medicine, of course, is the idea that medical treatments can be tailored to individuals based on their genetics, environment, lifestyle or other traits. But to do that requires collecting and analyzing huge quantities of health data from diverse populations. One research effort, called All of Us, launched by the U.S. National Institutes of Health last year, aims to collect genomic and other healthcare data from one million participants with the goal of advancing personalized medical care.
Other initiatives are underway by academic institutions and healthcare organizations. Electronic medical records, genetic tests, wearable health trackers, mobile apps, and social media are all sources of valuable healthcare data that a bad actor could potentially use to learn more about an individual or group of people.
"When you aggregate all of that data together, that becomes a very powerful profile of who you are," Mr. You says.
A supervisory special agent in the biological countermeasures unit within the FBI's weapons of mass destruction directorate, it's Mr. You's job to imagine worst-case bioterror scenarios and figure out how to prevent and prepare for them.
That used to mean focusing on threats like anthrax, Ebola, and smallpox—pathogens that could be used to intentionally infect people—"basically the dangerous bugs," as he puts it. In recent years, advances in gene editing and synthetic biology have given rise to fears that rogue, or even well-intentioned, scientists could create a virulent virus that's intentionally, or unintentionally, released outside the lab.
"If a foreign source, especially a criminal one, has your biological information, then they might have some particular insights into what your future medical needs might be and exploit that."
While Mr. You is still tracking those threats, he's been traveling around the country talking to scientists, lawyers, software engineers, cyber security professionals, government officials and CEOs about new security threats—those posed by genetic and other biological data.
Emerging threats
Mr. You says one possible situation he can imagine is the potential for nefarious actors to use an individual's sensitive medical information to extort or blackmail that person.
"If a foreign source, especially a criminal one, has your biological information, then they might have some particular insights into what your future medical needs might be and exploit that," he says. For instance, "what happens if you have a singular medical condition and an outside entity says they have a treatment for your condition?" You could get talked into paying a huge sum of money for a treatment that ends up being bogus.
Or what if hackers got a hold of a politician or high-profile CEO's health records? Say that person had a disease-causing genetic mutation that could affect their ability to carry out their job in the future and hackers threatened to expose that information. These scenarios may seem far-fetched, but Mr. You thinks they're becoming increasingly plausible.
On a wider scale, Kavita Berger, a scientist at Gryphon Scientific, a Washington, D.C.-area life sciences consulting firm, worries that data from different populations could be used to discriminate against certain groups of people, like minorities and immigrants.
For instance, the advocacy group Human Rights Watch in 2017 flagged a concerning trend in China's Xinjiang territory, a region with a history of government repression. Police there had purchased 12 DNA sequencers and were collecting and cataloging DNA samples from people to build a national database.
"The concern is that this particular province has a huge population of the Muslim minority in China," Ms. Berger says. "Now they have a really huge database of genetic sequences. You have to ask, why does a police station need 12 next-generation sequencers?"
Also alarming is the potential that large amounts of data from different groups of people could lead to customized bioweapons if that data ends up in the wrong hands.
Eleonore Pauwels, a research fellow on emerging cybertechnologies at United Nations University's Centre for Policy Research, says new insights gained from genomic and other data will give scientists a better understanding of how diseases occur and why certain people are more susceptible to certain diseases.
"As you get more and more knowledge about the genomic picture and how the microbiome and the immune system of different populations function, you could get a much deeper understanding about how you could target different populations for treatment but also how you could eventually target them with different forms of bioagents," Ms. Pauwels says.
Economic competitiveness
Another reason hackers might want to gain access to large genomic and other healthcare datasets is to give their country a leg up economically. Many large cyber-attacks on U.S. healthcare organizations have been tied to Chinese hacking groups.
"This is a biological space race and we just haven't woken up to the fact that we're in this race."
"It's becoming clear that China is increasingly interested in getting access to massive data sets that come from different countries," Ms. Pauwels says.
A year after U.S. President Barack Obama conceived of the Precision Medicine Initiative in 2015—later renamed All of Us—China followed suit, announcing the launch of a 15-year, $9 billion precision health effort aimed at turning China into a global leader in genomics.
Chinese genomics companies, too, are expanding their reach outside of Asia. One company, WuXi NextCODE, which has offices in Shanghai, Reykjavik, and Cambridge, Massachusetts, has built an extensive library of genomes from the U.S., China and Iceland, and is now setting its sights on Ireland.
Another Chinese company, BGI, has partnered with Children's Hospital of Philadelphia and Sinai Health System in Toronto, and also formed a collaboration with the Smithsonian Institute to sequence all species on the planet. BGI has built its own advanced genomic sequencing machines to compete with U.S.-based Illumina.
Mr. You says having access to all this data could lead to major breakthroughs in healthcare, such as new blockbuster drugs. "Whoever has the largest, most diverse dataset is truly going to win the day and come up with something very profitable," he says.
Some direct-to-consumer genetic testing companies with offices in the U.S., like Dante Labs, also use BGI to process customers' DNA.
Experts worry that China could race ahead the U.S. in precision medicine because of Chinese laws governing data sharing. Currently, China prohibits the exportation of genetic data without explicit permission from the government. Mr. You says this creates an asymmetry in data sharing between the U.S. and China.
"This is a biological space race and we just haven't woken up to the fact that we're in this race," he said in January at an American Society for Microbiology conference in Washington, D.C. "We don't have access to their data. There is absolutely no reciprocity."
Protecting your data
While Mr. You has been stressing the importance of data security to anyone who will listen, the National Academies of Sciences, Engineering, and Medicine, which makes scientific and policy recommendations on issues of national importance, has commissioned a study on "safeguarding the bioeconomy."
In the meantime, Ms. Berger says organizations that deal with people's health data should assess their security risks and identify potential vulnerabilities in their systems.
As for what individuals can do to protect themselves, she urges people to think about the different ways they're sharing healthcare data—such as via mobile health apps and wearables.
"Ask yourself, what's the benefit of sharing this? What are the potential consequences of sharing this?" she says.
Mr. You also cautions people to think twice before taking consumer DNA tests. They may seem harmless, he says, but at the end of the day, most people don't know where their genetic information is going. "If your genetic sequence is taken, once it's gone, it's gone. There's nothing you can do about it."
Diagnosed by App: Medical Testing in the Palm of Your Hand
The shift to in-home medical testing through smartphone apps is expected to save patients time in receiving certain kinds of diagnoses, but raises some privacy concerns.
Urinary tract infections aren't life-threatening, but they can be excruciatingly painful and debilitating.
"Overnight, I'd be gripped by this searing pain and I can barely walk," says Ling Koh, a Los Angeles-based bioengineer. But short of going to the ER or urgent care, she'd have to suffer for a few days until she could get in to see her family doctor for an antibiotic prescription.
Smartphones are now able to do on-the-spot diagnostic tests that were previously only able to be performed in a lab.
No longer. Koh, who works for Scanwell Health, was instrumental in the development of the company's smartphone app that is FDA-cleared for urinary tract infection screening. It allows someone to test urine at home using a paper test strip — the same one used by doctors in ERs and labs. The phone app reads a scan card from the test kit that can analyze what's on the strip and then connect the patient to a physician who can make a virtual diagnosis.
Test strips cost $15 for a three-pack and consultation with a doc is about the same as an average co-pay -- $25, and the app matches the quality of clinical laboratory tests, according to the company. Right now, you can get a referral to a telehealth visit with a doctor in California and get a prescription. A national rollout is in the works within the next couple of months.
"It's so easy to use them at home and eliminate the inefficiencies in the process," says Koh. "A telemedicine doctor can look at the test results and prescribe directly to the pharmacy instead of women waiting at home, miserable, and crying in the bathtub."
Scanwell is now involved in an ongoing National Institutes of Health- sponsored study of chronic kidney disease to test a version of the app to identify patients who have the disease, which affects more than 30 million Americans. "Because kidney disease has virtually no symptoms, by the time people realize they're sick, their illness is advanced and they're ready for dialysis," says Koh. "If we can catch it sooner, early intervention can help them avoid kidney failure."
Smartphones have changed society — and now they may change medical care, too. Thanks to the incredible processing capabilities of our smartphones, which come equipped with a camera, access to the internet and are thousands of times faster than the 1960s era NASA computers that ran the Apollo Moon Mission, these pocket-sized powerhouses have become an invaluable tool for managing our health and are even able to do on-the-spot diagnostic tests that were previously only able to be performed in a lab.
This shift to in-home testing is the wave of the future, promising to ease some of the medical care bottlenecks in which patients can have two- to three-week waits to see their family doctors and lift some of the burdens on overworked physicians.
"This is really the democratization of medicine because a lot of the things we used to rely on doctors, hospitals, or labs to do we'll be able to do ourselves," says Dr. Eric Topol, an eminent cardiologist and digital health pioneer at the Scripps Clinic and Research Institute in La Jolla.
But troubling questions remain. Aside from the obvious convenience, are these tests truly as accurate as ones in a doctor's office? And with all this medical information stored and collected by smartphones, will privacy be sacrificed? Will friends, family members, and employers suddenly have access to personal medical information we'd rather keep to ourselves?
The range of what these DIY health care apps can do is mind-boggling, and even more complex tests are on the way.
"I'm really worried about that because we've let our guard down," says Topol. "Data stored on servers is a target for cyber thieves — and data is being breached, hacked, brokered, and sold, and we're complacent."
Still, the apps have come a long way since 2011 when Topol whipped out an experimental smartphone electro-cardiogram that he had been testing on his patients when a fellow passenger on a flight from Washington D.C. was seized with severe chest pains. At 35,000 feet in the air, the app, which uses fingertip sensors to detect heart rate, showed the man was having a heart attack. After an emergency landing, the passenger was rushed to the closest hospital and survived. These days, even the Apple Watch has an FDA-approved app that can monitor your electro-cardiogram readings.
The range of what these DIY health care apps can do is mind-boggling, and even more complex tests are on the way. Phone apps can now monitor sleep quality to detect sleep apnea, blood pressure, weight and temperature. In the future, rapid diagnostic tests for infectious diseases, like flu, Dengue or Zika, and urinalysis will become common.
"There is virtually no limit to the kinds of testing that can be done using a smartphone," says Dr. John Halamka, Executive Director of the Health Technology Exploration Center at Beth Israel Lahey Health. "No one wants to drive to a clinician's office or lab if that same quality testing can be achieved at a lower cost without leaving home."
SkinVision's skin cancer screening tool, for instance, can tell if a suspicious mole is cancerous. Users take three photos, which are then run through the app's algorithm that compares their lesions with more than three million pictures, evaluating such elements as asymmetry, color, and shape, and spits out an assessment within thirty seconds. A team of in-house experts provide a review regardless of whether the mole is high or low risk, and the app encourages users to see their doctors. The Dutch-based company's app has been used by more than a million people globally in the EU, and in New Zealand and Australia, where skin cancer is rampant and early detection can save lives. The company has plans to enter the U.S. market, according to a spokesperson.
Apps like Instant Heart Rate analyze blood flow, which can indicate whether your heart is functioning normally, while uChek examines urine samples for up to 10 markers for conditions like diabetes and urinary tract infections. Some behavioral apps even have sensors that can spot suicide risks if users are less active, indicating they may be suffering from a bout of the blues.
Even more complex tests are in the research pipeline. Apps like ResAppDX could eventually replace x-rays, CT scans, and blood tests in diagnosing severe respiratory infections in kids, while an EU-funded project called i-Prognosis can track a variety of clues — voice changes, facial expressions, hand steadiness — that indicate the onset of Parkinson's disease.
These hand-held testing devices can be especially helpful in developing countries, and there are pilot programs to use smartphone technology to diagnose malaria and HIV infections in remote outposts in Africa.
"In a lot of these places, there's no infrastructure but everyone has a smartphone," says Scanwell's Koh. "We need to leverage the smartphone in a clinically relevant way."
However, patient privacy is an ongoing concern. A 2019 review in the Journal of the American Medical Association conducted by Australian and American researchers looked at three dozen behavioral health apps, mainly for depression and smoking cessation. They found that about 70 percent shared data with third parties, like Facebook and Google, but only one third of them disclosed this in a privacy policy.
"Patients just blindly accept the end user agreements without understanding the implications."
Users need to be vigilant, too. "Patients just blindly accept the end user agreements without understanding the implications," says Hamalka, who is also the Chief Information Officer and Dean for Technology at Harvard Medical School.
And quality control is an issue. Right now, the diagnostic tools currently available have been vetted by the FDA, and overseas companies like Skin Vision have been scrutinized by the U.K.'s National Health Service and the EU. But the danger is that a lot of apps are going to be popping up soon that haven't been properly tested, due to loopholes in the regulations.
"All we want," says Topol, "are rigorous studies to make sure what consumers are using is validated."
[Correction, August 19th, 2019: An earlier version of this story misstated the specifics of SkinVision's service. A team of in-house experts reviews users' submissions, not in-house dermatologists, and the service is not free.]
Enter our writing contest for a chance to win a cash prize and publication on leapsmag.
Last year, we sponsored a short story contest, asking writers to share a fictional vision of how emerging technology might shape the future. This year, the competition has a new spin.
The Prompt:
Write a personal essay of up to 2000 words describing how a new advance in medicine or science has profoundly affected your life.
The Rules:
Submissions must be received by midnight EST on September 20th, 2019. Send your original, previously unpublished essay as a double-spaced attachment in size 12 Times New Roman font to kira@leapsmag.com. Include your name and a short bio. It is free to enter, and authors retain all ownership of their work. Upon submitting an entry, the author agrees to grant leapsmag one-time nonexclusive publication rights.
All submissions will be judged by the Editor-in-Chief on the basis of insightfulness, quality of writing, and relevance to the prompt. The Contest is open to anyone around the world of any age, except for the friends and family of leapsmag staff and associates.
The winners will be announced by October 31st, 2019.
The Prizes:
Grand Prize: $500, publication of your story on leapsmag, and promotion on our social media channels.
First Runner-Up: $100 and a shout-out on our social media channels.
Good luck!
Kira Peikoff was the editor-in-chief of Leaps.org from 2017 to 2021. As a journalist, her work has appeared in The New York Times, Newsweek, Nautilus, Popular Mechanics, The New York Academy of Sciences, and other outlets. She is also the author of four suspense novels that explore controversial issues arising from scientific innovation: Living Proof, No Time to Die, Die Again Tomorrow, and Mother Knows Best. Peikoff holds a B.A. in Journalism from New York University and an M.S. in Bioethics from Columbia University. She lives in New Jersey with her husband and two young sons. Follow her on Twitter @KiraPeikoff.