Bad Actors Getting Your Health Data Is the FBI’s Latest Worry
In February 2015, the health insurer Anthem revealed that criminal hackers had gained access to the company's servers, exposing the personal information of nearly 79 million patients. It's the largest known healthcare breach in history.
FBI agents worry that the vast amounts of healthcare data being generated for precision medicine efforts could leave the U.S. vulnerable to cyber and biological attacks.
That year, the data of millions more would be compromised in one cyberattack after another on American insurers and other healthcare organizations. In fact, for the past several years, the number of reported data breaches has increased each year, from 199 in 2010 to 344 in 2017, according to a September 2018 analysis in the Journal of the American Medical Association.
The FBI's Edward You sees this as a worrying trend. He says hackers aren't just interested in your social security or credit card number. They're increasingly interested in stealing your medical information. Hackers can currently use this information to make fake identities, file fraudulent insurance claims, and order and sell expensive drugs and medical equipment. But beyond that, a new kind of cybersecurity threat is around the corner.
Mr. You and others worry that the vast amounts of healthcare data being generated for precision medicine efforts could leave the U.S. vulnerable to cyber and biological attacks. In the wrong hands, this data could be used to exploit or extort an individual, discriminate against certain groups of people, make targeted bioweapons, or give another country an economic advantage.
Precision medicine, of course, is the idea that medical treatments can be tailored to individuals based on their genetics, environment, lifestyle or other traits. But to do that requires collecting and analyzing huge quantities of health data from diverse populations. One research effort, called All of Us, launched by the U.S. National Institutes of Health last year, aims to collect genomic and other healthcare data from one million participants with the goal of advancing personalized medical care.
Other initiatives are underway by academic institutions and healthcare organizations. Electronic medical records, genetic tests, wearable health trackers, mobile apps, and social media are all sources of valuable healthcare data that a bad actor could potentially use to learn more about an individual or group of people.
"When you aggregate all of that data together, that becomes a very powerful profile of who you are," Mr. You says.
A supervisory special agent in the biological countermeasures unit within the FBI's weapons of mass destruction directorate, it's Mr. You's job to imagine worst-case bioterror scenarios and figure out how to prevent and prepare for them.
That used to mean focusing on threats like anthrax, Ebola, and smallpox—pathogens that could be used to intentionally infect people—"basically the dangerous bugs," as he puts it. In recent years, advances in gene editing and synthetic biology have given rise to fears that rogue, or even well-intentioned, scientists could create a virulent virus that's intentionally, or unintentionally, released outside the lab.
"If a foreign source, especially a criminal one, has your biological information, then they might have some particular insights into what your future medical needs might be and exploit that."
While Mr. You is still tracking those threats, he's been traveling around the country talking to scientists, lawyers, software engineers, cyber security professionals, government officials and CEOs about new security threats—those posed by genetic and other biological data.
Emerging threats
Mr. You says one possible situation he can imagine is the potential for nefarious actors to use an individual's sensitive medical information to extort or blackmail that person.
"If a foreign source, especially a criminal one, has your biological information, then they might have some particular insights into what your future medical needs might be and exploit that," he says. For instance, "what happens if you have a singular medical condition and an outside entity says they have a treatment for your condition?" You could get talked into paying a huge sum of money for a treatment that ends up being bogus.
Or what if hackers got a hold of a politician or high-profile CEO's health records? Say that person had a disease-causing genetic mutation that could affect their ability to carry out their job in the future and hackers threatened to expose that information. These scenarios may seem far-fetched, but Mr. You thinks they're becoming increasingly plausible.
On a wider scale, Kavita Berger, a scientist at Gryphon Scientific, a Washington, D.C.-area life sciences consulting firm, worries that data from different populations could be used to discriminate against certain groups of people, like minorities and immigrants.
For instance, the advocacy group Human Rights Watch in 2017 flagged a concerning trend in China's Xinjiang territory, a region with a history of government repression. Police there had purchased 12 DNA sequencers and were collecting and cataloging DNA samples from people to build a national database.
"The concern is that this particular province has a huge population of the Muslim minority in China," Ms. Berger says. "Now they have a really huge database of genetic sequences. You have to ask, why does a police station need 12 next-generation sequencers?"
Also alarming is the potential that large amounts of data from different groups of people could lead to customized bioweapons if that data ends up in the wrong hands.
Eleonore Pauwels, a research fellow on emerging cybertechnologies at United Nations University's Centre for Policy Research, says new insights gained from genomic and other data will give scientists a better understanding of how diseases occur and why certain people are more susceptible to certain diseases.
"As you get more and more knowledge about the genomic picture and how the microbiome and the immune system of different populations function, you could get a much deeper understanding about how you could target different populations for treatment but also how you could eventually target them with different forms of bioagents," Ms. Pauwels says.
Economic competitiveness
Another reason hackers might want to gain access to large genomic and other healthcare datasets is to give their country a leg up economically. Many large cyber-attacks on U.S. healthcare organizations have been tied to Chinese hacking groups.
"This is a biological space race and we just haven't woken up to the fact that we're in this race."
"It's becoming clear that China is increasingly interested in getting access to massive data sets that come from different countries," Ms. Pauwels says.
A year after U.S. President Barack Obama conceived of the Precision Medicine Initiative in 2015—later renamed All of Us—China followed suit, announcing the launch of a 15-year, $9 billion precision health effort aimed at turning China into a global leader in genomics.
Chinese genomics companies, too, are expanding their reach outside of Asia. One company, WuXi NextCODE, which has offices in Shanghai, Reykjavik, and Cambridge, Massachusetts, has built an extensive library of genomes from the U.S., China and Iceland, and is now setting its sights on Ireland.
Another Chinese company, BGI, has partnered with Children's Hospital of Philadelphia and Sinai Health System in Toronto, and also formed a collaboration with the Smithsonian Institute to sequence all species on the planet. BGI has built its own advanced genomic sequencing machines to compete with U.S.-based Illumina.
Mr. You says having access to all this data could lead to major breakthroughs in healthcare, such as new blockbuster drugs. "Whoever has the largest, most diverse dataset is truly going to win the day and come up with something very profitable," he says.
Some direct-to-consumer genetic testing companies with offices in the U.S., like Dante Labs, also use BGI to process customers' DNA.
Experts worry that China could race ahead the U.S. in precision medicine because of Chinese laws governing data sharing. Currently, China prohibits the exportation of genetic data without explicit permission from the government. Mr. You says this creates an asymmetry in data sharing between the U.S. and China.
"This is a biological space race and we just haven't woken up to the fact that we're in this race," he said in January at an American Society for Microbiology conference in Washington, D.C. "We don't have access to their data. There is absolutely no reciprocity."
Protecting your data
While Mr. You has been stressing the importance of data security to anyone who will listen, the National Academies of Sciences, Engineering, and Medicine, which makes scientific and policy recommendations on issues of national importance, has commissioned a study on "safeguarding the bioeconomy."
In the meantime, Ms. Berger says organizations that deal with people's health data should assess their security risks and identify potential vulnerabilities in their systems.
As for what individuals can do to protect themselves, she urges people to think about the different ways they're sharing healthcare data—such as via mobile health apps and wearables.
"Ask yourself, what's the benefit of sharing this? What are the potential consequences of sharing this?" she says.
Mr. You also cautions people to think twice before taking consumer DNA tests. They may seem harmless, he says, but at the end of the day, most people don't know where their genetic information is going. "If your genetic sequence is taken, once it's gone, it's gone. There's nothing you can do about it."
Podcast: The Friday Five - your health research roundup
The Friday Five is a new podcast series in which Leaps.org covers five breakthroughs in research over the previous week that you may have missed. There are plenty of controversies and ethical issues in science – and we get into many of them in our online magazine – but there’s also plenty to be excited about, and this news roundup is focused on inspiring scientific work to give you some momentum headed into the weekend.
Covered in this week's Friday Five:
- Puffer fish chemical for treating chronic pain
- Sleep study on the health benefits of waking up multiples times per night
- Best exercise regimens for reducing the risk of mortality aka living longer
- AI breakthrough in mapping protein structures with DeepMind
- Ultrasound stickers to see inside your body
CandyCodes could provide sweet justice against fake pills
When we swallow a pill, we hope it will work without side effects. Few of us know to worry about a growing issue facing the pharmaceutical industry: counterfeit medications. These pills, patches, and other medical products might look just like the real thing. But they’re often stuffed with fillers that dilute the medication’s potency or they’re simply substituted for lookalikes that contain none of the prescribed medication at all.
Now, bioengineer William Grover at the University of California, Riverside, may have a solution. Inspired by the tiny, multi-colored sprinkles called nonpareils that decorate baked goods and candies, Grover created CandyCodes pill coatings to prevent counterfeits.
The idea was borne out of pandemic boredom. Confined to his home, Grover was struck by the patterns of nonpareils he saw on candies, and found himself counting the number of little balls on each one. “It’s random, how they’re applied,” he says. “I wondered if it ever repeats itself or if each of these candies is unique in the entire world.” He suspected the latter, and some quick math proved his hypothesis: Given dozens of nonpareils per candy in a handful of different colors, it’s highly unlikely that the sprinklings on any two candies would be identical.
He quickly realized his finding could have practical applications: pills or capsules could be coated with similar “sprinkles,” with the manufacturer photographing each pill or capsule before selling its products. Consumers looking to weed out fakes could potentially take a photo with their cell phones and go online to compare images of their own pills to the manufacturer’s database, with the help of an algorithm that would determine their authenticity. Or, a computer could generate another type of unique identifier, such as a text-based code, tracking to the color and location of the sprinkles. This would allow for a speedier validation than a photo-based comparison, Grover says. “It could be done very quickly, in a fraction of a second.”
Researchers and manufacturers have already developed some anti-counterfeit tools, including built-in identifiers like edible papers with scannable QR codes. But such methods, while functional, can be costly to implement, Grover says.
It wouldn’t be paranoid to take such precautions. Counterfeits are a growing problem, according to Young Kim, a biomedical engineer at Purdue University who was not involved in the CandyCodes study. “There are approximately 40,000 online pharmacies that one can access via the Internet,” he says. “Only three to four percent of them are operated legally.” Purchases from online pharmacies rose dramatically during the pandemic, and Kim expects a boom in counterfeit medical products alongside it.
The FDA warns that U.S. consumers can be exposed to counterfeits through online purchases, in particular. The problem is magnified in low- to middle-income nations, where one in 10 medical products are counterfeit, according to a World Health Organization estimate. Cost doesn’t seem to be a factor, either; antimalarials and antibiotics are most often reported as counterfeits or fakes, and generic medications are swapped as often as brand-name drugs, according to the same WHO report.
Counterfeits weren’t tracked globally until 2013; since then, there have been 1,500 reports to the WHO, with actual incidences of counterfeiting likely much higher. Fake medicines have been estimated to result in costs of $200 billion each year, and are blamed for more than 72,000 pneumonia- and 116,000 malaria-related deaths.
Researchers and manufacturers have already developed some anti-counterfeit tools, including built-in identifiers like edible papers with scannable QR codes or barcodes that are stamped onto or otherwise incorporated into pills and other medical products. But such methods, while functional, can be costly to implement, Grover says.
CandyCodes could provide unique identifiers for at least 41 million pills for every person on the planet.
William Grover
“Putting universal codes on each pill and each dosage is attractive,” he says. “The challenge is, how can we do it in a way that requires as little modification to the existing manufacturing process as possible? That's where I hope CandyCodes have an edge. It's not zero modification, but I hope it is as minor a modification of the manufacturing process as possible.”
Kim calls the concept “a clever idea to introduce entropy for high-level security” even if it may not be as close to market as other emerging technologies, including some edible watermarks he’s helped develop. He points out that CandyCodes still needs to be tested for reproducibility and readability.
The possibilities are already intriguing, though. Grover’s recent research, published in Scientific Reports, predicts that unique codes could be used for at least 41 million pills for every person on the planet.
Sadly, CandyCodes’ multicolored bits probably won’t taste like candy. They must be made of non-caloric ingredients to meet the international regulatory standards that govern food dyes and colorants. But Grover hopes CandyCodes represent a simple, accessible solution to a heart-wrenching issue. “This feels like trying to track down and go after bad guys,” he says. “Someone who would pass off a medicine intended for a child or a sick person and pass it off as something effective, I can't imagine anything much more evil than that. It's fun and, and a little fulfilling to try to develop technologies that chip away at that.”