Genetic Information Security 101: Safeguarding the Future
genetic-info-safeguarding-tsaaro-event

Importance of Genetic Information Security:

Genetic information is being generated at an increasingly rapid pace, offering advances in science and medicine that are paralleled only by the threats and risk present within the responsible systems. Human genetic information is identifiable and contains sensitive information, but security genetic information is only recently gaining attention. Extensive development of laboratory security is required to realize the potential of this emerging field while protecting the bioeconomy and all of its stakeholders.

Security concerns relating to DNA:

Human genetic data contains a wealth of sensitive information. It can be used to identify an individual and predict their physical characteristics. Sensitive genetic data of humans and other entities and their respective systems must be secured to prevent private to global risks.

Genetic Information – Security breaches:

Security incidents surrounding genetic information systems are increasing rapidly. The most common reasons have been misconfigurations in cloud security settings, email phishing attacks, and the compromise of connected third-party systems. As a result, these groups may face legal action, penalties, reputational loss, and many other risks and consequences.

Genetic Information: Data Protection

Genetic information, which includes both biological material and digital genetic data, is the primary asset of concern, and associated assets, such as metadata (metadata is “data that provides information about other data”, but not the content of the data), electronic health records and intellectual property, are also vulnerable within these systems. Genetic information systems are distributed cyber-physical systems containing numerous stakeholders, personnel, and devices with extensive computing and networking capabilities. Software, hardware, and many other components introduce attack vectors that can be used to compromise these systems, including through purposefully adversarial activity and human error.

Basic security features and tools, such as antivirus software, are usually recommended with little support given, and they can also easily be subverted. Advanced and comprehensive controls and policies are not commonly implemented. On-premises or adjacent network attacks could lead to certain devices, stakeholders, and individuals being affected, while supply chain and remote attacks could lead to global-scale impact. Depending on the type and scale of a threat or exploit, hundreds to millions of people’s data could be compromised.

Conclusion:

Securing genetic information is a major challenge in this rapidly evolving ecosystem. Adequate national regulations are needed for security and privacy enforcement, incentivization, and liability, but legal protection is dictated by regulators’ responses and timelines. However, data originators, controllers, and processors can take immediate action to protect their data.

Genetic information security is a shared responsibility between sequencing laboratories and device vendors, as well as all other involved stakeholders. To protect genetic information, laboratories, and other data processors need to create strong organizational policies and reinvestments towards their physical and cyber infrastructure.

They also need to determine the sensitivity of their data and material and take necessary precautions to safeguard sensitive genetic information. Data controllers, especially healthcare providers and DTC companies, should reevaluate how their genetic data is generated and processed, with special consideration for the identifiability of human genetic data. Device vendors need to consider security when their products are being designed, implemented, and maintained throughout their lifecycles.

Major Privacy Updates of the Week

Oregon and Louisiana Departments' motor vehicles’ data compromised:

The US states of Oregon and Louisiana said that their departments of motor vehicles were compromised as part of the MOVEit software vulnerability that has been wreaking havoc in recent weeks. Louisiana’s OMV (Office of Motor Vehicles) said that at least six million records, including driver’s license information, were stolen.

The state was quick to point out that the crooks did not breach its internal systems but rather those of MOVEit, the third-party software provider that the OMV used to share files. It’s made it difficult to gauge the full extent of the damage in this incident, but the OMV believes that all Louisianans with a state-issued driver’s license, ID or car registration may have had personal data exposed. Read More

genworth-tsaaro (1)

Genworth Financial Caught up in a Data Breach:

Genworth Financial was another organisation caught up in the MOVEit breach, with at least 2.5 million records exposed in the attack.

The US-based organisation, which provides life insurance services, said that it was notified about the breach on 16 June 2023 and subsequently verified that customers’ personal data was stolen. The exposed information includes names, dates of birth, Social Security numbers, physical addresses and policy numbers. Read More

mcnadental-tsaaro

MCNA Insurance Faces Cyber Attack:

MCNA Insurance, also known as MCNA Dental, was caught up in a cyber hacking incident in May 2023, in which 112 covered entities were affected.

According to the organisation’s disclosure- the specific types of information compromised in the attack varied by individual. However, it included patients’ first and last names, physical addresses, dates of birth, phone numbers, email addresses, Social Security numbers, driver’s license numbers and other government-issued IDs.

In addition, the attackers stole health insurance data (including plan information, insurance provider, member number, and Medicaid-Medicare ID numbers), information about treatment that patients had received, the bills they had been given and insurance claims. Read More

tsmc-tsaaro

Taiwan Semiconductor Manufacturing Company Faces Ransomware Attack:

The LockBit ransomware gang is demanding US$70 million from the Taiwan Semiconductor Manufacturing Company. The company has confirmed there was a cyber incident but not one it suffered directly.

An attack at one of the company’s IT hardware suppliers, Kinmax Technology, led to the leak of what Taiwan Semiconductor said was “information pertinent to server initial setup and configuration.” The incident has not affected Taiwan Semiconductor’s business operations or compromised any customer information, the company said. Read More

cambian-tsaaro

Cambian Data Breach:

Cambian Group, which is one of the largest children’s social care providers in the UK, discovered “unauthorised activity” on its computer systems. Data stolen in this hack has been found on the dark web, and months after the hack, this data was still for sale online.

Vulnerable individuals are at risk – including foster children and highly sensitive information, including current home addresses, has been found online. Some victims have experienced fraudulent transactions and had to change their payment cards and secure their bank accounts. Read More

Curated by: Prajwala D Dinesh, Ritwik Tiwari, Ayush Sahay

WEEKLY PRIVACY NEWSLETTER

Keep up to pace with this high-impact weekly privacy newsletter that
features significant data privacy updates, trends, and tools that can
help to make your life secure & easier every day!

*By clicking on subscribe, I agree to receive communications from Tsaaro