On December 20, 2023, the National Institute of Standards and Technology (“NIST”) National Cybersecurity Center of Excellence (“NCCoE”) published its Cybersecurity of Genomic Data report (the “Report”).  The Report aims to assist organizations in protecting against misuse of genomic data and enabling secure collaborative innovations.  Note, however, that the Report is not authoritative with respect to its assessment of the treatment of genomic data under the current U.S. regulatory framework, including with respect to the identifiability of such information.

Genomic data—which comprises information on deoxyribonucleic acid (“DNA”) sequences, variants and gene activity—is heavily relied upon by researchers, government and private industry to decipher how differences in DNA sequences affect health.  This type of data is highly sensitive in nature, and there is debate as to whether and how it can be truly deidentified.  However, current risk management guidance does not adequately capture the unique cybersecurity and privacy concerns regarding the use of genomic data, particularly with respect to balancing access restrictions with the need to share such data.  Accordingly, the Report highlights the specific privacy and cybersecurity concerns associated with the use of genomic data and, based on input from genomic stakeholders from industry, government and academia, identifies significant gaps in current policy, regulations, legislation, and guidance, as well as technology, for protecting genomic data.  The Report concludes by proposing potential solutions to identified gaps and areas for further research.

The field of genomic data science has grown rapidly, resulting in the increased generation and sharing of genomic data for research, often through “big data” collaborations that involve researchers from multiple institutions and countries.  According to the NIH National Human Genome Research Institute, approximately 2 to 40 billion gigabytes (2 to 40 exabytes) of genomic data are generated each year from millions of people globally.  As reflected in the 2022 Executive Order on Advancing Biotechnology and Biomanufacturing Innovation for a Sustainable, Safe, and Secure American Bioeconomy, awareness has also emerged of risks to the economy, the biotechnology industry, individuals and U.S. national security resulting from privacy or cybersecurity incidents targeting genomic data.

Specifically, the Report notes certain privacy risks for individuals inherent in the use of genomic data, including “enabling intimidation for financial gain, discrimination based on disease risk, revelation of hidden consanguinity or phenotypes including health, emotional stability, mental capacity, appearance, and physical abilities.”  In addition, the Report explains that using a patient’s genomic data for health care purposes may implicate certain concerns, including “portability, chain-of-custody, reinterpretation of genomic data, and consent management,” as well as harm resulting from theft or sabotage of the analytical processes or systems that govern the creation of precision medicine.

The Report states that current privacy and cybersecurity risk management guidance does not address the risks inherent in the use of genomic data.  Moreover, the Report describes the following significant gaps in current guidance, as identified by bioeconomy stakeholders during various 2022 NCCoE-hosted workshops and through subsequent research:

  • Practices across the lifecycle concerning genomic data generation;
  • Safe and responsible sharing of genomic data;
  • Monitoring the systems processing genomic data;
  • Lack of specific guidance documents addressing the unique needs of genomic data processors; and
  • Regulatory/policy gaps with respect to national security and privacy threats in the collection, storage, sharing, and aggregation of human genomic data.

Accordingly, to bolster the privacy and security of genomic data, the Report proposes the following:

  • Existing guidance, such as the NIST Risk Management Framework (RMF), Cybersecurity Framework and Privacy Framework, must be tailored to include specific and appropriate protections for genomic data;
  • The NIST Privacy Framework Profile for Genomic Data, which is scheduled to be published in 2024, could clarify how to manage privacy risks associated with the aggregation, storage and processing of genomic data;
  • The Manufacturer Usage Description (MUD, RFC 8520) specification, under which a device manufacturer publishes the network communications its device needs so that the network can block everything else, could improve sequencer security and reduce the likelihood of ransomware attacks as well as intellectual property or privacy loss from data exfiltration;
  • Demonstration projects should be created to illustrate how to leverage secure cloud-based solutions to protect genomic data consistent with the NIST RMF, and how the use of federated homomorphic encryption could reduce the risk of loss of confidentiality or integrity caused by sharing genomic data; and
  • Security guidelines or benchmarks for genomic sequencers could provide best cybersecurity practices, including with respect to improving supply chain security and cyber resiliency against future threats. 
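As an added illustration of the MUD proposal in the list above (this is example code written for this summary, not material from the Report or from any sequencer vendor), the following builds a minimal RFC 8520 MUD file for a hypothetical benchtop sequencer and applies it the way a MUD-aware network controller would. Every host name, URL and port in it is invented for the example: the sequencer is allowed to initiate TLS connections only to the lab's results server and the vendor's update host, and only the lab's instrument-management host may initiate a session to the sequencer; all other flows, including an upload to an arbitrary internet host, are dropped.

```python
"""Hypothetical MUD (RFC 8520) file for a sequencer, plus a deny-by-default
evaluator.  All names, URLs and ports below are invented for this example."""
import json


def _tcp_ace(name, dns_key, dns_name, direction, port):
    """Build one ACE: TCP (protocol 6) to/from a DNS-named peer on one port."""
    return {
        "name": name,
        "matches": {
            "ipv4": {dns_key: dns_name, "protocol": 6},
            "tcp": {
                "ietf-mud:direction-initiated": direction,
                "destination-port": {"operator": "eq", "port": port},
            },
        },
        "actions": {"forwarding": "accept"},
    }


SEQUENCER_MUD = {
    "ietf-mud:mud": {
        "mud-version": 1,
        # hypothetical URL the sequencer would emit (DHCP/LLDP/802.1X) to point
        # the network at this file
        "mud-url": "https://mud.sequencer-vendor.example/seq-9000.json",
        "last-update": "2024-01-15T09:00:00+00:00",
        "cache-validity": 48,
        "is-supported": True,
        "systeminfo": "Hypothetical SEQ-9000 benchtop sequencer",
        "from-device-policy": {"access-lists": {"access-list": [{"name": "seq9000-from"}]}},
        "to-device-policy": {"access-lists": {"access-list": [{"name": "seq9000-to"}]}},
    },
    "ietf-access-control-list:acls": {"acl": [
        {"name": "seq9000-from", "type": "ipv4-acl-type", "aces": {"ace": [
            # run data goes only to the lab's results server, TLS only
            _tcp_ace("results-upload", "ietf-acldns:dst-dnsname",
                     "results.lab.example", "from-device", 443),
            # firmware and kit definitions come only from the vendor
            _tcp_ace("vendor-update", "ietf-acldns:dst-dnsname",
                     "updates.sequencer-vendor.example", "from-device", 443),
        ]}},
        {"name": "seq9000-to", "type": "ipv4-acl-type", "aces": {"ace": [
            # only the instrument-management host may open SSH to the sequencer
            _tcp_ace("mgmt-inbound", "ietf-acldns:src-dnsname",
                     "instrument-mgmt.lab.example", "to-device", 22),
        ]}},
    ]},
}


def mud_file_json():
    """The document a vendor would publish at the mud-url (and sign per RFC 8520)."""
    return json.dumps(SEQUENCER_MUD, indent=2)


def _acl(mud, name):
    for acl in mud["ietf-access-control-list:acls"]["acl"]:
        if acl["name"] == name:
            return acl
    raise KeyError(name)


def _ace_matches(ace, direction, peer, proto, port):
    m = ace["matches"]
    l3 = m.get("ipv4") or m.get("ipv6") or {}
    if l3.get("protocol") not in (None, proto):
        return False
    key = "ietf-acldns:dst-dnsname" if direction == "from-device" else "ietf-acldns:src-dnsname"
    if l3.get(key) is not None and l3[key] != peer:
        return False
    l4 = m.get("tcp") if proto == 6 else m.get("udp")
    if l4:
        if l4.get("ietf-mud:direction-initiated", direction) != direction:
            return False
        dp = l4.get("destination-port")
        if dp and not (dp["operator"] == "eq" and dp["port"] == port):
            return False
    return True


def decide(mud, direction, peer, proto, port):
    """Return 'accept' or 'drop' for one flow.  direction is 'from-device' (the
    sequencer initiates) or 'to-device' (the peer initiates); peer is the other
    endpoint's DNS name; proto is the IP protocol number; port is the server
    port.  MUD semantics: only flows some ACE accepts are allowed; all else drops."""
    policy = "from-device-policy" if direction == "from-device" else "to-device-policy"
    for entry in mud["ietf-mud:mud"][policy]["access-lists"]["access-list"]:
        for ace in _acl(mud, entry["name"])["aces"]["ace"]:
            if _ace_matches(ace, direction, peer, proto, port):
                return ace["actions"]["forwarding"]
    return "drop"


if __name__ == "__main__":
    print(mud_file_json())
    for flow in [("from-device", "results.lab.example", 6, 443),
                 ("from-device", "pastebin.example", 6, 443),
                 ("to-device", "workstation-17.lab.example", 6, 22)]:
        print(flow, "->", decide(SEQUENCER_MUD, *flow))
```

The point of the example is the default: the evaluator never consults a "deny" rule, because a MUD policy is an allow-list, so an exfiltration attempt to a host the manufacturer never declared, a plaintext upload on port 80, or an SSH attempt from an ordinary workstation all fall through to `drop`. In a real deployment the controller would also verify the signature on the MUD file and resolve the DNS names to addresses when installing the rules.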

Lastly, the Report identifies the following areas of future research:

  • Methods for securely integrating genomic data with a patient’s electronic health record while maintaining patient privacy and allowing for interoperability;
  • Improving the precision of vulnerability scanners for software containers; and
  • Technical solutions to solve the containment problem in genomic data for analysis methods not currently addressed by federated multi-party homomorphic encryption.

Given the strong recommendations set forth in the Report, stakeholders in this space should stay abreast of potential developments regarding the privacy and cybersecurity measures necessary to safeguard genomic data.