Difference between revisions of "Journal:National and transnational security implications of asymmetric access to and use of biological data"

From LIMSWiki
(Saving and adding more.)
(Saving and adding more.)
Line 35: Line 35:


The interconnectedness between the digital and biological worlds can be exploited by state actors, malicious nonstate actors, and hackers through a variety of means, resulting in harmful consequences from potential theft of information, promulgation of incorrect information, and/or disruption of activities.<ref name="LordTheReal17">{{cite web |url=https://www.forbes.com/sites/forbestechcouncil/2017/12/15/the-real-threat-of-identity-theft-is-in-your-medical-records-not-credit-cards/#445711491b59 |title=The Real Threat Of Identity Theft Is In Your Medical Records, Not Credit Cards |author=Lord, R.; Forbes Technology Council |work=Forbes |date=15 December 2017}}</ref><ref name="SouzaLessons18">{{cite journal |title=Lessons for Pharma from the Merck Cyber Attack |journal=PharmExec.com |author=Souza, C. |volume=38 |issue=12 |date=10 December 2018 |url=http://www.pharmexec.com/lessons-pharma-merck-cyber-attack |accessdate=21 January 2019}}</ref><ref name="WardISIS18">{{cite web |url=https://www.rand.org/blog/2018/12/isiss-use-of-social-media-still-poses-a-threat-to-stability.html |title=SIS's Use of Social Media Still Poses a Threat to Stability in the Middle East and Africa |author=Ward, A. |work=The RAND Blog |date=11 December 2018 |accessdate=21 January 2019}}</ref> For example, theft of proprietary information from a pharmaceutical or biotechnology company may reveal trade secrets and allow competitors to develop superior products and/or bring existing products to market more quickly<ref name="FriedmanCyber13">{{cite web |url=https://www.brookings.edu/research/cyber-theft-of-competitive-data-asking-the-right-questions/ |title=Cyber Theft of Competitive Data: Asking the Right Questions |author=Friedman, A.A. |work=Brookings |publisher=The Brookings Institution |date=25 September 2013}}</ref>, stifling innovation in the global commercial market and allowing adversaries to create harmful, untested therapies. 
Another example is theft of hundreds of millions of [[Electronic health record|electronic healthcare records]], the uses of which are not clear.<ref name="BogleHeath18">{{cite web |url=https://www.abc.net.au/news/science/2018-04-18/healthcare-target-for-hackers-experts-warn/9663304 |title=Healthcare data a growing target for hackers, cybersecurity experts warn |author=Bogle, A. |work=ABC.net.au |date=07 June 2018 |accessdate=23 November 2018}}</ref><ref name="CohenMassive18">{{cite web |url=https://www.sciencemag.org/news/2018/03/massive-cyber-hack-iran-allegedly-stole-research-320-universities-governments-and |title=Massive cyberhack by Iran allegedly stole research from 320 universities, governments, and companies |author=Cohen, J. |work=Science |date=23 March 2018 |doi=10.1126/science.aat6849}}</ref><ref name="HITTheBig18">{{cite web |url=https://www.healthcareitnews.com/projects/biggest-healthcare-data-breaches-2018-so-far |title=The biggest healthcare data breaches of 2018 (so far) |author=Healthcare IT News Staff |work=Healthcare IT News |date=2018 |accessdate=23 November 2018}}</ref><ref name="HuangChina18">{{cite web |url=https://www.defenseone.com/threats/2018/10/china-secretly-enrolling-military-scientists-western-universities/152383/ |title=China Is Secretly Enrolling Military Scientists in Western Universities |work=Defense One |author=Huang, E.; Steger, I. |date=29 October 2018 |accessdate=23 November 2018}}</ref><ref name="KeownSecond18">{{cite web |url=https://www.biospace.com/article/-jc1n-second-scientist-pleads-guilty-to-stealing-glaxosmithkline-trade-secrets/ |title=Second Scientist Pleads Guilty to Stealing GlaxoSmithKline Trade Secrets |author=Keown, A. 
|work=BioSpace |date=18 September 2018 |accessdate=23 November 2018}}</ref> Although unauthorized access to protected data may be aided by technical vulnerabilities in networked computer systems, poor security practices, insider threats in academia, industry, and health facilities, and legal business dealings also can enable adversary access to such data.<ref name="LynchBio17">{{cite web |url=https://www.ft.com/content/245a7c60-6880-11e7-9a66-93fb352ba1fe |title=Biotechnology: the US-China Dispute over Genentic Data |author=Lynch, D.J. |work=Financial Times |date=2017 |accessdate=23 November 2018}}</ref><ref name="RappeportInNew18">{{cite web |url=https://www.nytimes.com/2018/10/10/business/us-china-investment-cfius.html |title=In New Slap at China, U.S. Expands Power to Block Foreign Investments |author=Rappeport, A. |work=The New York Times |date=10 October 2018 |accessdate=23 November 2018}}</ref><ref name="BloombergChinese18">{{cite web |url=https://www.scmp.com/business/global-economy/article/2142351/chinese-funds-pour-us14b-us-biotechnology-firms-first-three |title=Chinese funds pour US$1.4b into US biotechnology firms in the first three months of the year |author=Bloomberg News |work=South China Morning Post |date=19 April 2018 |accessdate=23 November 2018}}</ref><ref name="RespautAsChina18">{{cite web |url=https://www.reuters.com/article/us-biotech-china-investment/as-china-builds-biotech-sector-cash-floods-u-s-startups-idUSKCN1M400G |title=As China builds biotech sector, cash floods U.S. startups |author=Respaut, R.; Zhu, J. 
|work=Reuters |date=23 September 2018 |accessdate=23 November 2018}}</ref> For examples, more than half of all data breaches at healthcare facilities are caused by healthcare personnel errors, a quarter of which resulted in unauthorized access to or disclosure of patient records through sharing of unencrypted information, sending information to the wrong patients, and accessing the data without authorization.<ref name="BaiHospital17">{{cite journal |title=Hospital risk of data breaches |journal=JAMA Internal Medicine |author=Bai, G.; Jiang, J.X.; Flasher, R. |volume=1777 |issue=6 |pages=878-880 |year=2017 |doi=10.1001/jamainternmed.2017.0336 |pmid=28384777 |pmc=PMC5818824}}</ref><ref name="MSUHealthcare18">{{cite web |url=https://eurekalert.org/pub_releases/2018-11/msu-hp-111618.php |title=Healthcare providers -- not hackers -- leak more of your data |author=Michigan State University |work=EurekAlert! |date=19 November 2018 |accessdate=23 November 2019}}</ref> In addition, the Federal Bureau of Investigation (FBI) has raised national security concerns about foreign access to genomic data of U.S. citizens through legitimate scientific collaboration, funding of scientific research, investment in genomic sequencing companies (e.g., China-based WuXi Healthcare Ventures investment in the U.S.-based 23andMe<ref name="BSWuXi15">{{cite web |url=https://www.biospace.com/article/releases/-b-wuxi-healthcare-b-invests-in-us-genomics-testmaker-23andme-/ |title=WuXi Healthcare Invests In US Genomics Testmaker 23andMe |author=BioSpace |work=BioSpace |date=21 October 2015}}</ref><ref name="MuiChina16">{{cite web |url=https://www.washingtonpost.com/news/wonk/wp/2016/12/30/chinas-9-billion-effort-to-beat-the-u-s-in-genetic-testing/?noredirect=on&utm_term=.8586cdbf28b8 |title=China’s $9 billion effort to beat the U.S. in genetic testing |author=Mui, Y.Q. 
|work=The Washington Post |date=30 December 2016}}</ref>), and purchase of companies (e.g., Complete Genomics).<ref name="BakerChina12">{{cite journal |title=China buys U.S. sequencing firm |journal=Nature |author=Baker, M. |volume=489 |issue=7417 |pages=485–6 |year=2012 |doi=10.1038/489485a |pmid=23018943}}</ref><ref name="GWComplete12">{{cite web |url=https://www.genomeweb.com/clinical-sequencing/complete-genomics-bgi-agree-1176m-merger#.XEqIOFxKiUl |title=Complete Genomics, BGI Agree to $117.6M Merger |author=Genome Web Staff Reporter |work=Genome Web |date=17 September 2012 |accessdate=24 January 2019}}</ref> As vulnerabilities are created through scientific advances, such as the use of machine learning algorithms to trick fingerprint authentication systems, new risks are identified.<ref name="BontragerDeep18">{{cite web |url=https://arxiv.org/abs/1705.07386 |title=DeepMasterPrints: Generating MasterPrints for Dictionary Attacks via Latent Variable Evolution |author=Bontrager, P.; Roy, A.; Togelius, J. et al. |work=arXiv.org |date=18 October 2018}}</ref><ref name="NYUTandonMachine18">{{cite web |url=https://www.prnewswire.com/news-releases/machine-learning-masters-the-fingerprint-to-fool-biometric-systems-300753375.html |title=Machine Learning Masters the Fingerprint to Fool Biometric Systems |author=NYU Tandon School of Engineering |work=PR Newswire |date=20 November 2018}}</ref> Some of these concerns have resulted in the passage of the 2018 Foreign Investment Risk Review Modernization Act, which has initiated reform of the U.S. Government process for evaluating foreign investment in U.S. entities and export control of emerging technologies.<ref name="RappeportInNew18" /><ref name="USCongressForeign18">{{cite web |url=https://www.govtrack.us/congress/bills/115/s2098 |title=S. 2098 (115<sup>th</sup>): Foreign Investment Risk Review Modernization Act of 2018 |author=U.S. 
Congress |work=govtrack |date=2018}}</ref> Yet, these policy activities largely are reactive, rather than proactive.
The interconnectedness between the digital and biological worlds can be exploited by state actors, malicious nonstate actors, and hackers through a variety of means, resulting in harmful consequences from potential theft of information, promulgation of incorrect information, and/or disruption of activities.<ref name="LordTheReal17">{{cite web |url=https://www.forbes.com/sites/forbestechcouncil/2017/12/15/the-real-threat-of-identity-theft-is-in-your-medical-records-not-credit-cards/#445711491b59 |title=The Real Threat Of Identity Theft Is In Your Medical Records, Not Credit Cards |author=Lord, R.; Forbes Technology Council |work=Forbes |date=15 December 2017}}</ref><ref name="SouzaLessons18">{{cite journal |title=Lessons for Pharma from the Merck Cyber Attack |journal=PharmExec.com |author=Souza, C. |volume=38 |issue=12 |date=10 December 2018 |url=http://www.pharmexec.com/lessons-pharma-merck-cyber-attack |accessdate=21 January 2019}}</ref><ref name="WardISIS18">{{cite web |url=https://www.rand.org/blog/2018/12/isiss-use-of-social-media-still-poses-a-threat-to-stability.html |title=SIS's Use of Social Media Still Poses a Threat to Stability in the Middle East and Africa |author=Ward, A. |work=The RAND Blog |date=11 December 2018 |accessdate=21 January 2019}}</ref> For example, theft of proprietary information from a pharmaceutical or biotechnology company may reveal trade secrets and allow competitors to develop superior products and/or bring existing products to market more quickly<ref name="FriedmanCyber13">{{cite web |url=https://www.brookings.edu/research/cyber-theft-of-competitive-data-asking-the-right-questions/ |title=Cyber Theft of Competitive Data: Asking the Right Questions |author=Friedman, A.A. |work=Brookings |publisher=The Brookings Institution |date=25 September 2013}}</ref>, stifling innovation in the global commercial market and allowing adversaries to create harmful, untested therapies. 
Another example is theft of hundreds of millions of [[Electronic health record|electronic healthcare records]], the uses of which are not clear.<ref name="BogleHeath18">{{cite web |url=https://www.abc.net.au/news/science/2018-04-18/healthcare-target-for-hackers-experts-warn/9663304 |title=Healthcare data a growing target for hackers, cybersecurity experts warn |author=Bogle, A. |work=ABC.net.au |date=07 June 2018 |accessdate=23 November 2018}}</ref><ref name="CohenMassive18">{{cite web |url=https://www.sciencemag.org/news/2018/03/massive-cyber-hack-iran-allegedly-stole-research-320-universities-governments-and |title=Massive cyberhack by Iran allegedly stole research from 320 universities, governments, and companies |author=Cohen, J. |work=Science |date=23 March 2018 |doi=10.1126/science.aat6849}}</ref><ref name="HITTheBig18">{{cite web |url=https://www.healthcareitnews.com/projects/biggest-healthcare-data-breaches-2018-so-far |title=The biggest healthcare data breaches of 2018 (so far) |author=Healthcare IT News Staff |work=Healthcare IT News |date=2018 |accessdate=23 November 2018}}</ref><ref name="HuangChina18">{{cite web |url=https://www.defenseone.com/threats/2018/10/china-secretly-enrolling-military-scientists-western-universities/152383/ |title=China Is Secretly Enrolling Military Scientists in Western Universities |work=Defense One |author=Huang, E.; Steger, I. |date=29 October 2018 |accessdate=23 November 2018}}</ref><ref name="KeownSecond18">{{cite web |url=https://www.biospace.com/article/-jc1n-second-scientist-pleads-guilty-to-stealing-glaxosmithkline-trade-secrets/ |title=Second Scientist Pleads Guilty to Stealing GlaxoSmithKline Trade Secrets |author=Keown, A. 
|work=BioSpace |date=18 September 2018 |accessdate=23 November 2018}}</ref> Although unauthorized access to protected data may be aided by technical vulnerabilities in networked computer systems, poor security practices, insider threats in academia, industry, and health facilities, and legal business dealings also can enable adversary access to such data.<ref name="LynchBio17">{{cite web |url=https://www.ft.com/content/245a7c60-6880-11e7-9a66-93fb352ba1fe |title=Biotechnology: the US-China Dispute over Genentic Data |author=Lynch, D.J. |work=Financial Times |date=2017 |accessdate=23 November 2018}}</ref><ref name="RappeportInNew18">{{cite web |url=https://www.nytimes.com/2018/10/10/business/us-china-investment-cfius.html |title=In New Slap at China, U.S. Expands Power to Block Foreign Investments |author=Rappeport, A. |work=The New York Times |date=10 October 2018 |accessdate=23 November 2018}}</ref><ref name="BloombergChinese18">{{cite web |url=https://www.scmp.com/business/global-economy/article/2142351/chinese-funds-pour-us14b-us-biotechnology-firms-first-three |title=Chinese funds pour US$1.4b into US biotechnology firms in the first three months of the year |author=Bloomberg News |work=South China Morning Post |date=19 April 2018 |accessdate=23 November 2018}}</ref><ref name="RespautAsChina18">{{cite web |url=https://www.reuters.com/article/us-biotech-china-investment/as-china-builds-biotech-sector-cash-floods-u-s-startups-idUSKCN1M400G |title=As China builds biotech sector, cash floods U.S. startups |author=Respaut, R.; Zhu, J. 
|work=Reuters |date=23 September 2018 |accessdate=23 November 2018}}</ref> For examples, more than half of all data breaches at healthcare facilities are caused by healthcare personnel errors, a quarter of which resulted in unauthorized access to or disclosure of patient records through sharing of unencrypted information, sending information to the wrong patients, and accessing the data without authorization.<ref name="BaiHospital17">{{cite journal |title=Hospital risk of data breaches |journal=JAMA Internal Medicine |author=Bai, G.; Jiang, J.X.; Flasher, R. |volume=1777 |issue=6 |pages=878-880 |year=2017 |doi=10.1001/jamainternmed.2017.0336 |pmid=28384777 |pmc=PMC5818824}}</ref><ref name="MSUHealthcare18">{{cite web |url=https://eurekalert.org/pub_releases/2018-11/msu-hp-111618.php |title=Healthcare providers -- not hackers -- leak more of your data |author=Michigan State University |work=EurekAlert! |date=19 November 2018 |accessdate=23 November 2019}}</ref> In addition, the Federal Bureau of Investigation (FBI) has raised national security concerns about foreign access to genomic data of U.S. citizens through legitimate scientific collaboration, funding of scientific research, investment in genomic sequencing companies (e.g., China-based WuXi Healthcare Ventures investment in the U.S.-based 23andMe<ref name="BSWuXi15">{{cite web |url=https://www.biospace.com/article/releases/-b-wuxi-healthcare-b-invests-in-us-genomics-testmaker-23andme-/ |title=WuXi Healthcare Invests In US Genomics Testmaker 23andMe |author=BioSpace |work=BioSpace |date=21 October 2015}}</ref><ref name="MuiChina16">{{cite web |url=https://www.washingtonpost.com/news/wonk/wp/2016/12/30/chinas-9-billion-effort-to-beat-the-u-s-in-genetic-testing/?noredirect=on&utm_term=.8586cdbf28b8 |title=China’s $9 billion effort to beat the U.S. in genetic testing |author=Mui, Y.Q. 
|work=The Washington Post |date=30 December 2016}}</ref>), and purchase of companies (e.g., Complete Genomics).<ref name="BakerChina12">{{cite journal |title=China buys U.S. sequencing firm |journal=Nature |author=Baker, M. |volume=489 |issue=7417 |pages=485–6 |year=2012 |doi=10.1038/489485a |pmid=23018943}}</ref><ref name="GWComplete12">{{cite web |url=https://www.genomeweb.com/clinical-sequencing/complete-genomics-bgi-agree-1176m-merger#.XEqIOFxKiUl |title=Complete Genomics, BGI Agree to $117.6M Merger |author=Genome Web Staff Reporter |work=Genome Web |date=17 September 2012 |accessdate=24 January 2019}}</ref> As vulnerabilities are created through scientific advances, such as the use of machine learning algorithms to trick fingerprint authentication systems, new risks are identified.<ref name="BontragerDeep18">{{cite web |url=https://arxiv.org/abs/1705.07386 |title=DeepMasterPrints: Generating MasterPrints for Dictionary Attacks via Latent Variable Evolution |author=Bontrager, P.; Roy, A.; Togelius, J. et al. |work=arXiv.org |date=18 October 2018}}</ref><ref name="NYUTandonMachine18">{{cite web |url=https://www.prnewswire.com/news-releases/machine-learning-masters-the-fingerprint-to-fool-biometric-systems-300753375.html |title=Machine Learning Masters the Fingerprint to Fool Biometric Systems |author=NYU Tandon School of Engineering |work=PR Newswire |date=20 November 2018}}</ref> Some of these concerns have resulted in the passage of the 2018 Foreign Investment Risk Review Modernization Act, which has initiated reform of the U.S. Government process for evaluating foreign investment in U.S. entities and export control of emerging technologies.<ref name="RappeportInNew18" /><ref name="USCongressForeign18">{{cite web |url=https://www.govtrack.us/congress/bills/115/s2098 |title=S. 2098 (115<sup>th</sup>): Foreign Investment Risk Review Modernization Act of 2018 |author=U.S. 
Congress |work=govtrack |date=2018}}</ref> Yet, these policy activities largely are reactive, rather than proactive.
==Current approaches to protecting data==
Preventing accidental and deliberate risks typically involves the use of cyber and information security systems that include technological and behavioral solutions. Protection of laboratory control systems, computer networks, and databases often involves the use of technological solutions. However, some risks are addressed better through training of personnel to recognize and report phishing attempts, ensure sensitive information is [[Encryption|encrypted]], and prevent unauthorized individuals from gaining access to sensitive data, databases, and computer networks. To enhance security, policies for promulgating these practices for specific materials and information have been issued. For example, the U.S. Biological Select Agents and Toxins Regulations include guidance for network security to prevent failure of laboratories, equipment, and access controls to facilities and data.<ref name="CDCInformation17">{{cite web |url=https://www.selectagents.gov/isg-intro.html |title=Information Systems Security Control Guidance |work=Federal Select Agent Program |author=CDC, USDA |date=2017}}</ref> In addition, the U.S. has policies for protecting individual privacy, several of which were described in a 2014 report sponsored by the White House.<Ref name="BDPWGBigData15">{{cite web |url=https://obamawhitehouse.archives.gov/sites/default/files/docs/20150204_Big_Data_Seizing_Opportunities_Preserving_Values_Memo.pdf |format=PDF |title=Big Data: Seizing Opportunities, Preserving Values |author=Big Data and Privacy Working Group |publisher=U.S. Government |date=February 2015}}</ref> However, error, carelessness, or negligence by personnel can counteract the benefits afforded by security measures and may lead to devastating consequences if biological data and materials are involved.
Although policies for protecting biological data from cyberattack are limited, policies that govern data access and sharing are prevalent. These top-down, data access policies intend to protect individual rights and/or prevent sharing or distribution of data, including biological data. Examples of recent policies include: (a) the 2018 update of the European Union General Data Protection Regulation<ref name="EC2018Reform18">{{cite web |url=https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en |title=2018 reform of EU data protection rules |author=European Commission |date=2018}}</ref>, which strengthened the European Union's rules for protecting personal data of individuals, in part by giving its citizens “more control over their personal data”; (b) the 2018 Chinese Personal Information Security Specification, which is one system under the Chinese Cybersecurity law, involves the “collection, storage, use, sharing, transfer, and disclosure of personal information,” and enables companies operating in China to access data to “not hamper the development of fields like AI”<ref name="SacksChinas18">{{cite web |url=https://www.csis.org/analysis/chinas-emerging-data-privacy-system-and-gdpr |title=China’s Emerging Data Privacy System and GDPR |author=Sacks, S. |work=Center for Strategic & International Studies |date=09 March 2018||</ref>; (c) the 2018 General Data Protection Law in Brazil, which provides a framework for the use of personal data in Brazil<ref name="SoaresBrazil18">{{cite web |url=https://www.loc.gov/law/foreign-news/article/brazil-personal-data-protection-law-enacted/ |title=Brazil: Personal Data Protection Law Enacted |author=Soares, E. |work=Global Legal Monitor |date=28 August 2018}}</ref>; and (d) the U.S. 
[[Health Insurance Portability and Accountability Act]] of 1996 (HIPAA), which promotes the protection of privacy and security of patient health information in the United States.<ref name="HHSSummary13">{{cite web |url=https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html |title=Summary of the HIPAA Security Rule |author=U.S. Department of Health and Human Services |date=26 July 2013}}</ref> At the same time, the U.S. has issued policies governing data generation, access, and sharing to promote information-sharing and transparency of government-sponsored research.<ref name="VanNoordenWhite13">{{cite web |url=http://blogs.nature.com/news/2013/02/us-white-house-announces-open-access-policy.html |title=White House announces new US open-access policy |author=Van Noorden, R. |work=Nature NewsBlog |date=22 February 2013 |accessdate=23 November 2018}}</ref> Internationally, the Nagoya Protocol of the Convention on Biodiversity<ref name="CBDAbout">{{cite web |url=https://www.cbd.int/abs/about/ |title=About the Nagoya Protocol |work=Convention on Biological Diversity |author=United Nations Environment Programme}}</ref> promotes governance on access to and fair, equitable sharing of the benefits from the use of non-human biological data. However, questions exist about whether the Nagoya Protocol focuses more on biological samples that provide genetic information or the genetic information itself, which ultimately affects national-level efforts for codifying the international agreement.<ref name="dosSRibeiroThreats18">{{cite web |url=https://science.sciencemag.org/content/362/6413/404 |title=Threats to timely sharing of pathogen sequence data |author=dos S. Ribeiro, C.; Koopmans, M.P.; Haringhuizen, G.B. 
|work=Science |date=26 October 2018 |doi=10.1126/science.aau5229}}</ref> Despite these activities, protection of some data, such as personal health data, may not extend beyond a country's borders and may apply only to data collected by certain entities. Furthermore, data protection polices do not extend to information that already has been stolen. Taken together, these national, regional, and international level policies for data protection may not prevent the inappropriate or unauthorized acquisition of data to different actors, the consequences of which are unclear for biotechnology data.
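Review bot: In the added "Current approaches to protecting data" section, the SacksChinas18 citation ends with `|date=09 March 2018||` and the cite web template is never closed with its double closing braces, so the template runs into the closing ref tag and the reference will not render; replace the trailing `||` with the closing braces. In the same section the BDPWGBigData15 reference opens with a capitalised `Ref` tag while every other reference on the page uses lowercase, and the final paragraph reads "data protection polices" where "policies" is meant. The text also describes "a 2014 report sponsored by the White House" while the attached citation is dated February 2015, so it is worth confirming the citation points at the intended document.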




Line 41: Line 47:


==Notes==
==Notes==
This presentation is faithful to the original, with only a few minor changes to presentation, grammar, and punctuation. In some cases important information was missing from the references, and that information was added.  
This presentation is faithful to the original, with only a few minor changes to presentation, grammar, and punctuation. In some cases important information was missing from the references, and that information was added. The two footnotes in the original material were turned into inline references for this version.


<!--Place all category tags here-->
<!--Place all category tags here-->

Revision as of 23:48, 20 May 2019

Full article title: National and transnational security implications of asymmetric access to and use of biological data
Journal: Frontiers in Bioengineering and Biotechnology
Author(s): Berger, Kavita M.; Schneck, Phyllis A.
Author affiliation(s): Gryphon Scientific, LLC; Promontory Financial Group, an IBM Company
Primary contact: Email: kberger at gryphonscientific dot com
Editors: Murch, Randall S.
Year published: 2019
Volume and issue: 7
Page(s): 21
DOI: 10.3389/fbioe.2019.00021
ISSN: 2296-4185
Distribution license: Creative Commons Attribution 4.0 International
Website: https://www.frontiersin.org/articles/10.3389/fbioe.2019.00021/full
Download: https://www.frontiersin.org/articles/10.3389/fbioe.2019.00021/pdf (PDF)

Abstract

Biology and biotechnology have changed dramatically during the past 20 years, in part because of increases in computational capabilities and use of engineering principles to study biology. The advances in supercomputing, data storage capacity, and cloud platforms enable scientists throughout the world to generate, analyze, share, and store vast amounts of data, some of which are biological and much of which may be used to understand the human condition, agricultural systems, evolution, and environmental ecosystems. These advances and applications have enabled: (1) the emergence of data science, which involves the development of new algorithms to analyze and visualize data; and (2) the use of engineering approaches to manipulate or create new biological organisms that have specific functions, such as production of industrial chemical precursors and development of environmental bio-based sensors. Several biological sciences fields harness the capabilities of computer, data, and engineering sciences, including synthetic biology, precision medicine, precision agriculture, and systems biology. These advances and applications are not limited to one country. This capability has economic and physical consequences but is vulnerable to unauthorized intervention. Healthcare and genomic information of patients, information about pharmaceutical and biotechnology products in development, and results of scientific research have been stolen by state and non-state actors through infiltration of databases and computer systems containing this information. Countries have developed their own policies for governing data generation, access, and sharing with foreign entities, resulting in asymmetry of data sharing. This paper describes security implications of asymmetric access to and use of biological data.

Keywords: biotechnology, cybersecurity, information security, data vulnerability, biological data, biosecurity, data access, data protection

Introduction

Advances in computer science, engineering, and data science have changed research, development, and application of biology and biotechnology in the United States and internationally. Examples of changes include: (a) increased reliance on internet connectivity for research and laboratory operations[1][2][3]; (b) increased use of automation in life-science laboratories[4]; (c) application of the “design-build-test” paradigm to create new biological organisms[5][6]; (d) increased generation, analyses, and computational modeling of information about biological systems, cells, and molecules[7][8]; (e) treatment of organisms and DNA as materials rather than phenomena to study[9][10][11]; and (f) new funders such as venture capital, crowdfunding platforms, and foreign companies and governments.[12][13][14] These changes have transformed the scientific, agricultural, and health communities' ability to understand and manipulate the world around them. In addition, the changes have enabled an influx of new practitioners and problem-solvers into biology, providing opportunities for education and research all over the world.

Biotechnology harnesses the capabilities of computer, data, and engineering sciences to establish and advance new fields such as synthetic biology, precision medicine, precision agriculture, and systems biology. Cloud-based platforms and open-source, easy-to-use software enable scientists from anywhere in the world to use advanced data analytics in their studies. The software and hardware emerging from these fields improve our collective understanding of molecular and systems-level genetics, new drug therapies for longer and better quality of life, and design of novel and/or unnatural organisms. Critical to these pursuits is the sharing of research results and underlying data, without which societal decision-making about human, animal, plant, and environmental health cannot be realized fully. However, during the past two decades, concerns about data sharing have been raised, resulting in the issuance of international, regional, and national-level policies governing access to different types of data, including biological data. In addition, the platforms through which data are stored, transported, and analyzed may be vulnerable to unauthorized acquisition of information by malicious actors, which could lead to significant economic and physical harms to the health, safety, and security of a population. Although not considered “dual use life sciences research of concern,”[15][16] the potential for both benefit and risk to humanity meets the spirit of the dual use concept.[17] Given the significant benefits afforded by data sharing and analysis, this paper highlights current data protection policies, potential risks of data exploitation by malicious actors, and potential strategies to mitigate those risks and promote rapid recovery in biotechnology fields that are breached.

The interconnectedness between the digital and biological worlds can be exploited by state actors, malicious nonstate actors, and hackers through a variety of means, resulting in harmful consequences from potential theft of information, promulgation of incorrect information, and/or disruption of activities.[18][19][20] For example, theft of proprietary information from a pharmaceutical or biotechnology company may reveal trade secrets and allow competitors to develop superior products and/or bring existing products to market more quickly[21], stifling innovation in the global commercial market and allowing adversaries to create harmful, untested therapies. Another example is theft of hundreds of millions of electronic healthcare records, the uses of which are not clear.[22][23][24][25][26] Although unauthorized access to protected data may be aided by technical vulnerabilities in networked computer systems, poor security practices, insider threats in academia, industry, and health facilities, and legal business dealings also can enable adversary access to such data.[27][28][29][30] For example, more than half of all data breaches at healthcare facilities are caused by healthcare personnel errors, a quarter of which resulted in unauthorized access to or disclosure of patient records through sharing of unencrypted information, sending information to the wrong patients, and accessing the data without authorization.[31][32] In addition, the Federal Bureau of Investigation (FBI) has raised national security concerns about foreign access to genomic data of U.S. citizens through legitimate scientific collaboration, funding of scientific research, investment in genomic sequencing companies (e.g., China-based WuXi Healthcare Ventures investment in the U.S.-based 23andMe[33][34]), and purchase of companies (e.g., Complete Genomics).[35][36] As vulnerabilities are created through scientific advances, such as the use of machine learning algorithms to trick fingerprint authentication systems, new risks are identified.[37][38] Some of these concerns have resulted in the passage of the 2018 Foreign Investment Risk Review Modernization Act, which has initiated reform of the U.S. Government process for evaluating foreign investment in U.S. entities and export control of emerging technologies.[28][39] Yet, these policy activities largely are reactive, rather than proactive.

Current approaches to protecting data

Preventing accidental and deliberate risks typically involves the use of cyber and information security systems that include technological and behavioral solutions. Protection of laboratory control systems, computer networks, and databases often involves the use of technological solutions. However, some risks are addressed better through training of personnel to recognize and report phishing attempts, ensure sensitive information is encrypted, and prevent unauthorized individuals from gaining access to sensitive data, databases, and computer networks. To enhance security, policies for promulgating these practices for specific materials and information have been issued. For example, the U.S. Biological Select Agents and Toxins Regulations include guidance for network security to prevent failure of laboratories, equipment, and access controls to facilities and data.[40] In addition, the U.S. has policies for protecting individual privacy, several of which were described in a 2014 report sponsored by the White House.[41] However, error, carelessness, or negligence by personnel can counteract the benefits afforded by security measures and may lead to devastating consequences if biological data and materials are involved.

Although policies for protecting biological data from cyberattack are limited, policies that govern data access and sharing are prevalent. These top-down, data access policies intend to protect individual rights and/or prevent sharing or distribution of data, including biological data. Examples of recent policies include: (a) the 2018 update of the European Union General Data Protection Regulation[42], which strengthened the European Union's rules for protecting personal data of individuals, in part by giving its citizens “more control over their personal data”; (b) the 2018 Chinese Personal Information Security Specification, which is one system under the Chinese Cybersecurity law, involves the “collection, storage, use, sharing, transfer, and disclosure of personal information,” and enables companies operating in China to access data to “not hamper the development of fields like AI”[43]; (c) the 2018 General Data Protection Law in Brazil, which provides a framework for the use of personal data in Brazil[44]; and (d) the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA), which promotes the protection of privacy and security of patient health information in the United States.[45] At the same time, the U.S. has issued policies governing data generation, access, and sharing to promote information-sharing and transparency of government-sponsored research.[46] Internationally, the Nagoya Protocol of the Convention on Biodiversity[47] promotes governance on access to and fair, equitable sharing of the benefits from the use of non-human biological data. 
However, questions exist about whether the Nagoya Protocol focuses more on biological samples that provide genetic information or the genetic information itself, which ultimately affects national-level efforts for codifying the international agreement.[48] Despite these activities, protection of some data, such as personal health data, may not extend beyond a country's borders and may apply only to data collected by certain entities. Furthermore, data protection policies do not extend to information that already has been stolen. Taken together, these national, regional, and international level policies for data protection may not prevent the inappropriate or unauthorized acquisition of data by different actors, the consequences of which are unclear for biotechnology data.


References

  1. Accenture (2015). "The Future of Applications in Life Sciences" (PDF). Accenture. https://www.accenture.com/_acnmedia/Accenture/Conversion-Assets/DotCom/Documents/Global/PDF/Dualpub_20/Accenture-15-1429U-FutureOfApps-LSCS-v5-web.pdf. 
  2. Bajema, N.E.; DiEuliis, D.; Lutes, C.; Lim, Y.-B. (2018). "The digitization of biology: Understanding the new risks and implications for governance". Emergence & Convergence: 3. https://wmdcenter.ndu.edu/Media/News/Article/1569559/the-digitization-of-biology-understanding-the-new-risks-and-implications-for-go/. 
  3. Olena, A. (1 June 2018). "Bringing the Internet of Things into the Lab". The Scientist. https://www.the-scientist.com/bio-business/bringing-the-internet-of-things-into-the-lab-64265. 
  4. Chapman, T. (2003). "Lab automation and robotics: Automation on the move". Nature 421 (6923): 661, 663, 665–6. doi:10.1038/421661a. PMID 12571603. 
  5. Agapakis, C.M. (2014). "Designing synthetic biology". ACS Synthetic Biology 3 (3): 121–8. doi:10.1021/sb4001068. PMID 24156739. 
  6. Carbonell, P.; Jervis, A.J.; Robinson, C.J. et al. (2018). "An automated Design-Build-Test-Learn pipeline for enhanced microbial production of fine chemicals". Communications Biology 1: 66. doi:10.1038/s42003-018-0076-9. PMC PMC6123781. PMID 30271948. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6123781. 
  7. Thurow, K.; Göde, B.; Dingerdissen, U.; Stoll, N. (2004). "Laboratory Information Management Systems for Life Science Applications". Organic Process Research & Development 8 (6): 970–982. doi:10.1021/op040017s. 
  8. Walpole, J.; Papin, J.A.; Peirce, S.M. (2013). "Multiscale computational models of complex biological systems". Annual Review of Biomedical Engineering 15: 137–54. doi:10.1146/annurev-bioeng-071811-150104. PMC PMC3970111. PMID 23642247. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3970111. 
  9. Service, R.F. (2 March 2017). "DNA could store all of the world's data in one room". Science. doi:10.1126/science.aal0852. https://www.sciencemag.org/news/2017/03/dna-could-store-all-worlds-data-one-room. 
  10. Anderson, L.A.; Islam, M.A.; Prather, K.L.J. (2018). "Synthetic biology strategies for improving microbial synthesis of "green" biopolymers". Journal of Biological Chemistry 293 (14): 5053-5061. doi:10.1074/jbc.TM117.000368. PMC PMC5892568. PMID 29339554. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5892568. 
  11. Patel, P. (20 February 2018). "DNA Data Storage Gets Random Access". IEEE Spectrum. https://spectrum.ieee.org/the-human-os/biomedical/devices/dna-data-storage-gets-random-access. 
  12. von Krogh, G.; Battistini, B.; Pachidou, F.; Baschera, P. (2012). "The changing face of corporate venturing in biotechnology". Nature Biotechnology 30 (10): 911–5. doi:10.1038/nbt.2383. PMID 23051802. 
  13. Cha, A.E. (18 January 2015). "Crowdfunding propels scientific research". The Washington Post. https://www.washingtonpost.com/national/health-science/crowdfunding-propels-scientific-research/2015/01/18/c1937690-9758-11e4-8005-1924ede3e54a_story.html?utm_term=.734eb498edb5. 
  14. Mervis, J. (9 March 2017). "Data check: U.S. government share of basic research funding falls below 50%". Science. doi:10.1126/science.aal0890. https://www.sciencemag.org/news/2017/03/data-check-us-government-share-basic-research-funding-falls-below-50. 
  15. U.S. Government (March 2012). "United States Government Policy for Oversight of Life Sciences Dual Use Research of Concern" (PDF). http://www.phe.gov/s3/dualuse/Documents/us-policy-durc-032812.pdf. 
  16. U.S. Government (September 2014). "United States Government Policy for Institutional Oversight of Life Sciences Dual Use Research of Concern" (PDF). http://www.phe.gov/s3/dualuse/Documents/durc-policy.pdf. 
  17. National Research Council (2004). Biotechnology Research in an Age of Terrorism. National Academies Press. doi:10.17226/10827. ISBN 9780309166874. https://www.nap.edu/catalog/10827/biotechnology-research-in-an-age-of-terrorism. 
  18. Lord, R.; Forbes Technology Council (15 December 2017). "The Real Threat Of Identity Theft Is In Your Medical Records, Not Credit Cards". Forbes. https://www.forbes.com/sites/forbestechcouncil/2017/12/15/the-real-threat-of-identity-theft-is-in-your-medical-records-not-credit-cards/#445711491b59. 
  19. Souza, C. (10 December 2018). "Lessons for Pharma from the Merck Cyber Attack". PharmExec.com 38 (12). http://www.pharmexec.com/lessons-pharma-merck-cyber-attack. Retrieved 21 January 2019. 
  20. Ward, A. (11 December 2018). "ISIS's Use of Social Media Still Poses a Threat to Stability in the Middle East and Africa". The RAND Blog. https://www.rand.org/blog/2018/12/isiss-use-of-social-media-still-poses-a-threat-to-stability.html. Retrieved 21 January 2019. 
  21. Friedman, A.A. (25 September 2013). "Cyber Theft of Competitive Data: Asking the Right Questions". Brookings. The Brookings Institution. https://www.brookings.edu/research/cyber-theft-of-competitive-data-asking-the-right-questions/. 
  22. Bogle, A. (7 June 2018). "Healthcare data a growing target for hackers, cybersecurity experts warn". ABC.net.au. https://www.abc.net.au/news/science/2018-04-18/healthcare-target-for-hackers-experts-warn/9663304. Retrieved 23 November 2018. 
  23. Cohen, J. (23 March 2018). "Massive cyberhack by Iran allegedly stole research from 320 universities, governments, and companies". Science. doi:10.1126/science.aat6849. https://www.sciencemag.org/news/2018/03/massive-cyber-hack-iran-allegedly-stole-research-320-universities-governments-and. 
  24. Healthcare IT News Staff (2018). "The biggest healthcare data breaches of 2018 (so far)". Healthcare IT News. https://www.healthcareitnews.com/projects/biggest-healthcare-data-breaches-2018-so-far. Retrieved 23 November 2018. 
  25. Huang, E.; Steger, I. (29 October 2018). "China Is Secretly Enrolling Military Scientists in Western Universities". Defense One. https://www.defenseone.com/threats/2018/10/china-secretly-enrolling-military-scientists-western-universities/152383/. Retrieved 23 November 2018. 
  26. Keown, A. (18 September 2018). "Second Scientist Pleads Guilty to Stealing GlaxoSmithKline Trade Secrets". BioSpace. https://www.biospace.com/article/-jc1n-second-scientist-pleads-guilty-to-stealing-glaxosmithkline-trade-secrets/. Retrieved 23 November 2018. 
  27. Lynch, D.J. (2017). "Biotechnology: the US-China Dispute over Genetic Data". Financial Times. https://www.ft.com/content/245a7c60-6880-11e7-9a66-93fb352ba1fe. Retrieved 23 November 2018. 
  28. Rappeport, A. (10 October 2018). "In New Slap at China, U.S. Expands Power to Block Foreign Investments". The New York Times. https://www.nytimes.com/2018/10/10/business/us-china-investment-cfius.html. Retrieved 23 November 2018. 
  29. Bloomberg News (19 April 2018). "Chinese funds pour US$1.4b into US biotechnology firms in the first three months of the year". South China Morning Post. https://www.scmp.com/business/global-economy/article/2142351/chinese-funds-pour-us14b-us-biotechnology-firms-first-three. Retrieved 23 November 2018. 
  30. Respaut, R.; Zhu, J. (23 September 2018). "As China builds biotech sector, cash floods U.S. startups". Reuters. https://www.reuters.com/article/us-biotech-china-investment/as-china-builds-biotech-sector-cash-floods-u-s-startups-idUSKCN1M400G. Retrieved 23 November 2018. 
  31. Bai, G.; Jiang, J.X.; Flasher, R. (2017). "Hospital risk of data breaches". JAMA Internal Medicine 1777 (6): 878-880. doi:10.1001/jamainternmed.2017.0336. PMC PMC5818824. PMID 28384777. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5818824. 
  32. Michigan State University (19 November 2018). "Healthcare providers -- not hackers -- leak more of your data". EurekAlert!. https://eurekalert.org/pub_releases/2018-11/msu-hp-111618.php. Retrieved 23 November 2019. 
  33. BioSpace (21 October 2015). "WuXi Healthcare Invests In US Genomics Testmaker 23andMe". BioSpace. https://www.biospace.com/article/releases/-b-wuxi-healthcare-b-invests-in-us-genomics-testmaker-23andme-/. 
  34. Mui, Y.Q. (30 December 2016). "China’s $9 billion effort to beat the U.S. in genetic testing". The Washington Post. https://www.washingtonpost.com/news/wonk/wp/2016/12/30/chinas-9-billion-effort-to-beat-the-u-s-in-genetic-testing/?noredirect=on&utm_term=.8586cdbf28b8. 
  35. Baker, M. (2012). "China buys U.S. sequencing firm". Nature 489 (7417): 485–6. doi:10.1038/489485a. PMID 23018943. 
  36. Genome Web Staff Reporter (17 September 2012). "Complete Genomics, BGI Agree to $117.6M Merger". Genome Web. https://www.genomeweb.com/clinical-sequencing/complete-genomics-bgi-agree-1176m-merger#.XEqIOFxKiUl. Retrieved 24 January 2019. 
  37. Bontrager, P.; Roy, A.; Togelius, J. et al. (18 October 2018). "DeepMasterPrints: Generating MasterPrints for Dictionary Attacks via Latent Variable Evolution". arXiv.org. https://arxiv.org/abs/1705.07386. 
  38. NYU Tandon School of Engineering (20 November 2018). "Machine Learning Masters the Fingerprint to Fool Biometric Systems". PR Newswire. https://www.prnewswire.com/news-releases/machine-learning-masters-the-fingerprint-to-fool-biometric-systems-300753375.html. 
  39. U.S. Congress (2018). "S. 2098 (115th): Foreign Investment Risk Review Modernization Act of 2018". govtrack. https://www.govtrack.us/congress/bills/115/s2098. 
  40. CDC, USDA (2017). "Information Systems Security Control Guidance". Federal Select Agent Program. https://www.selectagents.gov/isg-intro.html. 
  41. Big Data and Privacy Working Group (February 2015). "Big Data: Seizing Opportunities, Preserving Values" (PDF). U.S. Government. https://obamawhitehouse.archives.gov/sites/default/files/docs/20150204_Big_Data_Seizing_Opportunities_Preserving_Values_Memo.pdf. 
  42. European Commission (2018). "2018 reform of EU data protection rules". https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en. 
  43. Sacks, S. (9 March 2018). "China’s Emerging Data Privacy System and GDPR". Center for Strategic & International Studies. https://www.csis.org/analysis/chinas-emerging-data-privacy-system-and-gdpr. 
  44. Soares, E. (28 August 2018). "Brazil: Personal Data Protection Law Enacted". Global Legal Monitor. https://www.loc.gov/law/foreign-news/article/brazil-personal-data-protection-law-enacted/. 
  45. U.S. Department of Health and Human Services (26 July 2013). "Summary of the HIPAA Security Rule". https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html. 
  46. Van Noorden, R. (22 February 2013). "White House announces new US open-access policy". Nature NewsBlog. http://blogs.nature.com/news/2013/02/us-white-house-announces-open-access-policy.html. Retrieved 23 November 2018. 
  47. United Nations Environment Programme. "About the Nagoya Protocol". Convention on Biological Diversity. https://www.cbd.int/abs/about/. 
  48. dos S. Ribeiro, C.; Koopmans, M.P.; Haringhuizen, G.B. (26 October 2018). "Threats to timely sharing of pathogen sequence data". Science. doi:10.1126/science.aau5229. https://science.sciencemag.org/content/362/6413/404. 

Notes

This presentation is faithful to the original, with only a few minor changes to presentation, grammar, and punctuation. In some cases important information was missing from the references, and that information was added. The two footnotes in the original material were turned into inline references for this version.