17 April 2019
While the vast majority of our genetic code is shared between every individual on the planet, no two human genomes are exactly the same. Even identical twins demonstrate epigenomic and environmental discrepancies. As a result, our DNA is fundamentally an operator of personal identification, presenting entirely new challenges to the data security field.
Jean-Pierre Hubaux, a Full Professor at École polytechnique fédérale de Lausanne (EPFL) and lead of the Data Protection in Personalized Health (DPPH) initiative in Switzerland, and David Bernick, Chief Information Security Officer at the Broad Institute of MIT and Harvard plan to address these challenges as they take on leadership of the GA4GH Data Security Work Stream. Bernick and Hubaux will replace Dixie Baker of Martin, Blanck and Associates and Paul Flicek of EMBL’s European Bioinformatics Institute (EMBL-EBI), who have led the GA4GH security strategy since the organization was founded in 2013.
Under Baker and Flicek’s leadership, the Work Stream has made significant contributions in guiding technology standards and best practices for protecting data and services, including the development of the first versions of the security technology infrastructure document, which suggests a set of security and architectural standards and guidelines for implementing and operating a trustworthy genomic data sharing ecosystem. A new version of this document is expected soon. Together with Hubaux, Baker has also co-led the annual Genome Privacy and Security (GenoPri) conference for the past two years, which is held in conjunction with the GA4GH Plenary Meeting.
Hubaux and Bernick aim to build upon the existing goals of the Work Stream, which aims to protect genomic and health-related data and ensure that the standards produced by the GA4GH Technical Work Streams are developed within a sound risk-management framework. The Leads also plan to further development of the GA4GH Breach Response protocol and Authentication and Authorization Infrastructure (AAI).
“We don’t want to just address today’s security needs but look at future security needs,” said Bernick. “The goal is to provide a framework so other [GA4GH] Work Streams can ‘self-service’ security and start their posture from a place of maintaining proper confidentiality without having to play catch-up after-the-fact.”
Hubaux adds that historically, there has been a gap between biomedicine and information security. With personalized health introducing an unparalleled level of identifiability, the practice arguably raises some of the most formidable privacy and security challenges to date. “Data protection in personalized health is a dramatically under-researched topic,” he said. “Hopefully, the activities of the [Data Security Work Stream] will encourage more researchers to address this challenge.”
Bernick and Hubaux hope to work closely with other GA4GH Work Streams, such as the Regulatory and Ethics and Cloud Work Streams, to help tackle these questions and define the overall GA4GH privacy and security doctrine. The Data Security Work Stream also plans to leverage existing technology such as conventional encryption, homomorphic encryption, secure multi-party computation, trusted execution environments, and differential privacy.
“But technology alone will not solve the problem,” said Hubaux. “The contribution of policy-makers, ethicists, and the whole medical sector is crucial for the success of this worthy endeavor. No less than the trustworthiness of modern medicine is at stake.”