Cyber threat analysis relevant to next generation sequencing in public health

Source publication
Article
Next generation sequencing (NGS) is becoming the new gold standard in public health microbiology. Like any disruptive technology, its growing popularity inevitably attracts cyber security actors, for whom the health sector is attractive because it combines mission-critical infrastructure and high-value data with cybersecurity vulnerabilities. In th...

Contexts in source publication

Context 1
... bioinformatics analysis usually involves an output or end result, which is interpreted and communicated to relevant stakeholders [20]. Table 1 describes the different attack vectors and methods applicable to a generic NGS process. An adversary can attack at multiple stages of the NGS pipeline, with different attacks requiring different access levels (e.g. ...
Context 2
... analysis highlights the need for policymakers to employ cyber security best practices throughout the NGS diagnostic cycle, starting from the acquisition of biological material and ending in cloud-based bioinformatic applications. The analysis shown in Table 1 is generic - different NGS platforms use a variety of technologies and architectures, making some of the threats relevant only to a subset of currently available platforms. All stages of the NGS process, from sample preparation to post-sequencing bioinformatics analysis, could be vulnerable to cyber attacks. ...

Citations

... The researchers identified that malware such as trojans could infect microfluidic biochips used in DNA sequencers, and the trojan is then used in various ways such as leaking or modifying information. Fayans et al. [34] pointed out that it is common for staff to use their office hardware for personal use, hence increasing the chance of picking up malware that can only target and infect medical types of equipment that are not as protected as standard IT equipment. The researchers also point out the possibility that the sequencing machine can also be compromised at the time of manufacturing. ...
... These languages are known to be vulnerable to a buffer overflow flaw [37]. Fayans et al. [34] highlight that vulnerabilities with the genomic software could be exploited to gain unauthorised access to the computer or network resources and can also be used to leak information, crash or disrupt various services, especially if the software is running with higher privileges. ...
[Table 1. Sample software which is used in DNA analysis that was found to have insecure function call or static buffer declaration; the number has been normalised by the number of appearance to 1000 lines of code [30].]
Article
DNA sequencing technologies have advanced significantly in the last few years leading to advancements in biomedical research which has improved personalised medicine and the discovery of new treatments for diseases. Sequencing technology advancement has also reduced the cost of DNA sequencing, which has led to the rise of direct-to-consumer (DTC) sequencing, e.g. 23andme.com, ancestry.co.uk, etc. In the meantime, concerns have emerged over privacy and security in collecting, handling, analysing and sharing DNA and genomic data. DNA data are unique and can be used to identify individuals. Moreover, those data provide information on people’s current disease status and disposition, e.g. mental health or susceptibility for developing cancer. DNA privacy violation does not only affect the owner but also affects their close consanguinity due to its hereditary nature. This article introduces and defines the term ‘digital DNA life cycle’ and presents an overview of privacy and security threats and their mitigation techniques for predigital DNA and throughout the digital DNA life cycle. It covers DNA sequencing hardware, software and DNA sequence pipeline in addition to common privacy attacks and their countermeasures when DNA digital data are stored, queried or shared. Likewise, the article examines DTC genomic sequencing privacy and security.
... In recent years DNA-based biotechnology and molecular systems more generally have begun to get more attention from the computer security community. DNA sequencers in particular have gotten significant scrutiny because they play a crucial role in genomics and have complex hardware and software threat surfaces [10,42]. DNA itself has even been shown to be a vector for possible computer attacks [33]. ...
Article
DNA sequencing is the molecular-to-digital conversion of DNA molecules, which are made up of a linear sequence of bases (A,C,G,T), into digital information. Central to this conversion are specialized fluidic devices, called sequencing flow cells, that distribute DNA onto a surface where the molecules can be read. As more computing becomes integrated with physical systems, we set out to explore how sequencing flow cell architecture can affect the security and privacy of the sequencing process and downstream data analysis. In the course of our investigation, we found that the unusual nature of molecular processing and flow cell design contributes to two security and privacy issues. First, DNA molecules are ‘sticky’ and stable for long periods of time. In a manner analogous to data recovery from discarded hard drives, we hypothesized that residual DNA attached to used flow cells could be collected and re-sequenced to recover a significant portion of the previously sequenced data. In experiments we were able to recover over 23.4% of a previously sequenced genome sample and perfectly decode image files encoded in DNA, suggesting that flow cells may be at risk of data recovery attacks. Second, we hypothesized that methods used to simultaneously sequence separate DNA samples together to increase sequencing throughput (multiplex sequencing), which incidentally leaks small amounts of data between samples, could cause data corruption and allow samples to adversarially manipulate sequencing data. We find that a maliciously crafted synthetic DNA sample can be used to alter targeted genetic variants in other samples using this vulnerability. Such a sample could be used to corrupt sequencing data or even be spiked into tissue samples, whenever untrusted samples are sequenced together. 
Taken together, these results suggest that, like many computing boundaries, the molecular-to-digital interface raises potential issues that should be considered in future sequencing and molecular sensing systems, especially as they become more ubiquitous.
... Although the results highlight the use of the most important reactive risk assessment tools in the healthcare sector such as Incident Reporting [80,81,88], Root Cause Analysis [31,69], and Failure Mode and Effect Analysis [16], it describes not enough studies useful to investigate this topic. Furthermore, the results describe the main cyber risks applied at the management of electronic medical records [33,41,62], electronic health records [26,55,71,89], telemedicine devices [16], and mobile health [38,40,62,83]. The literature analyzed calls for studies to other subject areas such as Business, Management and Accounting; Social Science; and Mathematics. ...
...
to examine parent perspectives about electronic consultations, including perceived benefits and risks, anticipated informational needs, and preferences for parent engagement with electronic consultations [94] 2.2
to explain like biosecurity can be dangerous for data breaches and disruption of operations at biological facilities from cyber-attacks [88] 2.2
to explore cybersecurity aspects of microbial NGS and to discuss the motivations and objectives for such as attack, its feasibility and implications, and highlight policy considerations aimed at threat mitigation [89] 2.2
to present a risk assessment feature integrated into the Socio-Technical Risk-Adaptable Access Control model, as well as the operationalization of the related mobile health decision policies [18] 2.2
to present a deep recurrent neural network solution as a stacked long short-term memory with a pre-training as a regularization method to avoid random network initialization [95] 2.2
to explain like physical systems are influenced by dynamic and evolving technologies, environments, and attack mechanisms with rapidly changing and difficult to detect and manage the vulnerabilities [70] 3.2
to examine the potential cyber risks arising from the application of IoT devices-linked insurance [71] 3.2
to report on an internal evaluation targeting hospital staff and summarize peer-reviewed literature regarding phishing and healthcare [24] 1.2
...
Preprint
The current world challenges include issues such as infectious disease pandemics, environmental health risks, food safety, and crime prevention. Through this article, a special emphasis is given to one of the main challenges in the healthcare sector during the COVID-19 pandemic, the cyber risk. Since the beginning of the Covid-19 pandemic, the World Health Organization has detected a dramatic increase in the number of cyber-attacks. For instance, in Italy the COVID-19 emergency has heavily affected cybersecurity; from January to April 2020, the total of attacks, accidents, and violations of privacy to the detriment of companies and individuals has doubled. Using a systematic and rigorous approach, this paper aims to analyze the literature on the cyber risk in the healthcare sector to understand the real knowledge on this topic. The findings highlight the poor attention of the scientific community on this topic, except in the United States. The literature lacks research contributions to support cyber risk management in subject areas such as Business, Management and Accounting; Social Science; and Mathematics. This research outlines the need to empirically investigate the cyber risk, giving a practical solution to health facilities.
Keywords: cyber risk; cyber-attack; cybersecurity; computer security; COVID-19; coronavirus; information technology risk; risk management; risk assessment; health facilities; healthcare sector; systematic literature review; insurance
... Synthetic biology has great potential to revolutionize many industries, but designer microbes can also be generated with CRISPR-Cas and other techniques that present global health and national security concerns (Salerno and Koelm, 2002; Chosewood and Wilson, 2009; Berger and Roderick, 2014; Werner, 2019). Microbiological genetic information systems are considered critical public health infrastructure (Fayans et al., 2020), plants can be manipulated to create potential health hazards (Mueller, 2019a), and methods for tracking genetically modified organisms can be exploited if appropriate techniques are not used (Mueller, 2019b). Sensitive genetic data of humans and other entities and their respective systems must be secured to prevent private to global risks (Jordan et al., 2020; Sawaya et al., 2020). ...
... Extensive work has been published surrounding the security of genetic information, highlighting that, as a newly developing field, cyberbiosecurity will require continuous assessment of risks as they emerge. Genetic information security is considered a critical aspect to comprehensive cyberbiosecurity and the bioeconomy (Institute of Medicine and National Research Council, 2006; Murch et al., 2018; Berger and Schneck, 2019; Murch and DiEuliis, 2019; Reed and Dunaway, 2019; Fayans et al., 2020; Jordan et al., 2020; National Academies of Sciences, Engineering, and Medicine, 2020; Sawaya et al., 2020). Multi-stakeholder and interdisciplinary collaboration, improved understanding of the security risks to biotechnology, characterization of biotechnology ecosystems, and assessment frameworks specific to biotechnology sectors and facility types will all be required in order to develop appropriate cyberbiosecurity countermeasures (Millett et al., 2019; Schabacker et al., 2019). ...
... Toward the above issues and goals, this paper expands upon a previous microbiological genetic information system assessment (Fayans et al., 2020) by including a broader range of genetic information and system components, as well as novel concepts and additional vulnerabilities and threats to the ecosystem. Herein, genetic information systems are characterized from a security perspective, and the foundation for future assessments of these ecosystems has been established for which improvement and further development will be needed. ...
Article
Genetic information is being generated at an increasingly rapid pace, offering advances in science and medicine that are paralleled only by the threats and risk present within the responsible systems. Human genetic information is identifiable and contains sensitive information, but genetic information security is only recently gaining attention. Genetic data is generated in an evolving and distributed cyber-physical system, with multiple subsystems that handle information and multiple partners that rely and influence the whole ecosystem. This paper characterizes a general genetic information system from the point of biological material collection through long-term data sharing, storage and application in the security context. While all biotechnology stakeholders and ecosystems are valuable assets to the bioeconomy, genetic information systems are particularly vulnerable with great potential for harm and misuse. The security of post-analysis phases of data dissemination and storage have been focused on by others, but the security of wet and dry laboratories is also challenging due to distributed devices and systems that are not designed nor implemented with security in mind. Consequently, industry standards and best operational practices threaten the security of genetic information systems. Extensive development of laboratory security will be required to realize the potential of this emerging field while protecting the bioeconomy and all of its stakeholders.
... Understanding the impact of cyber threats on biosecurity is extremely important. Cyber attacks are considered a potential threat to the security and privacy of genomic data [12,27] and the analysis of genetic material [22]. A recent biodefense report [50] mentions cyber threats with respect to identifying potential targets and the development of bioweapons. ...
Preprint
Today arbitrary synthetic DNA can be ordered online and delivered within several days. In order to regulate both intentional and unintentional generation of dangerous substances, most synthetic gene providers screen DNA orders. A weakness in the Screening Framework Guidance for Providers of Synthetic Double-Stranded DNA allows screening protocols based on this guidance to be circumvented using a generic obfuscation procedure inspired by early malware obfuscation techniques. Furthermore, accessibility and automation of the synthetic gene engineering workflow, combined with insufficient cybersecurity controls, allow malware to interfere with biological processes within the victim's lab, closing the loop with the possibility of an exploit written into a DNA molecule presented by Ney et al. in USENIX Security'17. Here we present an end-to-end cyberbiological attack, in which unwitting biologists may be tricked into generating dangerous substances within their labs. Consequently, despite common biosecurity assumptions, the attacker does not need to have physical contact with the generated substance. The most challenging part of the attack, decoding of the obfuscated DNA, is executed within living cells while using primitive biological operations commonly employed by biologists during in-vivo gene editing. This attack scenario underlines the need to harden the synthetic DNA supply chain with protections against cyberbiological threats. To address these threats we propose an improved screening protocol that takes into account in-vivo gene editing.
... Multi-stakeholder involvement and improved understanding of the security risks to biotechnology are required in order to develop appropriate countermeasures (Millett et al., 2019). Towards these goals, this paper expands upon a microbiological genetic information system assessment by Fayans et al. (Fayans et al., 2020) to include a broader range of genetic information, as well as novel concepts and additional threats to the ecosystem. ...
... Confidentiality, integrity, and availability are the core principles governing the secure operation of a system (Fayans et al., 2020; International Organization for Standardization, 2012). Confidentiality is the principle of ensuring access to information is restricted based upon the information's sensitivity. ...
... Much genetic data is already publicly available via open and semi-open databases, and dissemination practices are not properly addressed by regulations. There are wide-ranging motives behind adversaries targeting non-public genetic information (Fayans et al., 2020). Numerous stakeholders, personnel, and insecure devices are relied upon from the path of sample collection to data dissemination. ...
Preprint
Genetic information is being generated at an increasingly rapid pace, offering advances in science and medicine that are paralleled only by the threats and risk present within the responsible ecosystem. Human genetic information is identifiable and contains sensitive information, but genetic data security is only recently gaining attention. Genetic data is generated in an evolving and distributed cyber-physical ecosystem, with multiple systems that handle data and multiple partners that utilize the data. This paper defines security classifications of genetic information and discusses the threats, vulnerabilities, and risk found throughout the entire genetic information ecosystem. Laboratory security was found to be especially challenging, primarily due to devices and protocols that were not designed with security in mind. Likewise, other industry standards and best practices threaten the security of the ecosystem. A breach or exposure anywhere in the ecosystem can compromise sensitive information. Extensive development will be required to realize the potential of this emerging field while protecting the bioeconomy and all of its stakeholders.
Article
The gut microbiota can change to varying degrees because of changes in the environment. In the present study, we performed microbial amplicon sequencing on the feces of people who had long-term exposure to swine farms (F) and that of people living in normal environments (S) to investigate the impact of the environment on the human gut microbiota. A total of 1,283,503 high-quality ordered sequences were obtained, which provided different levels of microbial classification and statistics. We found that different environments did not alter the richness and diversity of the microbial communities in participants, but caused significant changes in the proportion of some bacteria. The main bacterial phyla found in group F participants were Firmicutes (69.44–89.03%), Actinobacteria (1.7–18.95%), and Bacteroidetes (1.17–22.35%); those found in group S participants were Firmicutes (49.93–95.04%), Bacteroidetes (0.62–39.59%), and Proteobacteria (0.98–11.95%). Additionally, because of changes in phylum proportions, the Bugbase phenotypic classification predicted an increase in the proportion of Gram-positive bacteria in group F and an increase in the proportion of Gram-negative bacteria in group S. In conclusion, our findings suggest that human exposure to swine farms can reshape the gut microbiota, resulting in changes in the microbial abundances. This change can potentially reduce the odds of developing bowel disease and contribute to the prevention of intestinal diseases, providing a theoretical basis for improving human health.