The following is a guest article by Bruno Kurtic, Co-Founder, President, and CEO at Bedrock Security
It’s becoming increasingly evident that the U.S. BIOSECURE Act will soon become the law of the land. The U.S. House of Representatives recently passed the bill with strong bipartisan support, highlighting escalating national security concerns, particularly those related to cybersecurity and the protection of core intellectual property. As the government seeks to address those concerns, it’s worth considering where the BIOSECURE Act misses the mark, particularly in terms of protecting U.S. citizens and their DNA data. Undeniably, the Chinese government poses a broad and growing threat to critical infrastructure, which includes healthcare and the public health sector, and the sensitive data of American citizens. Through this Act, Congress is seeking to control pharmaceutical supply chain threats, largely by prohibiting federal agencies from engaging with biotechnology companies of concern. Whether it achieves this goal remains up for debate.
Where the BIOSECURE Act Falls Short
According to the House Select Committee on the Strategic Competition Between the U.S. and the Chinese Communist Party (CCP) and House Select Subcommittee on the Coronavirus Pandemic, the BIOSECURE Act is intended to control the biotech supply chain and secure citizens’ genetic data. Yet it targets specific companies without the broader context of looking at how companies collect or maintain personal genetic data. The CCP’s national security laws require Chinese firms to share any data requested, which includes the biotech companies that collect, test, and store American genetic data. That’s any Chinese firm, not a select few — therefore, the focus of the Act fails to address many real sources of potential data security risks. To effectively protect DNA data, the nation needs a comprehensive approach that creates uniform standards, considers all entities with access to genetic information, and coordinates internationally on biosecurity measures.
The Imperative of Securing Personal DNA Data
DNA data is uniquely sensitive information that contains very intimate details about an individual’s health, ancestry, and genetic predispositions. It is more personal and revealing than almost any other category of sensitive data. Unlike an exposed password or credit card number, a person’s genetic code cannot be changed or reissued: once it is exposed, it remains exposed for life, and because close relatives share much of it, the exposure extends to family members who never consented to testing at all.
DNA data also has serious potential for misuse. Much like any health data, genetic information may enable discrimination in obtaining health insurance or setting premiums, in finding or retaining employment, in being denied loans or charged higher interest rates for financial services, and in a variety of other ways. DNA data is used in healthcare, research, forensics, and other fields, which is why it must be protected against misuse across all of those domains. Because genetic data also has clear commercial value, attackers are likely to find it an attractive target, and breaches will erode public trust in genetic testing and research, potentially hindering scientific progress.
Given the far-reaching implications of unauthorized access to genetic data, the government should require robust security measures for all entities handling DNA data rather than focusing on a few companies. Protecting genetic data is necessary to safeguard individual privacy, maintain public trust, and still enable the responsible advancement of genomic science and its many possible applications.
Implementing Appropriate Data Controls
Regardless of when the BIOSECURE Act ultimately becomes law, both the public sector and private organizations must adopt measures that ensure sensitive data is appropriately secured. There is a real and pressing need for frameworks that mitigate data exposure risks. Such frameworks must include effective data controls that enable researchers to use data responsibly while still prioritizing personal privacy.
President Biden’s Executive Order 14028, “Improving the Nation’s Cybersecurity,” directs federal agencies to move toward a Zero Trust Architecture (ZTA): minimizing access to resources and continuously authenticating and authorizing every identity and device rather than trusting anything by virtue of its network location. In practice this includes:
- Limiting data access to specific individuals or accounts through role-based access controls (RBAC)
- Granting only the minimum level of access needed for the task (least privilege), and for no longer than needed
- Using strong authentication (strong, unique passwords backed by multi-factor authentication) and encryption for all accounts and devices
- Reviewing and re-authorizing account permissions regularly, and removing entitlements that are no longer needed
These measures should be accompanied by data de-identification, such as removing or pseudonymizing direct identifiers so that DNA data can still be analyzed without naming the person it belongs to. The three pieces that together re-identify a record (the direct identifiers such as name and date of birth, the genetic data itself, and the encryption keys or pseudonym mapping that link them) should each be stored separately, encrypted, and under separate access controls, so that compromising any one store does not re-identify the data.
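The separation described above, as an added example that is not part of the original article: a small script that splits constructed sample records into an identity store, a research store of pseudonymous genotypes, and a linking key held only by a custodian. The record layout, the keyed-HMAC pseudonym, and the custodian role are this example’s own assumptions; encryption of each store at rest is assumed to happen outside the snippet, with a different key per store.

```python
"""Pseudonymise a small genetic dataset into three separately held stores.

Added example, not from the article: identifiers, genetic data and the
linking secret are kept apart, using only the standard library.
Encrypting each store at rest (with a separate key per store) is assumed
to be done outside this snippet.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Constructed sample records: fictional people and made-up genotypes.
SAMPLE_RECORDS: List[dict] = [
    {"name": "Alice Example", "dob": "1980-01-01",
     "variants": ["rs429358:C/C", "rs7412:C/C"]},
    {"name": "Bob Example", "dob": "1975-06-30",
     "variants": ["rs429358:T/C", "rs7412:C/T"]},
    {"name": "Carol Example", "dob": "1990-12-12",
     "variants": ["rs429358:T/T", "rs7412:C/C"]},
]


def pseudonym(link_key: bytes, name: str, dob: str) -> str:
    """Keyed pseudonym for a subject.

    HMAC-SHA256 rather than a bare hash: name plus date of birth has so
    little entropy that an unkeyed hash could be reversed by enumerating
    candidates. Without link_key the pseudonym is just an opaque token.
    """
    subject_id = f"{name}|{dob}".encode()
    return hmac.new(link_key, subject_id, hashlib.sha256).hexdigest()


def split_dataset(records: List[dict], link_key: bytes) -> Tuple[Dict[str, dict], List[dict]]:
    """Split records into an identity store and a research store.

    identity_store: pseudonym -> direct identifiers (held by a custodian)
    research_store: rows of pseudonym + variants, no direct identifiers
    link_key: held by the custodian only; lets a new sample from a known
              person be joined to the research store later.
    """
    identity_store: Dict[str, dict] = {}
    research_store: List[dict] = []
    for rec in records:
        pid = pseudonym(link_key, rec["name"], rec["dob"])
        identity_store[pid] = {"name": rec["name"], "dob": rec["dob"]}
        research_store.append({"pid": pid, "variants": list(rec["variants"])})
    return identity_store, research_store


def carrier_count(research_store: List[dict], rsid: str, allele: str) -> int:
    """Analysis that works on the de-identified store alone: number of
    subjects carrying `allele` at `rsid`. Calls are written 'rsID:A1/A2'."""
    count = 0
    for row in research_store:
        for call in row["variants"]:
            site, genotype = call.split(":")
            if site == rsid and allele in genotype.split("/"):
                count += 1
                break
    return count


def reidentify(identity_store: Dict[str, dict], pid: str) -> dict:
    """Re-identification needs the identity store, not the research data.
    Raises KeyError for unknown pseudonyms (e.g. ones made under another key)."""
    return identity_store[pid]


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # generated once, kept by the custodian
    identities, research = split_dataset(SAMPLE_RECORDS, key)
    print("T carriers at rs429358:", carrier_count(research, "rs429358", "T"))
    print("research rows leak no names:", all("name" not in r for r in research))
    print("custodian lookup:", reidentify(identities, pseudonym(key, "Bob Example", "1975-06-30")))
```

The research store on its own supports the analysis (the carrier count) but names nobody; the identity store on its own names people but reveals no genotype; and only the holder of the link key can derive a pseudonym from a known name, which is why that key must not live with either store.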
Securing sensitive data also requires careful management of how data is shared, such as data use agreements to specify allowed uses and protections, sharing the data through controlled-access repositories, and ensuring researchers understand both personal privacy and intellectual property considerations of sharing such data.
Reducing the Risk of Data Exposure
There are multiple steps organizations can take to reduce the risk of exposing sensitive data. Robust access controls significantly reduce risk, particularly when accompanied by encryption and de-identification. Enhanced authentication measures, such as multi-factor authentication, strong password policies, and periodic re-authentication before sensitive operations, also reduce these risks. Rotating credentials on a fixed calendar schedule is no longer recommended (NIST SP 800-63B advises against mandatory periodic password changes); passwords should instead be changed promptly whenever compromise is known or suspected, and screened against known-breached password lists.
Another essential step is implementing a comprehensive and fast data identification and classification system that analyzes both structured and unstructured data to find and label the different types of information an organization holds. This enables organizations to apply stricter access controls to highly sensitive or regulated data, particularly DNA and protected health information. It also supports data minimization: it surfaces shadow data that was never inventoried, makes it simpler to review stored data and securely dispose of information that is no longer needed, and helps ensure that only necessary data is collected and retained.
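A minimal version of such a classifier, as an added example that is not part of the original article: it scans constructed samples (a VCF fragment, a raw read, a clinical note, and an ordinary application log) for markers of genetic data and protected health information, assigns a sensitivity label, and maps each label to an access policy. The marker patterns, label names, role names, and retention values are this example’s own illustrative choices, not any standard; a production scanner would tune the patterns and add a name/entity detector for free text, which plain regular expressions do not cover.

```python
"""Classify stored content by sensitivity before applying access controls.

Added example, not from the article. The markers, labels and policy
settings below are illustrative choices for this snippet, not a standard
scheme.
"""
import re
from typing import Dict, List

# Constructed sample inputs (fictional patient, made-up variant rows).
SAMPLES: Dict[str, str] = {
    "variants.vcf": "##fileformat=VCFv4.2\n#CHROM\tPOS\tID\tREF\tALT\n"
                    "1\t10177\trs367896648\tA\tAC\n",
    "reads.txt": "Sample read: ACGTACGTTGCAACGTAGCTAGCTAGGCTAGCATCGATCGATCGTAGCTA",
    "note.txt": "Patient John Doe, MRN 00012345, DOB 02/14/1965 seen for follow-up.",
    "app.log": "2024-05-01T12:00:00Z INFO request served in 12ms status=200",
}

# Detection markers; the name prefix decides which label family applies.
PATTERNS: Dict[str, "re.Pattern"] = {
    "genetic_vcf_header": re.compile(r"^##fileformat=VCF", re.MULTILINE),
    "genetic_rsid": re.compile(r"\brs\d{3,}\b"),             # dbSNP-style IDs
    "genetic_sequence": re.compile(r"\b[ACGT]{30,}\b"),       # long nucleotide run
    "phi_mrn": re.compile(r"\bMRN\s*\d{5,}\b", re.IGNORECASE),
    "phi_dob": re.compile(r"\bDOB\b[:\s]*\d{2}/\d{2}/\d{4}", re.IGNORECASE),
}


def findings(text: str) -> List[str]:
    """Names of all markers present in the text, sorted for stable output."""
    return sorted(name for name, pat in PATTERNS.items() if pat.search(text))


def classify(text: str) -> str:
    """Highest applicable label: genetic markers outrank PHI markers, which
    outrank the default. Structured rows and free text take the same path."""
    found = findings(text)
    if any(n.startswith("genetic_") for n in found):
        return "RESTRICTED-GENETIC"
    if any(n.startswith("phi_") for n in found):
        return "RESTRICTED-PHI"
    return "INTERNAL"


def controls_for(label: str) -> Dict[str, object]:
    """Access policy implied by a label (hypothetical role names and values)."""
    policy: Dict[str, object] = {
        "encrypt_at_rest": True,
        "mfa_required": False,
        "allowed_roles": {"staff"},
        "retention_days": 365,
    }
    if label == "RESTRICTED-PHI":
        policy.update(mfa_required=True,
                      allowed_roles={"clinician", "privacy-officer"})
    elif label == "RESTRICTED-GENETIC":
        policy.update(mfa_required=True,
                      allowed_roles={"genomics-analyst", "privacy-officer"},
                      retention_days=None)  # set by the data use agreement, not a default
    return policy


def inventory(store: Dict[str, str]) -> Dict[str, str]:
    """Label every object in a store. This is what a minimization review
    works from: what exists, where it is, and how sensitive it is."""
    return {path: classify(text) for path, text in store.items()}


if __name__ == "__main__":
    for path, label in inventory(SAMPLES).items():
        print(f"{path:14} {label:20} {findings(SAMPLES[path])}")
```

Running it labels the VCF fragment and the raw read as genetic data, the clinical note as PHI, and the application log as ordinary internal data; the log would be the candidate for routine deletion in a minimization review, while the two genetic objects get the strictest policy.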
When accompanied by other cybersecurity best practices, these measures can help organizations significantly reduce their risk of data exposure and demonstrate a commitment to protecting confidential health information, including DNA data. Cyber threats continue to evolve, and nation-state actors are playing a larger role than ever before, increasing risks to American citizens and their data. Organizations must take the responsibility for safeguarding sensitive information seriously now, whether it’s mandated by legislative requirements or not.
About Bruno Kurtic
Bruno Kurtic is a highly accomplished entrepreneur with 30 years of experience in building and leading high-growth technology companies. As Co-Founder, President, and CEO of Bedrock Security, Bruno leads the company’s vision and strategic direction.
Before founding Bedrock, Bruno co-founded Sumo Logic, where he crafted the company’s product and strategy, leading it from inception to a successful IPO. During his decade-long tenure as Head of Product, he established strategic partnerships with industry giants like AWS, Akamai, Crowdstrike, and Google Cloud, positioning Sumo Logic as a market leader. His hands-on approach in go-to-market activities and securing multiple patents helped the company raise over $346 million in funding from top-tier investors, including Greylock Partners and Sequoia Capital. Following the IPO, Bruno served as Chief Strategy Officer, continuing to guide the company’s strategic direction.
Bruno earned his undergraduate degree in Quantitative Methods and Computer Science from the University of Saint Thomas, followed by an MBA from MIT.