Security specialist: Genomic data requires strong protections

Strong security protections will be required for genomic data as it's increasingly used to provide personalized medicine, says security specialist Dixie Baker, senior partner at consultancy Martin, Blanck & Associates.

Baker is a member of the Health Information Technology Standards Committee and chairs its Privacy and Security Workgroup. Neither has specifically addressed the protection of genomic data, she says in an interview at Healthcare Info Security.

So far, genomic test results are stored and protected as any other test results within EHRs, she said. Patients might want varying levels of privacy for genetic information. A person sensitive to the blood thinner Warfarin, for instance, might want that information on a wrist band readily available to ambulance crews, while a person might not want to broadcast other genetic information related to chemotherapy.

A whole genome sequence, meanwhile, requires about 150 gigabytes of storage, so it's impractical to store than in a typical EHR repository; rather, it's more likely to be kept as a separate file linked to the repository, similar to the way images are stored using a PAC system.

"A whole genome sequence requires more discretion and a higher level of protection," she said.

Whole genome sequences should be encrypted both at rest and in transmission, and access severely limited to need.

Researchers have shown recently that patients can be identified from whole genome sequences even in anonymous public databases. A Harvard study found that patients can be identified with just three pieces of information--ZIP code, date of birth and gender--combined with other publicly available data such as voter rolls.

Researchers from the Whitehead Institute for Biomedical Research in Cambridge, Mass., said patients need to be better informed that their supposedly anonymous data can reveal information not just about them, but also their relatives.

Baker mentioned two types of technology that will better protect genomic data. Federated query, she explained, allows a single response from multiple data stores without giving the researcher direct access to the data. She also cited the importance of technology for managing consumer preferences for data sharing. That was a key point in Rand Corp. recommendations for the Department of Defense.

For every provider to collect signatures that are then filed way and disconnected from the patient's electronic records is unsustainable, Baker said. Faxing of consent forms with each exchange is impractical, and consumers are demanding more control over their data. She pointed to the disease registry Reg4All, which puts patients in control of how their data is shared.

To learn more:
- find the Healthcare Info Security interview