Source: Getty Images
– Researchers at Sandia National Laboratories have discovered a vulnerability in personalized medicine software used for genomic analysis.
The vulnerability could open DNA-based medical diagnostic tools to a “man-in-the-middle” attack, in which a hacker intercepts communication between two parties either to eavesdrop or modify communications between them.
In this case, the two parties are a remote government server with standardized human genome data and a user of the Burrows-Wheeler Aligner (BWA) program, which is popular among personalized genomics researchers.
Sandia Labs explained that personalized genomics research involves a two-step process: sequencing the entire genetic content from a patient’s cells and comparing that sequence to a standardized human genome.
By comparing those results, physicians can identify genetic changes in a patient that are linked to a particular disease.
The researchers found the vulnerability at the point where the BWA program imports the standardized genome from government servers, resulting in the sequence traveling over insecure communications channels.
In the hypothetical attack, a hacker could intercept the standard genome sequence and then transmit it to a BWA user along with malware that alters the genetic information. The malware could then change a patient’s genetic data during genome mapping, corrupting the final analysis. This could result in a physician, based on an incorrect genetic analysis, prescribing a drug that could be ineffective or even toxic to a patient.
“Once we discovered that this attack could change a patient’s genetic information, we followed responsible disclosure,” said Corey Hudson, a bioinformatics researcher at Sandia who headed that team that uncovered the flaw.
The Sandia researchers then contacted the open source developers, who issued a patch to fix the problem. They also contacted public agencies, including the U.S. Computer Emergency Readiness Team (US-CERT).
Hudson and his colleagues recommended that personalized genomics researchers use the latest version of BWA, transmit data over encrypted channels, and use software that protects sequencing data from being changed.
They also encouraged security researchers who analyze open source software for weaknesses to examine genomics programs. This practice is common for software used in critical infrastructure but would be a new area for genomics security, according to Hudson.
“Our goal is to make systems safer for people who use them by helping to develop best practices,” he concluded.
