Bad Actors Getting Your Health Data Is the FBI’s Latest Worry
In February 2015, the health insurer Anthem revealed that criminal hackers had gained access to the company's servers, exposing the personal information of nearly 79 million patients. It's the largest known healthcare breach in history.
FBI agents worry that the vast amounts of healthcare data being generated for precision medicine efforts could leave the U.S. vulnerable to cyber and biological attacks.
That year, the data of millions more would be compromised in one cyberattack after another on American insurers and other healthcare organizations. In fact, for the past several years, the number of reported data breaches has increased each year, from 199 in 2010 to 344 in 2017, according to a September 2018 analysis in the Journal of the American Medical Association.
The FBI's Edward You sees this as a worrying trend. He says hackers aren't just interested in your social security or credit card number. They're increasingly interested in stealing your medical information. Hackers can currently use this information to make fake identities, file fraudulent insurance claims, and order and sell expensive drugs and medical equipment. But beyond that, a new kind of cybersecurity threat is around the corner.
Mr. You and others worry that the vast amounts of healthcare data being generated for precision medicine efforts could leave the U.S. vulnerable to cyber and biological attacks. In the wrong hands, this data could be used to exploit or extort an individual, discriminate against certain groups of people, make targeted bioweapons, or give another country an economic advantage.
Precision medicine, of course, is the idea that medical treatments can be tailored to individuals based on their genetics, environment, lifestyle or other traits. But to do that requires collecting and analyzing huge quantities of health data from diverse populations. One research effort, called All of Us, launched by the U.S. National Institutes of Health last year, aims to collect genomic and other healthcare data from one million participants with the goal of advancing personalized medical care.
Other initiatives are underway by academic institutions and healthcare organizations. Electronic medical records, genetic tests, wearable health trackers, mobile apps, and social media are all sources of valuable healthcare data that a bad actor could potentially use to learn more about an individual or group of people.
"When you aggregate all of that data together, that becomes a very powerful profile of who you are," Mr. You says.
A supervisory special agent in the biological countermeasures unit within the FBI's weapons of mass destruction directorate, it's Mr. You's job to imagine worst-case bioterror scenarios and figure out how to prevent and prepare for them.
That used to mean focusing on threats like anthrax, Ebola, and smallpox—pathogens that could be used to intentionally infect people—"basically the dangerous bugs," as he puts it. In recent years, advances in gene editing and synthetic biology have given rise to fears that rogue, or even well-intentioned, scientists could create a virulent virus that's intentionally, or unintentionally, released outside the lab.
"If a foreign source, especially a criminal one, has your biological information, then they might have some particular insights into what your future medical needs might be and exploit that."
While Mr. You is still tracking those threats, he's been traveling around the country talking to scientists, lawyers, software engineers, cyber security professionals, government officials and CEOs about new security threats—those posed by genetic and other biological data.
Mr. You says one possible situation he can imagine is the potential for nefarious actors to use an individual's sensitive medical information to extort or blackmail that person.
"If a foreign source, especially a criminal one, has your biological information, then they might have some particular insights into what your future medical needs might be and exploit that," he says. For instance, "what happens if you have a singular medical condition and an outside entity says they have a treatment for your condition?" You could get talked into paying a huge sum of money for a treatment that ends up being bogus.
Or what if hackers got a hold of a politician or high-profile CEO's health records? Say that person had a disease-causing genetic mutation that could affect their ability to carry out their job in the future and hackers threatened to expose that information. These scenarios may seem far-fetched, but Mr. You thinks they're becoming increasingly plausible.
On a wider scale, Kavita Berger, a scientist at Gryphon Scientific, a Washington, D.C.-area life sciences consulting firm, worries that data from different populations could be used to discriminate against certain groups of people, like minorities and immigrants.
For instance, the advocacy group Human Rights Watch in 2017 flagged a concerning trend in China's Xinjiang territory, a region with a history of government repression. Police there had purchased 12 DNA sequencers and were collecting and cataloging DNA samples from people to build a national database.
"The concern is that this particular province has a huge population of the Muslim minority in China," Ms. Berger says. "Now they have a really huge database of genetic sequences. You have to ask, why does a police station need 12 next-generation sequencers?"
Also alarming is the potential that large amounts of data from different groups of people could lead to customized bioweapons if that data ends up in the wrong hands.
Eleonore Pauwels, a research fellow on emerging cybertechnologies at United Nations University's Centre for Policy Research, says new insights gained from genomic and other data will give scientists a better understanding of how diseases occur and why certain people are more susceptible to certain diseases.
"As you get more and more knowledge about the genomic picture and how the microbiome and the immune system of different populations function, you could get a much deeper understanding about how you could target different populations for treatment but also how you could eventually target them with different forms of bioagents," Ms. Pauwels says.
Another reason hackers might want to gain access to large genomic and other healthcare datasets is to give their country a leg up economically. Many large cyber-attacks on U.S. healthcare organizations have been tied to Chinese hacking groups.
"This is a biological space race and we just haven't woken up to the fact that we're in this race."
"It's becoming clear that China is increasingly interested in getting access to massive data sets that come from different countries," Ms. Pauwels says.
A year after U.S. President Barack Obama conceived of the Precision Medicine Initiative in 2015—later renamed All of Us—China followed suit, announcing the launch of a 15-year, $9 billion precision health effort aimed at turning China into a global leader in genomics.
Chinese genomics companies, too, are expanding their reach outside of Asia. One company, WuXi NextCODE, which has offices in Shanghai, Reykjavik, and Cambridge, Massachusetts, has built an extensive library of genomes from the U.S., China and Iceland, and is now setting its sights on Ireland.
Another Chinese company, BGI, has partnered with Children's Hospital of Philadelphia and Sinai Health System in Toronto, and also formed a collaboration with the Smithsonian Institute to sequence all species on the planet. BGI has built its own advanced genomic sequencing machines to compete with U.S.-based Illumina.
Mr. You says having access to all this data could lead to major breakthroughs in healthcare, such as new blockbuster drugs. "Whoever has the largest, most diverse dataset is truly going to win the day and come up with something very profitable," he says.
Some direct-to-consumer genetic testing companies with offices in the U.S., like Dante Labs, also use BGI to process customers' DNA.
Experts worry that China could race ahead the U.S. in precision medicine because of Chinese laws governing data sharing. Currently, China prohibits the exportation of genetic data without explicit permission from the government. Mr. You says this creates an asymmetry in data sharing between the U.S. and China.
"This is a biological space race and we just haven't woken up to the fact that we're in this race," he said in January at an American Society for Microbiology conference in Washington, D.C. "We don't have access to their data. There is absolutely no reciprocity."
Protecting your data
While Mr. You has been stressing the importance of data security to anyone who will listen, the National Academies of Sciences, Engineering, and Medicine, which makes scientific and policy recommendations on issues of national importance, has commissioned a study on "safeguarding the bioeconomy."
In the meantime, Ms. Berger says organizations that deal with people's health data should assess their security risks and identify potential vulnerabilities in their systems.
As for what individuals can do to protect themselves, she urges people to think about the different ways they're sharing healthcare data—such as via mobile health apps and wearables.
"Ask yourself, what's the benefit of sharing this? What are the potential consequences of sharing this?" she says.
Mr. You also cautions people to think twice before taking consumer DNA tests. They may seem harmless, he says, but at the end of the day, most people don't know where their genetic information is going. "If your genetic sequence is taken, once it's gone, it's gone. There's nothing you can do about it."
Are the gains from gain-of-function research worth the risks?
Scientists have long argued that gain-of-function research, which can make viruses and other infectious agents more contagious or more deadly, was necessary to develop therapies and vaccines to counter the pathogens in case they were used for biological warfare. As the SARS-CoV-2 origins are being investigated, one prominent theory suggests it had leaked from a biolab that conducted gain-of-function research, causing a global pandemic that claimed nearly 6.9 million lives. Now some question the wisdom of engaging in this type of research, stating that the risks may far outweigh the benefits.
“Gain-of-function research means genetically changing a genome in a way that might enhance the biological function of its genes, such as its transmissibility or the range of hosts it can infect,” says George Church, professor of genetics at Harvard Medical School. This can occur through direct genetic manipulation as well as by encouraging mutations while growing successive generations of micro-organism in culture. “Some of these changes may impact pathogenesis in a way that is hard to anticipate in advance,” Church says.
In the wake of the global pandemic, the pros and cons of gain-of-function research are being fiercely debated. Some scientists say this type of research is vital for preventing future pandemics or for preparing for bioweapon attacks. Others consider it another disaster waiting to happen. The Government Accounting Office issued a report charging that a framework developed by the U.S. Department of Health & Human Services (HHS) provided inadequate oversight of this potentially deadly research. There’s a movement to stop it altogether. In January, the Viral Gain-of-Function Research Moratorium Act (S. 81) was introduced into the Senate to cease awarding federal research funding to institutions doing gain-of-function studies.
While testifying before the House COVID Origins Select Committee on March 8th, Robert Redfield, former director of the U.S. Centers for Disease Control and Prevention, said that COVID-19 may have resulted from an accidental lab leak involving gain-of-function research. Redfield said his conclusion is based upon the “rapid and high infectivity for human-to-human transmission, which then predicts the rapid evolution of new variants.”
“It is a very, very, very small subset of life science research that could potentially generate a potential pandemic pathogen,” said Gerald Parker, associate dean for Global One Health at Texas A&M University.
“In my opinion,” Redfield continues, “the COVID-19 pandemic presents a case study on the potential dangers of such research. While many believe that gain-of-function research is critical to get ahead of viruses by developing vaccines, in this case, I believe that was the exact opposite.” Consequently, Redfield called for a moratorium on gain-of-function research until there is consensus about the value of such risky science.
What constitutes risky?
The Federal Select Agent Program lists 68 specific infectious agents as risky because they are either very contagious or very deadly. In order to work with these 68 agents, scientists must register with the federal government. Meanwhile, research on deadly pathogens that aren’t easily transmitted, or pathogens that are quite contagious but not deadly, can be conducted without such oversight. “If you’re not working with select agents, you’re not required to register the research with the federal government,” says Gerald Parker, associate dean for Global One Health at Texas A&M University. But the 68-item list may not have everything that could possibly become dangerous or be engineered to be dangerous, thus escaping the government’s scrutiny—an issue that new regulations aim to address.
In January 2017, the White House Office of Science and Technology Policy (OSTP) issued additional guidance. It required federal departments and agencies to follow a series of steps when reviewing proposed research that could create, transfer, or use potential pandemic pathogens resulting from the enhancement of a pathogen’s transmissibility or virulence in humans.
In defining risky pathogens, OSTP included viruses that were likely to be highly transmissible and highly virulent, and thus very deadly. The Proposed Biosecurity Oversight Framework for the Future of Science, outlined in 2023, broadened the scope to require federal review of research “that is reasonably anticipated to enhance the transmissibility and/or virulence of any pathogen” likely to pose a threat to public health, health systems or national security. Those types of experiments also include the pathogens’ ability to evade vaccines or therapeutics, or diagnostic detection.
However, Parker says that dangers of generating a pandemic-level germ are tiny. “It is a very, very, very small subset of life science research that could potentially generate a potential pandemic pathogen.” Since gain-of-function guidelines were first issued in 2017, only three such research projects have met those requirements for HHS review. They aimed to study influenza and bird flu. Only two of those projects were funded, according to the NIH Office of Science Policy. For context, NIH funded approximately 11,000 of the 54,000 grant applications it received in 2022.
Guidelines governing gain-of-function research are being strengthened, but Church points out they aren’t ideal yet. “They need to be much clearer about penalties and avoiding positive uses before they would be enforceable.”
What do we gain from gain-of-function research?
The most commonly cited reason to conduct gain-of-function research is for biodefense—the government’s ability to deal with organisms that may pose threats to public health.
In the era of mRNA vaccines, the advance preparedness argument may be even less relevant.
“The need to work with potentially dangerous viruses is central to our preparedness,” Parker says. “It’s essential that we know and understand the basic biology, microbiology, etc. of some of these dangerous pathogens.” That includes increasing our knowledge of the molecular mechanisms by which a virus could become a sustained threat to humans. “Knowing that could help us detect [risks] earlier,” Parker says—and could make it possible to have medical countermeasures, like vaccines and therapeutics, ready.
Most vaccines, however, aren’t affected by this type of research. Essentially, scientists hope they will never need to use it. Moreover, Paul Mango, HSS former deputy chief of staff for policy, and author of the 2022 book Warp Speed, says he believes that in the era of mRNA vaccines, the advance preparedness argument may be even less relevant. “That’s because these vaccines can be developed and produced in less than 12 months, unlike traditional vaccines that require years of development,” he says.
Can better oversight guarantee safety?
Another situation, which Parker calls unnecessarily dangerous, is when regulatory bodies cannot verify that the appropriate biosafety and biosecurity controls are in place.
Gain-of-function studies, Parker points out, are conducted at the basic research level, and they’re performed in high-containment labs. “As long as all the processes, procedures and protocols are followed and there’s appropriate oversight at the institutional and scientific level, it can be conducted safely.”
Globally, there are 69 Biosafety Level 4 (BSL4) labs operating, under construction or being planned, according to recent research from King’s College London and George Mason University for Global BioLabs. Eleven of these 18 high-containment facilities that are planned or under construction are in Asia. Overall, three-quarters of the BSL4 labs are in cities, increasing public health risks if leaks occur.
Researchers say they are confident in the oversight system for BSL4 labs within the U.S. They are less confident in international labs. Global BioLabs’ report concurs. It gives the highest scores for biosafety to industrialized nations, led by France, Australia, Canada, the U.S. and Japan, and the lowest scores to Saudi Arabia, India and some developing African nations. Scores for biosecurity followed similar patterns.
“There are no harmonized international biosafety and biosecurity standards,” Parker notes. That issue has been discussed for at least a decade. Now, in the wake of SARS and the COVID-19 pandemic, scientists and regulators are likely to push for unified oversight standards. “It’s time we got serious about international harmonization of biosafety and biosecurity standards and guidelines,” Parker says. New guidelines are being worked on. The National Science Advisory Board for Biosecurity (NSABB) outlined its proposed recommendations in the document titled Proposed Biosecurity Oversight Framework for the Future of Science.
The debates about whether gain-of-function research is useful or poses unnecessary risks to humanity are likely to rage on for a while. The public too has a voice in this debate and should weigh in by communicating with their representatives in government, or by partaking in educational forums or initiatives offered by universities and other institutions. In the meantime, scientists should focus on improving the research regulations, Parker notes. “We need to continue to look for lessons learned and for gaps in our oversight system,” he says. “That’s what we need to do right now.”
The rise of remote work is a win-win for people with disabilities and employers
Disability advocates see remote work as a silver lining of the pandemic, a win-win for adults with disabilities and the business world alike.
Any corporate leader would jump at the opportunity to increase their talent pool of potential employees by 15 percent, with all these new hires belonging to an underrepresented minority. That’s especially true given tight labor markets and CEO desires to increase headcount. Yet, too few leaders realize that people with disabilities are the largest minority group in this country, numbering 50 million.
Some executives may dread the extra investments in accommodating people’s disabilities. Yet, providing full-time remote work could suffice, according to a new study by the Economic Innovation Group think tank. The authors found that the employment rate for people with disabilities did not simply reach the pre-pandemic level by mid-2022, but far surpassed it, to the highest rate in over a decade. “Remote work and a strong labor market are helping [individuals with disabilities] find work,” said Adam Ozemik, who led the research and is chief economist at the Economic Innovation Group.
Disability advocates see this development as a silver lining of the pandemic, a win-win for adults with disabilities and the business world alike. For decades before the pandemic, employers had refused requests from workers with disabilities to work remotely, according to Thomas Foley, executive director of the National Disability Institute. During the pandemic, "we all realized that...many of us could work remotely,” Foley says. “[T]hat was disproportionately positive for people with disabilities."
Charles-Edouard Catherine, director of corporate and government relations for the National Organization on Disability, said that remote-work options had been advocated for many years to accommodate disabilities. “It’s a little frustrating that for decades corporate America was saying it’s too complicated, we’ll lose productivity, and now suddenly it’s like, sure, let’s do it.”
The pandemic opened doors for people with disabilities
Early in the pandemic, employment rates dropped for everyone, including people with disabilities, according to Ozemik’s research. However, these rates recovered quickly. In the second quarter of 2022, people with disabilities aged 25 to 54, the prime working age, are 3.5 percent more likely to be employed, compared to before the pandemic.
What about people without disabilites? They are still 1.1 percent less likely to be employed.
These numbers suggest that remote work has enabled a substantial number of people with disabilities to find and retain employment.
“We have a last-in, first-out labor market, and [people with disabilities] are often among the last in and the first out,” Olzemik says. However, this dynamic has changed, with adults with disabilities seeing employment rates recover much faster. Now, the question is whether the new trend will endure, Olzemik adds. “And my conclusion is that not only is it a permanent thing, but it’s going to improve.”
Gene Boes, president and chief executive of the Northwest Center, a Seattle organization that helps people with disabilities become more independent, confirms this finding. “The new world we live in has opened the door a little bit more…because there’s just more demand for labor.”
Long COVID disabilities put a premium on remote work
Remote work can help mitigate the impact of long COVID. The U.S. Centers for Disease Control and Prevention reports that about 19 percent of those who had COVID developed long COVID. Recent Census Bureau data indicates that 16 million working age Americans suffer from it, with economic costs estimated at $3.7 trillion.
Certainly, many of these so-called long-haulers experience relatively mild symptoms - such as loss of smell - which, while troublesome, are not disabling. But other symptoms are serious enough to be disabilities.
According to a recent study from the Federal Reserve Bank of Minneapolis, about a quarter of those with long COVID changed their employment status or working hours. That means long COVID was serious enough to interfere with work for 4 million people. For many, the issue was serious enough to qualify them as disabled.
Indeed, the Federal Reserve Bank of New York found in a just-released study that the number of individuals with disabilities in the U.S. grew by 1.7 million. That growth stemmed mainly from long COVID conditions such as fatigue and brain fog, meaning difficulties with concentration or memory, with 1.3 million people reporting an increase in brain fog since mid-2020.
Many had to drop out of the labor force due to long COVID. Yet, about 900,000 people who are newly disabled have managed to continue working. Without remote work, they might have lost these jobs.
For example, a software engineer at one of my client companies has struggled with brain fog related to long COVID. With remote work, this employee can work during the hours when she feels most mentally alert and focused, even if that means short bursts of productivity throughout the day. With flexible scheduling, she can take rests, meditate, or engage in activities that help her regain focus and energy. Without the need to commute to the office, she can save energy and time and reduce stress, which is crucial when dealing with brain fog.
In fact, the author of the Federal Reserve Bank of New York study notes that long COVID can be considered a disability under the Americans with Disability Act, depending on the specifics of the condition. That means the law can require private employers with fifteen or more staff, as well as government agencies, to make reasonable accommodations for those with long COVID. Richard Deitz, the author of this study, writes in the paper that “telework and flexible scheduling are two accommodations that can be particularly beneficial for workers dealing with fatigue and brain fog.”
The current drive to return to the office, led by many C-suite executives, may need to be reconsidered in light of legal and HR considerations. Arlene S. Kanter, director of the disability law and policy program at the Syracuse University College of Law, said that the question should depend on whether people with disabilities can perform their work well at home, as they did during Covid outbreaks. “[T]hen people with disabilities, as a matter of accommodation, shouldn’t be denied that right,” Kanter said.
But companies shouldn’t need to worry about legal regulations. It simply makes dollars and sense to expand their talent pool by 15% of an underrepresented minority. After all, extensive research shows that improving diversity boosts both decision-making and financial performance.
Companies that are offering more flexible work options have already gained significant benefits in terms of diverse hires. In its efforts to adapt to the post-pandemic environment, Meta, the owner of Facebook and Instagram, decided to offer permanent fully remote work options to its entire workforce. And according to Meta chief diversity officer Maxine Williams, the candidates who accepted job offers for remote positions were “substantially more likely” to come from diverse communities: people with disabilities, Black, Hispanic, Alaskan Native, Native American, veterans, and women. The numbers bear out these claims: people with disabilities increased from 4.7 to 6.2 percent of Meta’s employees.
Having consulted for 21 companies to help them transition to hybrid work arrangements, I can confirm that Meta’s numbers aren’t a fluke. The more my clients proved willing to offer remote work, the more staff with disabilities they recruited - and retained. That includes employees with mobility challenges. But it also includes employees with less visible disabilities, such as people with long COVID and immunocompromised people who feel reluctant to put themselves at risk of getting COVID by coming into the office.
Unfortunately, many leaders fail to see the benefits of remote work for underrepresented groups, such as those with disabilities. Some even say the opposite is true, with JP Morgan CEO Jamie Dimon claiming that returning to the office will aid diversity.
What explains this poor executive decision making? Part of the answer comes from a mental blindspot called the in-group bias. Our minds tend to favor and pay attention to the concerns of those in the group of people who seem to look and think like us. Dimon and other executives without disabilities don’t perceive people with disabilities to be part of their in-group. They thus are blind to the concerns of those with disabilities, which leads to misperceptions such as Dimon’s that returning to the office will aid diversity.
In-group bias is one of many dangerous judgment errors known as cognitive biases. They impact decision making in all life areas, ranging from the future of work to relationships.
Another relevant cognitive bias is the empathy gap. This term refers to our difficulty empathizing with those outside of our in-group. The lack of empathy combines with the blindness from the in-group bias, causing executives to ignore the feelings of employees with disabilities and prospective hires.
Omission bias also plays a role. This dangerous judgment error causes us to perceive failure to act as less problematic than acting. Consequently, executives perceive a failure to support the needs of those with disabilities as a minor matter.
The failure to empower people with disabilities through remote work options will prove costly to the bottom lines of companies. Not only are limiting their talent pool by 15 percent, they’re harming their ability to recruit and retain diverse candidates. And as their lawyers and HR departments will tell them, by violating the ADA, they are putting themselves in legal jeopardy.
By contrast, companies like Meta - and my clients - that offer remote work opportunities are seizing a competitive advantage by recruiting these underrepresented candidates. They’re lowering costs of labor while increasing diversity. The future belongs to the savvy companies that offer the flexibility that people with disabilities need.