A security framework for population-scale genomics analysis

Biobanks store genomic material from identifiable individuals. Recently many population-based studies have started sequencing genomic data from biobank samples and cross-linking the genomic data with clinical data, with the goal of discovering new insights into disease and clinical treatments. However, the use of genomic data for research has far-reaching implications for privacy and the relations between individuals and society. In some jurisdictions, primarily in Europe, new laws are being or have been introduced to legislate for the protection of sensitive data relating to individuals, and biobank-specific laws have even been designed to legislate for the handling of genomic data and the clear definition of roles and responsibilities for the owners and processors of genomic data. This paper considers the security questions raised by these developments. We introduce a new threat model that enables the design of cloud-based systems for handling genomic data according to privacy legislation. We also describe the design and implementation of a security framework using our threat model for BiobankCloud, a platform that supports the secure storage and processing of genomic data in cloud computing environments.
