
Is UK genetic information at risk from hackers?

How is healthcare information guaranteed to remain safe and not used for non-medical purposes? There are “bad actors” — such as hackers — that are after personal data, but there are also potential breaches in privacy that can include police officers, tax offices, employers, and more.

And now, as organisations such as the UK Biobank start collecting genetic information for the purpose of providing a public database on diseases, how can you guarantee that your very own DNA won’t get into the hands of “bad actors?” How can healthcare technology be used for good without opening up new vulnerabilities?

Looking at both the latest advancements in genomic research and the loopholes they create, how can the UK healthcare system work in favour of the populace without potentially exposing the private information of individuals?

Genomics and Genetics in UK Healthcare

Many of the latest developments in healthcare are happening on a microscopic level, through research into human DNA. Both human genomics and genetics have been getting increased international attention of late. The World Health Organization (WHO) explains how the two work together:

“The main difference between genomics and genetics is that genetics scrutinizes the functioning and composition of the single gene whereas genomics addresses all genes and their inter relationships in order to identify their combined influence on the growth and development of the organism.”

The Human Genome Project, an international effort to map and sequence human DNA, was one of the first attempts at understanding human genetics, and it took from 1984 until 2003 before it was finally completed.

In the present day, genetics are taking on a whole new role: changing from research to proactive medical care through the growth of genomic research and information. Health practitioners and nurses can use the genetic and genomic information of patients to try to determine predisposition to diseases, identify significant genetic markers, and assess other health risks — all through the analysis of a simple cheek swab. Even mental health concerns and mental health medication can be assessed through genetic tests such as GeneSight.

Unfortunately, healthcare innovation on a governmental level is rather slow, often being blocked by bureaucracy and years of testing and trials before receiving government approval. Many innovators within healthcare are trying to improve these processes through interdisciplinary collaboration with patients, administrators, nurses, and doctors — not only to improve patient experiences, but to keep up with the latest technologies — and the latest threats to those technologies.

However, private companies are taking an interest in further mapping and understanding the human genome, and many of these private companies can innovate at a much faster rate than government health organizations. Unfortunately, unlike those of government-regulated programs, the priorities of these companies can be hidden from patients that are eager to utilise their services.

With the popularity of companies such as 23andMe in the United States and the United Kingdom, the general public is both excited at the opportunities and cautious of the potential wealth of information these companies now possess. Since 23andMe, specifically, considers itself an “information product” and not a medical product, could it possibly have more freedoms with medical information? Without protections in place to guard personal information, it’s far too easy for these companies to collect and potentially sell their database of genes. But how can you put a price on personal genetic information?

Threats to genetic and genomic information

Although storing health information online is almost becoming common practice, the introduction of new genetic material, combined with the introduction of open-source DNA searches such as the UK Biobank, raises new concerns. What guarantees do you have as a UK citizen that your genetic information won’t be used against you for employment purposes, tax decisions, or in police investigations?

According to the UK Biobank’s website, their 500,000 medical records were collected from volunteers who agreed to provide DNA samples, medical records, test results, and psychological assessments. By 2020, the organisation is hoping to make all of those records available to the public — but they also guarantee anonymity to the program volunteers. Scientists, research institutions, and pharmaceutical companies are some of the most eager groups to get their hands on this wealth of information, as it can hold thousands of samples of how genomic connections can lead to life-threatening diseases, which they can then potentially utilise to find a cure.

The UK Biobank has also insisted that their services are used solely for healthcare purposes, and note in their FAQ: “ … insurance companies and employers will not be allowed to access the Resource to look at information, samples or test results for any identifiable participants. Nor will UK Biobank allow access by the police, security services or other law enforcement agencies, unless it is forced to do so by the courts. UK Biobank is prepared to take all necessary actions, including (where appropriate) recourse to legal proceedings, in order to prevent such attempted access.”

Additionally, many UK citizens can rest at ease with the recent implementation of the General Data Protection Regulation (GDPR) in May of this year, which provides some of the strictest data protection rules in the world for all personal information: from bank accounts to medical history and genetic screenings. This EU law places the burden on companies to heighten security to prevent malware, hacks, and other data breaches. If a company falls short and data is stolen, they could face expensive fines of over 20 million Euros. Even Brexit won’t stop the GDPR from going and staying in effect in the U.K. over the coming years.

Unfortunately for US citizens across the pond, many of these same protections are not provided — unless, of course, they are also doing business with EU citizens. Of course, businesses in the U.S. rarely are, and many U.S. healthcare organisations are constantly playing catch-up with preventing cyberattacks on their patients’ data. Although many people may not be worried about having their medical history stolen, other information — such as their Social Security number, name, address, and date of birth — is all tied to medical information, making it extremely easy for hackers to steal identities for self-gain.

However, those aren’t the only protections that U.S. citizens have to be concerned about. Companies such as GEDMatch — a website that allows you to upload your DNA profile from Ancestry.com or 23andMe — provide an “open data personal genomics” database that can be used both by users that submit their DNA and by anyone else that utilizes the platform. This is how the infamous California serial killer, The Golden State Killer, was recently identified through a fourth cousin who had uploaded her own DNA to the GEDMatch service in hopes of finding lost relatives. Little did this cousin know at the time that her own DNA sample would help crack a decades-old case for police in another state.

In this case, the DNA information was used to help detain a terrible individual responsible for multiple murders, but who’s to say that this same information couldn’t be used for more nefarious, Orwellian-esque purposes?

Advancements with patient security in mind

There are many ways in which healthcare technology is growing and evolving in a positive way, and luckily services such as the UK Biobank can help advance even more knowledge surrounding life-threatening diseases and their treatment. Although many U.K. citizens are cautiously optimistic of these advancements, the protections provided by the GDPR place the burden on companies — instead of individuals — to keep personal, genetic information safe from “bad actors.”

In other countries such as the U.S., however, protection is often limited, and many companies are prioritised over individuals and the collective needs of the populace. Additionally, collaborative innovation is slow, and oftentimes the voice of companies can overpower the voice of patients who may be affected by healthcare changes. When equitable access and public welfare are not of the utmost concern for these companies, then individuals may be at risk of having a price tag placed on their personal genetic information.
