Open Source Genomic Analysis Software Flaw Patched
Do Data Integrity Security Concerns Pose Potential Patient Safety Worries?
“The possible impact is serious – if someone could successfully pull off a ‘man-in-the-middle’ attack,” says Tom Walsh, president of consulting firm tw-Security.
“In my opinion, to be successful, the attacker would have to have some understanding about genomic information to alter the data just enough to keep from raising suspicion with the researcher. A novice attacker may not understand the impact if they just randomly altered the data. It comes down to a researcher doing their due diligence validating the data and running more than one analysis before making a crucial conclusion that could impact a human life or ruin the researcher’s professional career.”
Walsh contends that it’s highly unlikely a hacker could manipulate genomic data for a targeted attack.
“What would be the motivation for an attacker to spend the amount of time and effort in setting up a ‘man-in-the-middle’ attack and altering the genomic information about an individual?” he asks. An attack of that nature would likely require involvement of an insider with specific knowledge about the targeted patient, he adds. And targeted attacks involving sensitive research-related data are made even more difficult in healthcare, he contends, because much of that data is de-identified.
… Walsh says that encryption is the best way to preserve data integrity for data in transit and data at rest. “However, encryption is sometimes viewed as an inconvenience by researchers because it can slow down data transmission and data analysis,” he notes. “Time involved to conduct a test or analyze the data is one of the reasons why research is conducted on high performance and/or supercomputing environments.”
… Walsh contends that open source software is not necessarily more at risk than commercial software.
“In general, open source code is as secure or maybe a bit more secure than commercially developed software,” Walsh says. “Open source code is supported by a group or community of users that can dig deep into the code. Lots of different eyes on the source code means an increased likelihood of finding vulnerabilities and getting them fixed. There is no motivation to ignore vulnerabilities.”
Commercially developed software relies on the company that developed the code to do a self-check for vulnerabilities or to hire a third party to do a security code review, Walsh notes.
“A for-profit company is under pressure to quickly get the software program to market and make money. Often we find the ‘ship now; fix later’ mentality from commercially developed software. Also, vendors tend to be protective of their intellectual property, which means fewer eyes looking at the source code – therefore, less likelihood of finding all of the vulnerabilities in the code.”