By Rebecca Harper, Head of Cybersecurity at ISMS.online
A recent data breach at a prominent genetic testing company has sparked widespread concern among experts and consumers, exacerbated by its insistence that its customers were squarely to blame. The breach at San Francisco-based 23andMe exposed sensitive information, prompting the company to deflect the blame to the victims in a letter sent to affected customers.
According to the letter, “Users negligently recycled and failed to update their passwords following past security incidents unrelated to 23andMe. Therefore, the incident did not result from 23andMe’s alleged failure to maintain reasonable security measures.” Security specialists unanimously agree that this finger-pointing underscores the urgent need for strong cybersecurity measures in consumer DNA testing and health companies.
Here are four crucial elements DNA testing and health companies must address to fortify their defences against data breaches:
Upholding Regulatory Frameworks and Data Security Standards
The 23andMe data breach underscores the importance of stringent regulatory frameworks governing highly sensitive genetic information storage and utilisation. Mishandling or unauthorised access to this data can have severe consequences for privacy and confidentiality. Therefore, organisations handling DNA and health data must adhere to comprehensive regulations and maintain the highest data security standards.
Fundamentally, companies in this sector should adhere to privacy laws such as HIPAA and GDPR, which mandate stringent protections for medical and genetic data. However, legal adherence is not enough. Organisations must espouse a culture of data security, ensuring encryption, access controls, vulnerability testing, and other best practices are baked into their systems.
Adopting a framework like ISO 27001, for example, enables organisations to take a systematic best practice approach across all information security processes - from assessing risks to incident response. It also ensures security controls are robust, auditable, and aligned with leading industry norms.
For consumer health and DNA testing companies handling large volumes of sensitive medical and genetic data, obtaining ISO 27001 certification also validates that rigorous cyber protections are in place. Ultimately, it builds customer trust by providing evidence of robust control over consumer information.
Defending Against Password Vulnerabilities and Intrusions
While passwords remain a standard first line of defence, relying on passwords alone offers the illusion of safety rather than real protection. Easily circumvented and eroded over time, they represent a baseline control rather than an adaptive barrier. Organisations that stake data protection primarily on basic password policies give hackers an open door.
And, yes, while individuals should practice secure password management, it is equally important for companies to address weak passwords and potential intrusions proactively. They should introduce a strong password policy encouraging employees to adopt secure passwords.
Fostering a culture of security via ongoing awareness training is also essential. This means informing staff on emerging social engineering techniques, requiring strong password hygiene, and responding promptly to phishing attempts.
Companies can reduce cybersecurity risks and safeguard operations by implementing zero-trust principles and following recognised best practices. Comprehensive identity and access management (IAM) provides a layered defence that evolves with threats and ensures the right people have access at the right time. It does so by enforcing multi-factor authentication, password managers, access reviews, activity monitoring, and automated provisioning and de-provisioning based on user roles.
By coupling technological controls with vigilant human oversight, organisations can shut the windows left open by over-reliance on lone passwords. IAM built on zero-trust principles verifies every user, device and transaction before granting least-privilege access. It protects customers and systems from intrusion while enabling productivity and growth.
In the case of the 23andMe breach, the initial intrusion should not have resulted in a widespread compromise of customer accounts. Employing multi-layered access controls and activity monitoring can prevent or halt unauthorised access to accounts and data.
Making Multi-factor Authentication the Standard
In light of the growing targeting of sensitive records like health data, multi-factor authentication (MFA) should be regarded as the minimum requirement for authentication. This multi-layered approach improves identity verification and makes unauthorised access more difficult. A fundamental advantage of MFA is that it accounts for the human factor in cybersecurity, acknowledging that individuals may be susceptible to unintentional security mistakes or social engineering tactics.
Consumer DNA testing and health companies should not offer MFA as an option – as had been the case with 23andMe – but make it mandatory for all accounts. Implementing heightened login security by default significantly reduces the risk of unauthorised access through compromised credentials. Companies with sensitive data have no excuse for not adopting MFA as a standard practice. Following the breach incident, 23andMe realised this and acted by resetting all customer passwords and requiring all users to implement two-factor authentication.
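The activity monitoring the IAM section calls for and the mandatory-MFA point above can both be illustrated with a small detection script. The following is an added example written for this page, not code from the article or from ISMS.online or 23andMe. It runs over constructed authentication log lines (the five-column format, the IP addresses and the account names are all assumptions made for the example) and flags the pattern behind the breach described here: a single source trying recycled passwords against many different accounts, with a takeover succeeding only on accounts that never enrolled in MFA.

```python
"""
Added example (not from the article): credential-stuffing detection over
constructed authentication logs, plus a report of accounts that remain
unprotected because MFA is optional rather than mandatory.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (not real data). Assumed format, one event per line:
#   timestamp  source_ip  username  result  mfa_enrolled
# result is FAIL (wrong password) or PASSWORD_OK (password accepted; if the
# account has MFA enrolled, a second factor is still required to finish login).
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.5 alice FAIL no
2023-10-01T10:00:02Z 203.0.113.5 bob FAIL no
2023-10-01T10:00:03Z 203.0.113.5 carol PASSWORD_OK no
2023-10-01T10:00:04Z 203.0.113.5 dave FAIL no
2023-10-01T10:00:05Z 203.0.113.5 erin FAIL no
2023-10-01T10:00:06Z 203.0.113.5 frank PASSWORD_OK yes
2023-10-01T10:05:00Z 198.51.100.7 grace PASSWORD_OK yes
2023-10-01T10:06:00Z 198.51.100.9 bob FAIL no
2023-10-01T10:06:30Z 198.51.100.9 bob PASSWORD_OK no
"""


@dataclass
class AuthEvent:
    ts: str
    ip: str
    user: str
    password_ok: bool
    mfa: bool


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the assumed five-column log format into AuthEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result, mfa = line.split()
        events.append(AuthEvent(ts, ip, user, result == "PASSWORD_OK", mfa == "yes"))
    return events


def detect_credential_stuffing(events, min_accounts=5, min_fail_ratio=0.6):
    """Flag source IPs that try many distinct accounts with mostly failures.

    A legitimate user mistyping a password hits one account from one IP;
    a credential-stuffing run hits many accounts and fails on most of them.
    For each flagged IP, report which accounts were taken over (password
    accepted, no MFA) and which were saved by MFA (password accepted, but a
    second factor stood in the way).
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        accounts = {e.user for e in evs}
        fails = sum(1 for e in evs if not e.password_ok)
        ratio = fails / len(evs)
        if len(accounts) >= min_accounts and ratio >= min_fail_ratio:
            flagged[ip] = {
                "accounts_tried": len(accounts),
                "fail_ratio": round(ratio, 2),
                "taken_over": sorted(e.user for e in evs if e.password_ok and not e.mfa),
                "blocked_by_mfa": sorted(e.user for e in evs if e.password_ok and e.mfa),
            }
    return flagged


def unprotected_accounts(events) -> list[str]:
    """Accounts whose password alone grants access: the ones a mandatory-MFA
    policy would have covered, regardless of where the login came from."""
    return sorted({e.user for e in events if e.password_ok and not e.mfa})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, info in detect_credential_stuffing(evs).items():
        print(f"credential stuffing from {ip}: {info}")
    print("accounts without MFA that accepted a password:", unprotected_accounts(evs))
```

On the constructed log, the script flags 203.0.113.5 (six accounts tried, two-thirds failures), reports carol as taken over and frank as protected by MFA, and lists bob and carol as accounts that a mandatory-MFA policy would have covered. The thresholds are deliberately simple; in production they would be tuned per traffic profile and combined with rate limiting and step-up authentication rather than used alone.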
Safeguarding the Sensitivity of Genetic and Health Data
The 23andMe breach underscores the profound sensitivity of consumer genetic and health data. While the exposed records did not contain personal identifiers, the potential for identity compromise, fraud and extortion remains. DNA testing and health technology companies must treat privacy not merely as a compliance matter but as a moral and strategic imperative.
This incident issues an urgent wake-up call. Information security demands proactive investment, not reactive response. It requires embedding robust protocols in advance rather than waiting for the trauma of a breach to act as the catalyst. Firms within this sector must establish an open and pre-emptive approach to cybersecurity threats and execute protective measures to safeguard client data.
DNA testing and health entities can more reliably shield consumer data from continuously advancing threats by adopting layered security strategies, compulsory multi-factor authentication (MFA), and forward-thinking protective actions.