EE595PMP:
SecurityandPrivacyofBiomedical
Cyber-PhysicalSystems
Spring2016
Tamara Bonaci
[email protected]
TheStoryofHenrieIaLacks
Picturecredit:wikipedia.org
EE 595, Spring 2016 - Lecture 10
2
WhatisGeneNc/GenomicTest?
•  GeneNc/genomictestsmayinclude:
–  AnalysesofhumanDNA,RNA,andchromosomes
todetectheritableoracquireddisease-related:
• 
• 
• 
• 
Genotypes
MutaNons
Phenotypes
Karyotypes
–  Analysesofhumanproteinsandmetabolitesused
predominantlytodetectinbornerrorsof:
•  Metabolism
•  Heritablegenotypes
•  MutaNons
EE 595, Spring 2016 - Lecture 10
3
WhatCareAboutGeneNc/GenomicTests?
•  Gene>c/genomicinforma>onmayinform:
1.  DeterminaNonofdiseaserisk
2.  Appropriatedrugdosingtoavoidadverse
events/effects
3.  SelecNonof(themost)effecNvemedical
treatment
EE 595, Spring 2016 - Lecture 10
4
GeneNcExcepNonalism
ShouldgeneNc/genomicinformaNon
betreateddifferentlyfromother
healthinformaNonforpurposesof
dataaccessandpermissibleuse?
EE 595, Spring 2016 - Lecture 10
5
(Unique)CharacterisNcsofGeneNc/GenomicData
•  Uniqueness
– EachindividualhasuniquegeneNc/genomiccode
– Problem1:consolidateddatabasesofgeneNc/
genomicinformaNoncouldpossiblybemindedfor
idenNficaNonpurposes
– Problem2:(ever)increasingabilitytoaccurately
predictanindividual’sphysicalcharacterisNcs
fromtheirDNAsequence
EE 595, Spring 2016 - Lecture 10
6
(Unique)CharacterisNcsofGeneNc/GenomicData
•  PredicNveCapabiliNes
–  SomegeneNc/genomicinformaNoncanbeusedto
predictthelikelihoodofdevelopingadiseaseorthe
responsetoaspecificdrug
–  Pro:intheabsenceofothercorroboraNngclinical
symptoms,geneNcdatacanbeusedtoinformhealth
caremanagementdecisions
–  Con:AvailableinformaNoncanbeusedto
discriminatebasedonpredisposiNon
EE 595, Spring 2016 - Lecture 10
7
(Unique)CharacterisNcsofGeneNc/GenomicData
•  Immutability
–  Anindividual’sinheritedinformaNondoesnotchange
throughoutlife
–  Problem:publicdisclosureofpersonalgeneNc/
genomicinformaNoncouldcreatelong-lasNngand
unpredictableeffects
–  Knowexamplesofmisuses:
•  PromoNonofeugenicsiniNaNves
•  DiscriminaNonininsuranceandatworkplaces,
•  Unauthorizedaccesstoindividuals’medicalhistories
EE 595, Spring 2016 - Lecture 10
8
(Unique)CharacterisNcsofGeneNc/GenomicData
•  ImpactonFamily
– GermlinemutaNons(mutaNonscontained
inthespermoreggthatmaybepassedto
offspring)mayrevealinformaNonabout
medicalriskstoblood-relaNves
EE 595, Spring 2016 - Lecture 10
9
(Unique)CharacterisNcsofGeneNc/GenomicData
•  UbiquityandEaseofProcurement
–  Anindividual’sgenomicinformaNoncanbeeasily
obtainedwithouthis/herknowledgeorpermission
from:
•  Saliva
•  Blood
•  Hair
•  OtherdepositedNssues
EE 595, Spring 2016 - Lecture 10
10
GeneNcExcepNonalismRevisited
ExcepNonalismwithRespecttoDataAccess
– GeneNcinformaNonprobablygenerallydoes
notrequiremoreprotecNonthanother
sensi,veinforma,on(e.g.,HIVstatus,
mentalhealth,ordrugabuse)
– Possibleapproach:Datamaskingor
controlleddataaccess
– Problem:possiblenegaNveimpactofdata
maskingonpaNentshealthcare
EE 595, Spring 2016 - Lecture 10
11
GeneNcExcepNonalismRevisited
ExcepNonalismwithRespecttoDataUse
–  ProtecNonsagainstthemisuseofgeneNc/genomictest
data(e.g.,discriminaNon)
–  Is data predictive and/or immutable?
–  Has it been historically misused?
–  Does access to that information normally requires testing to be carried
out?
–  RegulaNonsregardingtheuseofgeneNcdataforresearch
purposes(e.g.,properdisclosureoftheriskofpersonal
idenNficaNonandtheneedtoprohibitdataminingand
aggregaNngtechniquesdesignedspecificallytocircumvent
individualprivacyprotecNon)
EE 595, Spring 2016 - Lecture 10
12
ExisNngPrivacyProtecNonMechanisms
ExisNngmechanismstoprotectprivacyof
geneNc/genomicdatainclude:
1.  AnonymiziaNon
àShowntobeineffecNveforgeneNc/genomicdata
2.  AddingnoisetopublishedgeneNc/genomicdata
(differenNalprivacyguarantees)
àAlsoineffecNve
3.  ComputaNonalparNNoning
4.  Cryptography
EE 595, Spring 2016 - Lecture 10
13
ExisNngPrivacyProtecNonMechanisms-Cryptography
CryptographicMechanisms
–  Usedtopreserveconfiden,alityandu,lityofdata
–  Relyoncomputa>onallimita>onsofadversaries
àTypicallys>llvulnerabletobrute-forceaJacks
Giventhelongevityofgene>c/genomic
data,currentlyassumedcomputa>onal
limita>onsmaybecomeincorrectorerode
over>me
EE 595, Spring 2016 - Lecture 10
14
HoneyEncrypNon(HE)
•  PropertyofHoneyEncrypNon:
– Whenciphertextisdecryptedwithan
incorrectkey,theresultissNllaplausiblelookingyetincorrectplaintext
àHEgivenanaddiNonallayerofprotecNon
againstbrute-forceaIacks
EE 595, Spring 2016 - Lecture 10
15
HEandDistribuNonTransformingEncoder(DTE)
•  DistribuNonTransformingEncoder(DTE)
– TransformsapotenNallynon-uniformspace
ofallowedmessagesMintoauniformlydistributedseedspaceS
– Formally,DTEisapairofalgorithms,
DTE:=(encode,decode)
EE 595, Spring 2016 - Lecture 10
16
HEandDistribuNonTransformingEncoder(DTE)
•  Formally,DTEisapairofalgorithms,DTE:=
(encode,decode)
•  encodetakesamessagemfromsetMasinputand
probabilisNcallyoutputsciphertextsfromS
•  decodetakesasinputciphertextsfromSandoutputs
amessagemfromM
•  IfthekeyusedfordecrypNoniscorrect,outpuIedm
isthecorrectm
•  Otherwise,outpuIedmisincorrect,butplausible
looking
EE 595, Spring 2016 - Lecture 10
17
PersonalizedMedicineandPharmacogeneNcs
•  PharmacogeneNcmodels:
– Typicallyconstructedusingsupervisedmachine
learningoverlargepaNentdatabases
containingclinicalandgenomicdata
– Datasetstypicallykeptprivate,butthemodels
learnedfromthemaremadepublic
EE 595, Spring 2016 - Lecture 10
18
ExperimentalStudy:PersonalizedWarfarinDosage
•  Warfarin–ananNcoagulantwidelyusedtohelpprevent
strokesinpaNentssufferingfromatrialfibrillaNon
–  Knowntoexhibitacomplexdose-responserelaNonship
affectedbymul,plegene,cmarkers
–  Improperdosingcanleadtoincreasedriskofstrokeor
uncontrolledbleeding
•  Interna,onalWarfarinPharmocogene,csConsor,um(IWPC)
collecteddataaboutclinicalhistory,demographicsand
genotypefromthousandsofWarfarinusersaroundtheworld
•  BasedondatafromIWPCdataset,alinearregression
mathema>calmodeldevelopedtoaccuratelypredictan
WarfarindoseforanindividualpaNent
EE 595, Spring 2016 - Lecture 10
19
ExperimentalStudy:PersonalizedWarfarinDosage
•  Ques>on:towhichdegreedoesthelinearregressionbasedWarfarindosagemodelleaksensi>veinforma>on
aboutapa>ent’sgenotype?
•  Answer:ModelInversionAJack
–  GivenamodeltrainedtopredictaspecificiniNaldosefora
singlepaNent,anaIackerusesittomakeinferencesabout
sensiNveaIributesusedasinputtothemodel
•  ModelinversionaJackstakeadvantageofcorrela>on
betweenthetarget,knownaJributes(inourcase,
demographicinforma>on)andthemodeloutput(warfarin
dosage)
EE 595, Spring 2016 - Lecture 10
20
References
• 
ArtCaplan:NIHFinallyMakesGoodwithHenrieAaLacks’Family--andit'saboutTime,
EthicistSays,nbcnews.com,August7,2013,online:
hIp://www.nbcnews.com/health/nih-finally-makes-good-henrieIa-lacks-family-its-aboutNme-6C10867941
• 
AmyL.McGuire,RebeccaFisher,PaulCusenza,KathyHudson,MarkA.Rothstein,Deven
McGraw,StephenMaIeson,JohnGlaser,andDouglasE.Henley,Confiden,ality,Privacy,and
SecurityofGene,candGenomicTestInforma,oninElectronicHealthRecords:Pointsto
Consider,Gene,csinMedicine(2008)10,495–499.
• 
ZhicongHuang,ErmanAyday,JacquesFellay,Jean-PierreHubaux,AriJuels,GenoGuard:
Protec,ngGenomicDataagainstBrute-ForceAAacks,theProceedingsoftheIEEE
SymposiumonSecurityandPrivacy2015.
• 
MaIhewFredrikson,EricLantz,andSomeshJha,SimonLin,DavidPageandThomas
Ristenpart,PrivacyinPharmacogene,cs:AnEnd-to-EndCaseStudyofPersonalizedWarfarin
Dosing,theProceedingsofthe23rdUSENIXSecuritySymposium,2014.
EE 595, Spring 2016 - Lecture 10
21