A Safe (and Compliant) Haven for Genomic Data in the Cloud

Despite a general comfort with putting personal information on Facebook or LinkedIn or plugging our credit card numbers into websites to book travel, buy birthday presents or rent movies, one of the earliest and most lasting concerns raised about storing genomic data in the cloud has been whether the data are secure.

And rightfully so. Data security isn’t a “nice-to-have” when it comes to personally-identifiable DNA sequence data; it’s essential. With genomic sequencing emerging as essential to clinical development and the delivery of both diagnostics and therapies, compliance with regulations that apply to the handling of genetic data and its subsequent integration into other medical data systems are equally critical. As raw data are converted into more meaningful information, they become an asset as valuable and sensitive as any other personal information, currency, or intellectual property.

We’ve taken a very proactive approach to security and compliance at DNAnexus. Just as hospitals put the highest possible premium on security of their data, so too do cloud platform providers — because their entire business rides on utilizing best-in-class measures to assure the security, integrity and availability of their customers’ data. Our platform was developed from the ground up with this in mind and includes a number of features that allow each user to create a secure and compliant environment that will meet their unique needs today and in the future.

More specifically, the DNAnexus platform was developed with the internationally accepted ISO 27002 controls for best practices in information security and includes a number of features to ensure the highest level of data security for both research and clinical use, including:

  • Data integrity:
    • SAS-70 and PCI certified physical security of data centers
    • Data encryption (with full-disk AES-256 for data storage and SSL/TLS for data transport)
    • Third-party security audit
  • Access control:
    • Member administrators control access and retention policies
    • Passwords must be complex and periodically changed
    • Accounts timeout when idle, and lock when unused, and after too many incorrect login attempts
  • Administrator restrictions:
    • Two-factor authentication required
    • All administrative access is controlled and logged
  • API access restrictions:
    • API key required and limited to a validity period

To provide additional assurance to our users, we received an independent auditors’ certification of our compliance with ISO-27001 with respect to the management of our information systems.

To comply with clinical requirements relating to data integrity and reproducability, DNAnexus supports data logging and auditability for 6 years, and versioned and reproducible analysis tools and results.  Collectively, the security and compliance features implemented in our platform enable compliance with HIPAA, CLIA, Good Clinical Practice (GCP), 21 CFR Parts 11, 58, 42 CFR part 493, European Data Privacy laws and regulations (EU Directive 95/46/EC) and dbGaP Best Practices. For additional details please review our following white papers on our security and compliance practices:

We also work closely with our partners at Amazon Web Services to develop and deploy security strategies that are often far more sophisticated than those used in, or even available to, most premises-based data centers. Whether your data is at rest or in motion as you share it across your project group, you can be sure it’s protected within the DNAnexus platform.

If you are interested in learning more about our security and compliance measures, please visit dnanexus.com.

Security Advisory: Response to Heartbleed Vulnerability

On April 7, 2014, a serious vulnerability known as Heartbleed (CVE-2014-0160) was disclosed in the OpenSSL cryptography library, affecting many popular software packages and Internet services. The vulnerability could potentially be exploited to steal sensitive data such as encryption keys and user passwords. We have no evidence that any DNAnexus customer data or credentials were compromised using this vulnerability. However, out of an abundance of caution, we have taken the following steps below and will continue to implement security actions in response to this event.

At DNAnexus, the security of our clients is our top priority. As soon as the vulnerability was disclosed, we started identifying services on our platform that were affected. All such services were patched to eliminate the vulnerability within 8 hours after it was initially disclosed. After this initial response, we started a thorough analysis of how our systems and the security of our clients could have been affected.

At this time, we have no reason to believe any customer data or credentials were compromised using this vulnerability. Moreover, none of our services that handle genomic data were directly vulnerable. However, services that handle credential information were affected. The nature of this attack makes it hard to detect, and therefore we have decided to take the following precautions:

  • We have updated our affected SSL certificates, to eliminate the possibility that our private SSL keys were compromised.
  • Existing browser-based login sessions initiated before the patch date have been terminated, so you will need to log in again the next time you use the platform.
  • We have triggered early expiration of DNAnexus passwords set before the patch date, so the next time you log in to the platform, you will be prompted to reset your password.
  • The next time you log in, you will also see a security alert advising you to update any API keys that you may have issued on the platform.

To minimize the risk of compromise of your account from possible attacks including this one, we also recommend turning on Two-Factor Authentication (2FA) on the DNAnexus platform, or cycling it if it was already on. Follow these steps:

  • Log in to https://platform.dnanexus.com/
  • Select your name on the upper right and pull down the “Profile” menu item
  • Select the Account tab and click Security
  • If 2FA was previously on, turn it off using your current password and a 2FA Code
  • Turn on Two-Factor Authentication and link your account and authenticator application
  • Verify access using your current password and a Two-Factor Authentication Code, being sure to save your backup codes before pressing “Continue”

We welcome customer feedback – if you have any questions or comments about our security practices, please reach us at support@dnanexus.com.


Keep Your HIPAA-Protected Data Safer with Cloud Computing

hipaa complianceIf you’ve been considering the implications of cloud computing when it comes to HIPAA compliance, a new article in Healthcare IT News is worth a read.

The article, penned by our own general counsel Lee Bendekgey, is entitled “Cloud computing reduces HIPAA compliance risk in managing genomic data.” In it, Lee looks at the massive computational infrastructure required for handling new health data, such as genome sequences. “The resources required to process, analyze, and manage petabytes of genomic information represent a huge burden for even the largest academic research facility or healthcare institution,” Lee writes.

While it may seem counterintuitive, he adds, moving data to a cloud environment can actually improve data security. Lee considers HIPAA requirements and historic breaches of HIPAA-secured data, looking at what factors may have improved security in those situations where personal health information was put at risk.

Breaches tend to occur on items that are portable — flash drives and laptops, for instance — so keeping data in the cloud means that sensitive data never actually lives on one of these easily stolen or lost devices. Cloud computing providers routinely encrypt data while it’s in transit and at rest, adding to high-grade security. Medical organizations considering this route should ensure that a cloud provider guarantees security audits, certifications, and assessments associated with HIPAA compliance.

“By using a cloud-based service with an appropriate security and compliance infrastructure, an organization can significantly reduce its compliance risk,” Lee writes.