What happens when the companies holding your most sensitive data start to falter? Sarah is joined by Drex to dive into the alarming challenges facing 23andMe and Atlas Biomed, two major players in genetic testing. Explore the intersection of data privacy, financial instability, and the unique risks of DNA testing. From data breaches to the ethical implications for health systems, this episode uncovers why the stakes are higher than ever for healthcare leaders.
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Today in Health IT, we are discussing a DNA firm holding highly sensitive data that vanishes without warning, and DNA testing site 23andMe fighting for survival. You get a twofer today. My name is Sarah Richardson. I'm a former CIO for several healthcare systems, most notably within HC and Optum, and now president of the This Week Health 229 Executive Development Community, where we host a set of channels and events dedicated to transforming healthcare, one connection at a time.
And I am joined by Drex DeFord, president of our 229 Cyber and Risk Community. Drex, welcome to the show. It's always so amazing and awesome to be here with you. Thank you. And I said, it's a twofer, happy Friday. It's two of us and two articles. Yeah, amazing. And you covered this topic in last week's Two Minute Drill, and we're going to dive into it a little bit deeper.
I want to start with the 23andMe one. They were a leading DNA testing firm with celebrity endorsements, millions of users, and now they find themselves struggling, and their share price has gone from 321 to under five. Yeah. It's really all about being an unsustainable business model, delayed profitability from drug research, et cetera.
With the departure of most of its board and takeover rumors, it has an uncertain future. And then the unique sensitivity of genetic data does raise concerns about privacy and security, especially given a past data breach and potential risks if the company folds or is sold. What are your thoughts on this one?
Holy cow. There's so much there to unpack. We talked about it in the Two Minute Drill. I was one of the folks who took the DNA test really early on. I met somebody at a conference. They'd given me basically a free pass to do the DNA test. I got the little tube. I'm trying to remember if I swabbed my cheek, or if I spit into a tube, or what the situation was.
But anyway, I sent it in and I got a bunch of great information back. It was mostly fun stuff, right? There were a couple of genetic markers that I was interested in, like Alzheimer's. Do I have the marker for that? And I didn't. And then there were other obviously really interesting things in there too, about my background.
I'm way more Irish than I was ever told in my family. They always said there was a lot of French background in our family. With the last name DeFord, you would think that would be the case, but it turned out to be a lot more Irish.
And then, over time, you start to realize that you've given away a really valuable thing for a little bit of information. And that is not necessarily the best decision that I had ever made. This is one of those things too, where I'd done a story at one point on the Two Minute Drill about quantum computing.
And I talked about Lance Armstrong and this idea that they didn't catch Lance Armstrong cheating in the Tour de France during his riding days. They caught him later because the technology got better and better and they were able to test the extra samples they had taken from him during his riding days.
And that's when they figured out, oh wait, look, he's positive for EPO and all these other things. This is the same thing that's happening with DNA. When I first took the test, there were like eight things they could tell you. And now I get an email almost every day about DNA testing or something that tells me there's a new marker, there's a new thing they can do.
And this is from my old original DNA sample. The further we go, the more interesting it becomes with DNA, what they can figure out from that sample and what they can do with it. And that can be bad for me, right? Especially when you get into these companies. I'm on a roll here.
Especially when you get into these companies that start to have financial situations and financial challenges and they start to disappear from the market. One of the companies is a company in Britain that the story's written about. They start to disappear from the market, and you can't get a hold of them, and of course you start to wonder, what's happening to my DNA sample?
What's happening to the data that they have on me? Have they sold it to someone? Is someone going to buy the company? So it's all that. And there have been data breaches. Obviously 23andMe's been breached and they've settled a big class action lawsuit in the past. And they're struggling now, trying to figure out what they're going to do next.
The CEO says they want to take the company private. The board has resigned because a lot of the people on the board didn't want to do that. It's a really interesting and tough situation, I think, for a lot of people who have submitted their DNA samples for a little bit of cool information and now are like how do I get out of it?
Yeah, because if we talk about the other company, Atlas Biomed, which was a London-based DNA testing company, ceased operations, people can't get their genetic reports, and who has this highly sensitive DNA data? These customers paid for personalized reports, and now they've had no communication, no transparency about where the data has gone, and no one's returning any of the calls or outreach from patients or consumers that utilized their services.
I think about highlighting the potential risk of DNA going to private firms. And you have no control over the fate of a company if it dissolves. And when we consider DNA data, it is uniquely sensitive, and it doesn't just reveal your individual health information. Also genetic links to your family. So all the fun that we have, hey, ancestry.com and finding long-lost cousins, is a thing. There's also that space that says, I literally just gave up a very unique code to my entire family tree. Especially if you have some really unique marker. And all that information can be in the hands of the bad guys who are thinking about this stuff all of the time.
This really, Drex, underscores the need for data protection and transparency when handling sensitive patient information, especially DNA and other biometric data. So we know that genomic testing and markers are things that are some of the advanced technologies that health care systems are pursuing for all of the right reasons.
But a health care CIO prioritizes really stringent data security measures, transparent data governance policies to protect patients' privacy and ensure their trust. How is that conversation unfolding, or should it unfold, in the boardroom, with the C suite, with partners? Because it ends up potentially being seen as another block in the efficiency of actually implementing the right technologies.
And yet, these cases remind us patient data is a long-term responsibility, inclusive of data retention and transfer policies if a company faces financial challenges or even closures. Like software code, get your code in escrow. Know ahead of time what happens if that company goes out of business and your system is running on their software platform. That's the same as if, oh my gosh, now I have all of these patients' DNA.
How should that conversation be unfolding? I think a lot of this is, again, a risk conversation. I think on the consumer side, we do a lot of things like sign those terms and conditions or check that box. And we don't really read it. I think in health systems, sometimes there's some of that same sort of thing that goes on, especially now with software as a service. There's so many things that we can do and so many things we can get access to.
We can do it so easily and we can almost pay for it with a credit card. And there's a lot of terms and conditions that we may just accept. But we don't really ask those questions. So in the interest of "I'm trying to get things done right now," often what happens is that we sign these things and we don't think about what really happens to that data 10 years from now.
Like what happens, like you said, if that company goes out of business. But it's a good reminder, I think, to dig into this, be really clear when you sign those agreements about what that data can be used for. There's a lot of concern, a lot of consternation right now about data being used to train AI models, for example, and I don't want my data to be used for that.
Or as a health system, maybe you do and maybe you don't, and maybe you only want it to be used for that in certain situations. Be clear about that kind of stuff in the contract. This gets into a third party risk management conversation. How long should that data be retained? Some of that is the question of exposure, right?
If that company gets breached and all their data is taken, there's a big difference between you saying to that third party partner, yes, because of the work we're doing together, come in, you can take all of our data and you can keep it forever, versus saying, here's the 42 data elements that we're going to give you, and you can only have it for one year, and then you have to delete it.
And then, of course, we need an attestation from you every month that says you've deleted the 13-month data from both your primary system databases and your backups, because those backups get stolen too. So it's all those kinds of things. I think those are the things that we should be writing into third party risk management, writing into our contracts anyway, to protect ourselves.
But it does protect our data, and by our data, the patients' and families' data. And that's really what we're supposed to be doing, taking care of those families and taking care of the things that they give us to look out for them. But super important in all of this is that role of data in the organization and the data teams and the ownership and the stewardship.
And to your point, the protocols, the regulatory requirements, how we're handling sensitive data, how we're talking about data ethics with our patients and what their consumer consent may look like, how we're transferring it, and then really continuing to build that trust and understanding that we may use cybersecurity in a facility as a differentiator. Because for us, how we handle your data is an asset to help build a stronger brand, a greater layer of connectivity to a degree with your patients, because this may be a partner that is out of the country. And so you're tackling what requirements could be from a global perspective, and healthcare is local, yet the systems we use may not be and often are not local.
But I really do consider what that means as a patient. You trust your hospital and your doctor to take care of your body and your information with equal amounts of care and concern. There's so much that goes into it. Having established several data programs in my career, and you have as well, there's sometimes this expectation that once it's established, it no longer needs the same lens or the level of funding that it has in the past. It goes back to things that you and I have talked about in terms of meaningful use type requirements in cybersecurity. Getting there is only part of the journey.
Staying there can be as expensive and arduous as it was to get there in the first place, yet you never get to take the gas off of that pedal, nor should you. And honestly, I had so many conversations fighting for funding for the data programs after they were established that sometimes I felt like, how could I make it any more obvious that we need to keep doing the right thing in a way that is beneficial to the organization?
You don't just get there and you're done. It's like getting in shape. Getting in shape is really hard. Staying in shape is just as hard. That's good. That's a really good analogy. And I think this idea too, for partners, the idea that being able to explain what you do from a cyber security perspective, what you've done to get into shape from a cyber security perspective and what you're doing to stay in shape from a cyber security perspective, can give some vendors a competitive advantage when it comes to the buying process, right?
If I'm a CISO or CIO at a health system and I'm buying something new to support our data program, I have to ask a hundred questions over and over to try to clarify, to make sure that you are doing all the things that you should do to run a good program. And then somebody shows up with basically a suitcase or something that kind of explains everything that is happening in their organization from their cyber program perspective, where they're short, where they're challenged. We don't expect you to be perfect. We just want to make sure that you are exercising regularly and that you're figuring out how to stay fit, right? To continue that analogy. And if you're doing that, that's great. We can probably work with that.
But if you're just, "we got these certificates and that's the end of it for us," that's going to be a problem. So the world changes, the tech changes. The bad guys change, they come up with new techniques. There's new problems with software. There's new issues with networks that pop up every day, zero days that are happening more often than ever before, so you have to exercise regularly, to use your analogy. Like you got to lift those weights and stay in shape if you're going to fight these bad guys, just like by getting in and staying in shape. Weightlifting, strength training is the fountain of youth. You can do cardio all day long, but if you're not adding in things like strength training and hydration and sleep and nutrition, then you're going to have gaps in your personal care. And that's going to be the same thing for your security programs and the fabric for your data.
And these are the articles I'd be bringing forward to the board, or at least posing as a question to my C suite peers: what is our plan for genetic data protection? What is our ethical responsibility? Because here's what could happen. What's interesting too is that same level of rigor that goes into having preemptive conversations about genetic data protection as an example.
Even if you're not doing that yet, you likely will be in your healthcare facility or be given that type of information via interoperability. And this is our responsibility. Here's how we're going to do it. When you're planning for something that hasn't happened yet, or you're thinking about it when it does happen, you're already ahead of the game.
In a game it's pretty hard to ever be ahead of anymore. Cyber is that space where I feel like you're always chasing the dime. You're always looking for that opportunity to stay ahead. And at least in this conversation, you can be informed, so you're taking the right next steps. Yeah, I think that's the difference between being reactive and just buying things because it's the hot thing in the market today, versus actually having a program that is risk based and you're actually figuring out how to do the right things to reduce the most risk in the organization.
That's a good program and it's a framework that you can work with to build a better program that stays a better program over time. So it's Friday. And if you're more Irish than you thought, does this mean that there's a pint of Guinness in your future? There might very well be. Yeah, there's a little place a couple of blocks from the house that I hang out.
Probably. I should lift weights, actually, is what I should do now that I've heard this from you, as opposed to lifting Guinness. But yeah, you never know. If you go lift the weights, then lifting the Guinness is the reward at the end. It's the thing that you chase down that actually is waiting for you.
I like it. That journey. Carbo loading. Yes. Always so much fun to chat with you, especially on a Friday. I feel like we get to be a little more open and share ideas in a little bit more depth. That also allows us to show the fun side of things that are tough to be doing every day as a practitioner.
Yeah, we're super lucky. We're super lucky we get to work with all our heroes, all the people that work in the health systems and actually do the really hard work. We learn a lot from them every day. I feel like we built something here that lets us be a conduit between those people.
We're like networking routers in a lot of ways. We help connect people. We give them good information, and we've talked about this before, but we're just super lucky to be doing what we're doing right now and just helping the industry get better. Couldn't agree more. And if there's a topic that our listeners want us to cover, that they know that they need to hear more about, everybody, y'all know where to find us. So remember to share this podcast with a friend or a colleague. Use it as a foundation for daily or weekly discussions on the topics that are relevant to you and the industry. You can subscribe wherever you listen to podcasts. Thanks for listening. That's all for now.