
The genetic data of millions of Americans could fall into foreign hands if the government doesn't improve its security practices, according to the US Government Accountability Office (GAO).
GAO said the country's Department of Health and Human Services (DHHS) and its research bodies' lack of oversight on access to genomic data repositories posed a national security risk thanks to the threat of "improper use" of the data by "foreign regimes" including China.
Following an executive order in 2024, the national auditor published a report finding DHHS and the National Institutes of Health (NIH) were not "proactively" auditing researcher compliance with security requirements "such as data encryption".
It said: "Centre for Disease Control (CDC) officials stated that not all its centres that have repositories conduct oversight of whether funding recipients comply with data management or security measures for safeguarding health data."
Citing research such as the All of Us project, which created a repository of genomic data from one million Americans, GAO chastised the government for failing to act on concerns from experts and two public warnings by the Office of the Director of National Intelligence in 2021 and 2022.
GAO said the NIH had recorded 40 policy violations relating to genomic data between July 2018 and March 2024, including seven compromised server incidents, three unapproved data access violations, and three reported failures to remove data identifiers.
While the auditor recognised the NIH's policies and powers to limit access or develop remediation plans, it warned the NIH had not appeared to properly scrutinise access requests from "countries of concern", though its guidance is now to reject these requests. However, GAO also said the NIH's limited oversight on the issue meant it may "be missing violations … that go unreported by researchers."
Notably, ODNI’s 2021 warning singled out China as having “collected large healthcare data sets from the US and nations around the globe” for years and the office reported at least one Chinese genomics company accessed US data through research partnerships.
GAO recommends…
The accountability office recommended four courses of action to the DHHS’s Office of National Security, NIH and CDC in response to its investigations.
For the Office of National Security, that included developing training and guidance on supply chain risk to ensure operating divisions would “implement effective risk management for genomic data security.”
GAO also told the NIH it should “proactively and comprehensively” monitor compliance with data management and security measures, as well as systematically track how genetic services are used by internal and external researchers at institutions it funded and partnered with.
Finally, for the CDC, the office recommended similar procedures to restrict access to repositories of human genomic information and a proactive and comprehensive monitoring programme for researcher compliance.
Data management issues extend beyond healthcare
It’s not just genetic personal data GAO is concerned about. The office also published a report into US oversight of so-called smart cities, warning it could see little benefit for citizens in the amount of personal data collected by smart city technology.
Despite claims from city officials that smart cities were alleviating transportation and law enforcement issues, GAO said assessments of the alleged benefits “are difficult to develop.”
Though many law enforcement agencies espoused the benefits of smart technology for number plate recognition and gunshot detection, GAO also heard it was “unclear whether the use of these technologies resulted in less crime.”
Instead, it said it saw some benefits in using data for actions such as identifying and recovering stolen property, but officials also warned gunshot detection systems “may not reduce gun crime in the city but only shift it to another area.”
As in its genomic data report, GAO’s assessment also criticised the management of data collected by smart city technology and said people should ideally be able to consent to use of their data, something that would be very hard to do on a large scale.
At the very least then, GAO recommended increased transparency when city governments procured smart technologies and said they should “develop and share effective data governance” standards to protect individuals and anonymise their data.
The office also highlighted the cybersecurity risks of smart cities and warned recent ransomware attacks on local governments in California showed the need for cybersecurity standards, including the NIST Cybersecurity Framework, to become mandatory for smart technologies.