Hagestedt, Inken; Zhang, Yang; Humbert, Mathias; Berrang, Pascal; Haixu, Tang; XiaoFeng, Wang; Backes, Michael: MBeacon: Privacy-Preserving Beacons for DNA Methylation Data. NDSS 2019, 2019. (Type: Journal Article | Abstract | BibTeX)@article{hagestedt2018mbeacon,
title = {MBeacon: Privacy-Preserving Beacons for DNA Methylation Data},
author = {Hagestedt, Inken and Zhang, Yang and Humbert, Mathias and Berrang, Pascal and Haixu, Tang and XiaoFeng, Wang and Backes, Michael},
year = {2019},
date = {2019-02-28},
journal = {NDSS 2019},
abstract = {The advancement of molecular profiling techniques fuels biomedical research with a deluge of data. To facilitate data sharing, the Global Alliance for Genomics and Health established the Beacon system, a search engine designed to help researchers find datasets of interest. While the current Beacon system only supports genomic data, other types of biomedical data, such as DNA methylation, are also essential for advancing our understanding in the field. In this paper, we propose the first Beacon system for DNA methylation data sharing: MBeacon. As the current genomic Beacon is vulnerable to privacy attacks, such as membership inference, and DNA methylation data is highly sensitive, we take a privacy-by-design approach to construct MBeacon. First, we demonstrate the privacy threat, by proposing a membership inference attack tailored specifically to unprotected methylation Beacons. Our experimental results show that 100 queries are sufficient to achieve a successful attack with AUC (area under the ROC curve) above 0.9. To remedy this situation, we propose a novel differential privacy mechanism, namely SVT^2, which is the core component of MBeacon. Extensive experiments over multiple datasets show that SVT^2 can successfully mitigate membership privacy risks without significantly harming utility. We further implement a fully functional prototype of MBeacon which we make available to the research community.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
The advancement of molecular profiling techniques fuels biomedical research with a deluge of data. To facilitate data sharing, the Global Alliance for Genomics and Health established the Beacon system, a search engine designed to help researchers find datasets of interest. While the current Beacon system only supports genomic data, other types of biomedical data, such as DNA methylation, are also essential for advancing our understanding in the field. In this paper, we propose the first Beacon system for DNA methylation data sharing: MBeacon. As the current genomic Beacon is vulnerable to privacy attacks, such as membership inference, and DNA methylation data is highly sensitive, we take a privacy-by-design approach to construct MBeacon. First, we demonstrate the privacy threat, by proposing a membership inference attack tailored specifically to unprotected methylation Beacons. Our experimental results show that 100 queries are sufficient to achieve a successful attack with AUC (area under the ROC curve) above 0.9. To remedy this situation, we propose a novel differential privacy mechanism, namely SVT^2, which is the core component of MBeacon. Extensive experiments over multiple datasets show that SVT^2 can successfully mitigate membership privacy risks without significantly harming utility. We further implement a fully functional prototype of MBeacon which we make available to the research community. |
Erlich, Yaniv; Shor Tal; Pe’er, Itsik; Carmi, Shai;: Identity inference of genomic data using long-range familial searches. Science, 2018. (Type: Journal Article | Abstract | Links | BibTeX)@article{10.1126/science.aau4832,
title = {Identity inference of genomic data using long-range familial searches},
author = {Erlich, Yaniv; Shor Tal; Pe’er, Itsik; Carmi, Shai;},
url = {http://science.sciencemag.org/content/early/2018/10/10/science.aau4832},
year = {2018},
date = {2018-10-11},
journal = {Science},
abstract = {Consumer genomics databases have reached the scale of millions of individuals. Recently, law enforcement authorities have exploited some of these databases to identify suspects via distant familial relatives. Using genomic data of 1.28 million individuals tested with consumer genomics, we investigated the power of this technique. We project that about 60% of the searches for individuals of European-descent will result in a third cousin or closer match, which can allow their identification using demographic identifiers. Moreover, the technique could implicate nearly any US-individual of European-descent in the near future. We demonstrate that the technique can also identify research participants of a public sequencing project. Based on these results, we propose a potential mitigation strategy and policy implications to human subject research.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Consumer genomics databases have reached the scale of millions of individuals. Recently, law enforcement authorities have exploited some of these databases to identify suspects via distant familial relatives. Using genomic data of 1.28 million individuals tested with consumer genomics, we investigated the power of this technique. We project that about 60% of the searches for individuals of European-descent will result in a third cousin or closer match, which can allow their identification using demographic identifiers. Moreover, the technique could implicate nearly any US-individual of European-descent in the near future. We demonstrate that the technique can also identify research participants of a public sequencing project. Based on these results, we propose a potential mitigation strategy and policy implications to human subject research. |
Asharov, G., Halevi, S., Lindell, Y., & Rabin, T. : Privacy-Preserving Search of Similar Patients in Genomic Data. Proceedings on Privacy Enhancing Technologies, 2018(4), pp. 104-124., 2018. (Type: Journal Article | Abstract | BibTeX)@article{asharov2018privacy,
title = {Privacy-Preserving Search of Similar Patients in Genomic Data},
author = {Asharov, G., Halevi, S., Lindell, Y., & Rabin, T. },
year = {2018},
date = {2018-07-13},
journal = {Proceedings on Privacy Enhancing Technologies, 2018(4)},
pages = {104-124.},
abstract = {The growing availability of genomic data holds great promise for advancing medicine and re- search, but unlocking its full potential requires adequate methods for protecting the privacy of individuals whose genome data we use. One example of this tension is run- ning Similar Patient Query on remote genomic data: In this setting a doctor that holds the genome of his/her patient may try to find other individuals with “close" genomic data, and use the data of these individuals to help diagnose and find effective treatment for that pa- tient’s conditions. This is clearly a desirable mode of operation. However, the privacy exposure implications are considerable, and so we would like to carry out the above “closeness” computation in a privacy preserving manner.
In this work we put forward a new approach for highly efficient secure computation for computing an approx- imation of the Similar Patient Query problem. We present contributions on two fronts. First, an approxi- mation method that is designed with the goal of achiev- ing efficient private computation. Second, further opti- mizations of the two-party protocol. Our tests indicate that the approximation method works well, it returns the exact closest records in 98% of the queries and very good approximation otherwise. As for speed, our pro- tocol implementation takes just a few seconds to run on databases with thousands of records, each of length thousands of alleles, and it scales almost linearly with both the database size and the length of the sequences in it. As an example, in the datasets of the recent iDASH competition, after a one-time preprocessing of around 12 seconds, it takes around a second to find the nearest five records to a query, in a size-500 dataset of length- 3500 sequences. This is 2-3 orders of magnitude faster than using state-of-the-art secure protocols with exist- ing edit distance algorithms.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
The growing availability of genomic data holds great promise for advancing medicine and re- search, but unlocking its full potential requires adequate methods for protecting the privacy of individuals whose genome data we use. One example of this tension is run- ning Similar Patient Query on remote genomic data: In this setting a doctor that holds the genome of his/her patient may try to find other individuals with “close" genomic data, and use the data of these individuals to help diagnose and find effective treatment for that pa- tient’s conditions. This is clearly a desirable mode of operation. However, the privacy exposure implications are considerable, and so we would like to carry out the above “closeness” computation in a privacy preserving manner.
In this work we put forward a new approach for highly efficient secure computation for computing an approx- imation of the Similar Patient Query problem. We present contributions on two fronts. First, an approxi- mation method that is designed with the goal of achiev- ing efficient private computation. Second, further opti- mizations of the two-party protocol. Our tests indicate that the approximation method works well, it returns the exact closest records in 98% of the queries and very good approximation otherwise. As for speed, our pro- tocol implementation takes just a few seconds to run on databases with thousands of records, each of length thousands of alleles, and it scales almost linearly with both the database size and the length of the sequences in it. As an example, in the datasets of the recent iDASH competition, after a one-time preprocessing of around 12 seconds, it takes around a second to find the nearest five records to a query, in a size-500 dataset of length- 3500 sequences. This is 2-3 orders of magnitude faster than using state-of-the-art secure protocols with exist- ing edit distance algorithms. |
Nora von Thenen (Bilkent University), Erman Ayday (Bilkent University); A. Ercument Cicek (Bilkent University; CMU): Inference Attacks Against Genomic Data-Sharing Beacons.. Genopri 2017, 2017. (Type: Journal Article | BibTeX)@article{Weidman2017,
title = {Inference Attacks Against Genomic Data-Sharing Beacons.},
author = {Nora von Thenen (Bilkent University), Erman Ayday (Bilkent University) and A. Ercument Cicek (Bilkent University and CMU)},
year = {2017},
date = {2017-10-15},
journal = {Genopri 2017},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
|
Jake Weidman (The Pennsylvania State University; Technical University of Munich), William Aurite (The Pennsylvania State University); Jens Grossklags (Technical University of Munich): A Vignette Study on Personal and Interdependent Privacy Concerns, and Sharing Intentions for Genetic Data. GenoPri 2017, 2017. (Type: Journal Article | Abstract | BibTeX)@article{Weidman2017b,
title = {A Vignette Study on Personal and Interdependent Privacy Concerns, and Sharing Intentions for Genetic Data},
author = {Jake Weidman (The Pennsylvania State University and Technical University of Munich), William Aurite (The Pennsylvania State University) and Jens Grossklags (Technical University of Munich)},
year = {2017},
date = {2017-10-15},
journal = {GenoPri 2017},
abstract = {Genetics and genetic data have been the subject of recent scholarly work, with significant attention paid towards understanding genetic data consent practices and genetic data security. Attitudes and perceptions concerning the trustworthiness of governmental or national institutions receiving test-taker data have been explored, with varied findings, but no robust models or deterministic relationships have been established that account for these differences. These results also do not explore in detail the perceptions regarding other types of organizations (e.g., private corporations). Further, considerations of privacy interdepen- dence arising from blood relative relationships have been absent from the conversation regarding the sharing of genetic data. This paper reports the results from a factorial vignette survey study in which we investigate how variables of ethnicity, age, genetic markers, and association of data with the individual’s name affect the likelihood of sharing data with different types of organizations. We also investigate elements of personal and interdependent privacy concerns. We document the significant role these factors have in the decision to share or not share genetic data with a third party. We support our findings with a series of regression analyses.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Genetics and genetic data have been the subject of recent scholarly work, with significant attention paid towards understanding genetic data consent practices and genetic data security. Attitudes and perceptions concerning the trustworthiness of governmental or national institutions receiving test-taker data have been explored, with varied findings, but no robust models or deterministic relationships have been established that account for these differences. These results also do not explore in detail the perceptions regarding other types of organizations (e.g., private corporations). Further, considerations of privacy interdepen- dence arising from blood relative relationships have been absent from the conversation regarding the sharing of genetic data. This paper reports the results from a factorial vignette survey study in which we investigate how variables of ethnicity, age, genetic markers, and association of data with the individual’s name affect the likelihood of sharing data with different types of organizations. We also investigate elements of personal and interdependent privacy concerns. We document the significant role these factors have in the decision to share or not share genetic data with a third party. We support our findings with a series of regression analyses. |
Scott Thiebes (University of Kassel), Gregor Kleiber (University of Cologne); Ali Sunyaev (University of Kassel): Cancer Genomics Research in the Cloud: A Taxonomy of Genome Data Sets.. GenoPri 2017, 2017. (Type: Journal Article | Abstract | BibTeX)@article{Thiebes2017,
title = {Cancer Genomics Research in the Cloud: A Taxonomy of Genome Data Sets.},
author = {Scott Thiebes (University of Kassel), Gregor Kleiber (University of Cologne) and Ali Sunyaev (University of Kassel)},
year = {2017},
date = {2017-10-15},
journal = {GenoPri 2017},
abstract = {The adoption of cloud services in genomics is often accompanied by information privacy and information security concerns. While specific infor- mation privacy and information security requirements are recognized to vary de- pending on the underlying genome data sets’ sensitivity, extant research has mostly taken a maximum effort approach to the protection of genome data in cloud computing environments. In this paper, we employ the method of Nicker- son et al. to develop a taxonomy of genome data sets that can aid interested re- searchers in deciding whether to store and process their genome data in the cloud. Our taxonomy consists of the ten dimensions (1) Organism, (2) Access, (3) Iden- tifiable, (4) File size, (5) Processing requirements, (6) Transfer requirements, (7) Mutable, (8) API access, (9) Software availability, and (10) Use restriction. Anal- ysis of our taxonomy and data set classifications from a cloud computing per- spective highlights the existence of diverse factors and contextual influences be- yond just privacy and security concerns that can motivate or discourage cancer genomics researchers to move their genome data to the cloud.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
The adoption of cloud services in genomics is often accompanied by information privacy and information security concerns. While specific infor- mation privacy and information security requirements are recognized to vary de- pending on the underlying genome data sets’ sensitivity, extant research has mostly taken a maximum effort approach to the protection of genome data in cloud computing environments. In this paper, we employ the method of Nicker- son et al. to develop a taxonomy of genome data sets that can aid interested re- searchers in deciding whether to store and process their genome data in the cloud. Our taxonomy consists of the ten dimensions (1) Organism, (2) Access, (3) Iden- tifiable, (4) File size, (5) Processing requirements, (6) Transfer requirements, (7) Mutable, (8) API access, (9) Software availability, and (10) Use restriction. Anal- ysis of our taxonomy and data set classifications from a cloud computing per- spective highlights the existence of diverse factors and contextual influences be- yond just privacy and security concerns that can motivate or discourage cancer genomics researchers to move their genome data to the cloud. |
Alexander Senf (European Molecular Biology Laboratory, European Bioinformatics Institute): End-to-end Security for Local and Remote Human Genetic Data Applications at the EGA.. GenoPri 2017, 2017. (Type: Journal Article | Abstract | BibTeX)@article{Senf2017,
title = {End-to-end Security for Local and Remote Human Genetic Data Applications at the EGA.},
author = {Alexander Senf (European Molecular Biology Laboratory, European Bioinformatics Institute)},
year = {2017},
date = {2017-10-15},
journal = {GenoPri 2017},
abstract = {Sensitive genomic data should remain secure – whether on disk for storage or analysis, or in transport. However, secure storage, delivery and usage of genomic data is complicated by the size of files, and diversity of workflows. This paper presents solutions developed by GA4GH and EGA to use customized encryption, encrypted file formats, toolchain integration, and intelligent APIs to help solve this problem},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Sensitive genomic data should remain secure – whether on disk for storage or analysis, or in transport. However, secure storage, delivery and usage of genomic data is complicated by the size of files, and diversity of workflows. This paper presents solutions developed by GA4GH and EGA to use customized encryption, encrypted file formats, toolchain integration, and intelligent APIs to help solve this problem |
Dixie Baker (Martin, Blanck; Associates), Bartha Knoppers ( McGill University), Mark Phillips (McGill University), David van Enckevort (University Medical Center Groningen) , Petra Kaufmann (National Institutes of Health), Hanns Lochmuller (Newcastle University); Domenica Taruscio (Istituto Superiore di Sanità): Privacy-Preserving Linkage of Genomic and Clinical Data Sets.. Genopri 2017, 2017. (Type: Journal Article | Abstract | BibTeX)@article{Baker2017,
title = {Privacy-Preserving Linkage of Genomic and Clinical Data Sets.},
author = {Dixie Baker (Martin, Blanck and Associates), Bartha Knoppers ( McGill University), Mark Phillips (McGill University), David van Enckevort (University Medical Center Groningen) , Petra Kaufmann (National Institutes of Health), Hanns Lochmuller (Newcastle University) and Domenica Taruscio (Istituto Superiore di Sanità)},
year = {2017},
date = {2017-10-15},
journal = {Genopri 2017},
abstract = {A key challenge for the Global Alliance for Genomics and Health (GA4GH) is the capability to link data sets associated with the same individual. This challenge is exacerbated by the facts that the data sets may include both genomic and clinical data and may span multiple ethico-legal jurisdictions, and by the need to enable re- identification when the use of the data lead to medical conclusions that the law permits or requires be communicated back to the individual. Privacy-Preserving Record Link- age (PPRL) methods address these challenges that lie at the intersection of biomedical research and clinical practice. In 2016, the Global Alliance for Genomics and Health (GA4GH) launched a task team to explore ethical questions, regulatory requirements, and technological methods and approaches related to PPRL. The task team is a collab- oration in which the GA4GH (Regulatory and Ethics Work Stream and the Data Se- curity Work Stream) is preparing policy and technology standards, together with the Interdisciplinary Committee of the International Rare Diseases Research Consortium (IRDiRC) to enable highly reliable linking of coded data records associated with the same individual without disclosing the identity of that individual except under condi- tions in which the use of the data has led to information of importance to the individ- ual’s safety or health, and applicable law allows or requires the return of results. The PPRL Task Force has examined the ethico-legal requirements, constraints, and impli- cations of PPRL, and has applied this knowledge to the exploration of technology methods and approaches to PPRL. This paper reports and justifies the findings and recommendations thus far},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
A key challenge for the Global Alliance for Genomics and Health (GA4GH) is the capability to link data sets associated with the same individual. This challenge is exacerbated by the facts that the data sets may include both genomic and clinical data and may span multiple ethico-legal jurisdictions, and by the need to enable re- identification when the use of the data lead to medical conclusions that the law permits or requires be communicated back to the individual. Privacy-Preserving Record Link- age (PPRL) methods address these challenges that lie at the intersection of biomedical research and clinical practice. In 2016, the Global Alliance for Genomics and Health (GA4GH) launched a task team to explore ethical questions, regulatory requirements, and technological methods and approaches related to PPRL. The task team is a collab- oration in which the GA4GH (Regulatory and Ethics Work Stream and the Data Se- curity Work Stream) is preparing policy and technology standards, together with the Interdisciplinary Committee of the International Rare Diseases Research Consortium (IRDiRC) to enable highly reliable linking of coded data records associated with the same individual without disclosing the identity of that individual except under condi- tions in which the use of the data has led to information of importance to the individ- ual’s safety or health, and applicable law allows or requires the return of results. The PPRL Task Force has examined the ethico-legal requirements, constraints, and impli- cations of PPRL, and has applied this knowledge to the exploration of technology methods and approaches to PPRL. This paper reports and justifies the findings and recommendations thus far |
Koki Hamada (NTT Secure Platform Laboratories), Satoshi Hasegawa (NTT Secure Platform Laboratories), Kazuharu Misawa (Tohoku Medical Megabank Organization), Koji Chida (NTT Secure Platform Laboratories), Soichi Ogishima (Tohoku Medical Megabank Organization); Masao Nagasaki (Tohoku Medical Megabank Organization): Privacy-Preserving Fisher's Exact Test for Genome-Wide Association Study. Genopri 2017, 2017. (Type: Journal Article | Abstract | BibTeX)@article{Hamada2017,
title = {Privacy-Preserving Fisher's Exact Test for Genome-Wide Association Study},
author = {Koki Hamada (NTT Secure Platform Laboratories), Satoshi Hasegawa (NTT Secure Platform Laboratories), Kazuharu Misawa (Tohoku Medical Megabank Organization), Koji Chida (NTT Secure Platform Laboratories), Soichi Ogishima (Tohoku Medical Megabank Organization) and Masao Nagasaki (Tohoku Medical Megabank Organization)},
year = {2017},
date = {2017-10-15},
journal = {Genopri 2017},
abstract = {For protecting data privacy in genomic analysis, privacy-preserving data mining for genomic analysis has been actively studied in recent years. Fisher’s exact test is known as an important method for statistical hypothesis testing in genome-wide association studies (GWAS). However, designing a practical privacy- preserving variant of the test for GWAS faces two main problems: (i) It is a dif- ficult task to efficiently execute even a single Fisher’s exact test while preserving privacy. (ii) The entire privacy-preserving GWAS is infeasible because GWAS often involves hypothesis tests for over 1 million inputs.
In this paper, we construct efficient privacy-preserving algorithms for Fisher’s ex- act test for GWAS. To overcome problem (i), we propose a method involving a decision tree that can efficiently conduct a single Fisher’s exact test. We empiri- cally found that the size of the decision tree is approximately proportional to N1.7, where N is the sample size in an input, whereas a naive approach requires a linear scan on a list of Ω(N3) items.
Problem (ii) is solved by filtering some inputs whose outputs are easily deter- mined by a simplified equation that computes a lower bound instead of the orig- inal equation. This filtering drastically reduces the number of inputs that should be evaluated by the original equation. In addition, we used a parallel array ac- cess algorithm to reduce the communication cost of the filtering operation to O((M + N)log(M + N)) whereas a naive approach requires Ω(MN), where M is the number of inputs.
Empirical results show the proposed method takes only 8 minutes for N = 1, 000 and M = 1, 000, 000 cases whereas the naive method is estimated to take over 20 years.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
For protecting data privacy in genomic analysis, privacy-preserving data mining for genomic analysis has been actively studied in recent years. Fisher’s exact test is known as an important method for statistical hypothesis testing in genome-wide association studies (GWAS). However, designing a practical privacy- preserving variant of the test for GWAS faces two main problems: (i) It is a dif- ficult task to efficiently execute even a single Fisher’s exact test while preserving privacy. (ii) The entire privacy-preserving GWAS is infeasible because GWAS often involves hypothesis tests for over 1 million inputs.
In this paper, we construct efficient privacy-preserving algorithms for Fisher’s ex- act test for GWAS. To overcome problem (i), we propose a method involving a decision tree that can efficiently conduct a single Fisher’s exact test. We empiri- cally found that the size of the decision tree is approximately proportional to N1.7, where N is the sample size in an input, whereas a naive approach requires a linear scan on a list of Ω(N3) items.
Problem (ii) is solved by filtering some inputs whose outputs are easily deter- mined by a simplified equation that computes a lower bound instead of the orig- inal equation. This filtering drastically reduces the number of inputs that should be evaluated by the original equation. In addition, we used a parallel array ac- cess algorithm to reduce the communication cost of the filtering operation to O((M + N)log(M + N)) whereas a naive approach requires Ω(MN), where M is the number of inputs.
Empirical results show the proposed method takes only 8 minutes for N = 1, 000 and M = 1, 000, 000 cases whereas the naive method is estimated to take over 20 years. |
Jean Louis Raisaro (EPFL), Juan Ramon Troncoso-Pastoriza (EPFL), Mickaël Misbach (EPFL; Centre Hospitalier Universitaire Vaudois), João Sá Sousa (EPFL), Sylvain Pradervand (Centre Hospitalier Universitaire Vaudois; University of Lausanne), Edoardo Missiaglia (Centre Hospitalier Universitaire Vaudois), Olivier Michielin (Centre Hospitalier Universitaire Vaudois), Bryan Ford (EPFL); Jean-Pierre Hubaux (EPFL): MedCo: Enabling Privacy-Conscious Exploration of Distributed Clinical and Genomic Data.. Genopri 2017, 2017. (Type: Journal Article | Abstract | BibTeX)@article{Raisaro2017b,
title = {MedCo: Enabling Privacy-Conscious Exploration of Distributed Clinical and Genomic Data.},
author = {Jean Louis Raisaro (EPFL), Juan Ramon Troncoso-Pastoriza (EPFL), Mickaël Misbach (EPFL and Centre Hospitalier Universitaire Vaudois), João Sá Sousa (EPFL), Sylvain Pradervand (Centre Hospitalier Universitaire Vaudois and University of Lausanne), Edoardo Missiaglia (Centre Hospitalier Universitaire Vaudois), Olivier Michielin (Centre Hospitalier Universitaire Vaudois), Bryan Ford (EPFL) and Jean-Pierre Hubaux (EPFL)},
year = {2017},
date = {2017-10-15},
journal = {Genopri 2017},
abstract = {Being able to share large amounts of sensitive clinical and genomic data across several institutions is crucial for precision medicine to scale up. Unfor- tunately, existing solutions only partially address this challenge and are still unable to provide the strong privacy and security guarantees required by regulations (e.g., HIPAA, GDPR). As a result, currently only very limited datasets of non-sensitive and moderately useful information can be shared. In this paper, we introduce MedCo, the first operational system that enables an investigator to explore sensi- tive medical information distributed at several sites and protected with collective homomorphic encryption. MedCo builds on top of established and widespread technology from the biomedical informatics community, such as i2b2 and SHRINE, and relies on state-of-the-art secure protocols for processing encrypted distributed data and complying with regulations. As such, MedCo can be easily adopted by clinical sites thus paving the way to new unexplored data-sharing use cases. We tested MedCo in a real network of three institutions (EPFL, UNIL and CHUV) by focusing on an oncology use-case with real somatic mutations and clinical tumor data. The relatively low overhead introduced by MedCo shows that it represents a concrete and scalable solution for sharing privacy-conscious medical data.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Being able to share large amounts of sensitive clinical and genomic data across several institutions is crucial for precision medicine to scale up. Unfor- tunately, existing solutions only partially address this challenge and are still unable to provide the strong privacy and security guarantees required by regulations (e.g., HIPAA, GDPR). As a result, currently only very limited datasets of non-sensitive and moderately useful information can be shared. In this paper, we introduce MedCo, the first operational system that enables an investigator to explore sensi- tive medical information distributed at several sites and protected with collective homomorphic encryption. MedCo builds on top of established and widespread technology from the biomedical informatics community, such as i2b2 and SHRINE, and relies on state-of-the-art secure protocols for processing encrypted distributed data and complying with regulations. As such, MedCo can be easily adopted by clinical sites thus paving the way to new unexplored data-sharing use cases. We tested MedCo in a real network of three institutions (EPFL, UNIL and CHUV) by focusing on an oncology use-case with real somatic mutations and clinical tumor data. The relatively low overhead introduced by MedCo shows that it represents a concrete and scalable solution for sharing privacy-conscious medical data. |
Jagadeesh, Karthik A; Wu, David J; Birgmeier, Johannes A; Boneh, Dan; Bejerano, Gill: Deriving genomic diagnoses without revealing patient genomes. Science, 357 (6352), pp. 692–695, 2017. (Type: Journal Article | Abstract | Links | BibTeX)@article{jagadeesh2017deriving,
title = {Deriving genomic diagnoses without revealing patient genomes},
author = {Jagadeesh, Karthik A and Wu, David J and Birgmeier, Johannes A and Boneh, Dan and Bejerano, Gill},
url = {http://science.sciencemag.org/content/357/6352/692.long},
doi = {10.1126/science.aam9710},
year = {2017},
date = {2017-08-18},
journal = {Science},
volume = {357},
number = {6352},
pages = {692--695},
abstract = {Patient genomes are interpretable only in the context of other genomes; however, genome sharing enables discrimination. Thousands of monogenic diseases have yielded definitive genomic diagnoses and potential gene therapy targets. Here we show how to provide such diagnoses while preserving participant privacy through the use of secure multiparty computation. In multiple real scenarios (small patient cohorts, trio analysis, two-hospital collaboration), we used our methods to identify the causal variant and discover previously unrecognized disease genes and variants while keeping up to 99.7% of all participants' most sensitive genomic information private.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Patient genomes are interpretable only in the context of other genomes; however, genome sharing enables discrimination. Thousands of monogenic diseases have yielded definitive genomic diagnoses and potential gene therapy targets. Here we show how to provide such diagnoses while preserving participant privacy through the use of secure multiparty computation. In multiple real scenarios (small patient cohorts, trio analysis, two-hospital collaboration), we used our methods to identify the causal variant and discover previously unrecognized disease genes and variants while keeping up to 99.7% of all participants' most sensitive genomic information private. |
Lippert, Christoph; Sabatini, Riccardo; Maher, M Cyrus; Kang, Eun Yong; Lee, Seunghak; Arikan, Okan; Harley, Alena; Bernal, Axel; Garst, Peter; Lavrenko, Victor; others: Identification of individuals by trait prediction using whole-genome sequencing data. Proceedings of the National Academy of Sciences, 114 (38), pp. 10166–10171, 2017. (Type: Journal Article | Abstract | Links | BibTeX)@article{lippert2017identification,
title = {Identification of individuals by trait prediction using whole-genome sequencing data},
author = {Lippert, Christoph and Sabatini, Riccardo and Maher, M Cyrus and Kang, Eun Yong and Lee, Seunghak and Arikan, Okan and Harley, Alena and Bernal, Axel and Garst, Peter and Lavrenko, Victor and others},
url = {http://www.pnas.org/content/114/38/10166.full},
doi = {10.1073/pnas.1711125114},
year = {2017},
date = {2017-06-28},
journal = {Proceedings of the National Academy of Sciences},
volume = {114},
number = {38},
pages = {10166--10171},
abstract = {Prediction of human physical traits and demographic information from genomic data challenges privacy and data deidentification in personalized medicine. To explore the current capabilities of phenotype-based genomic identification, we applied whole-genome sequencing, detailed phenotyping, and statistical modeling to predict biometric traits in a cohort of 1,061 participants of diverse ancestry. Individually, for a large fraction of the traits, their predictive accuracy beyond ancestry and demographic information is limited. However, we have developed a maximum entropy algorithm that integrates multiple predictions to determine which genomic samples and phenotype measurements originate from the same person. Using this algorithm, we have reidentified an average of >8 of 10 held-out individuals in an ethnically mixed cohort and an average of 5 of either 10 African Americans or 10 Europeans. This work challenges current conceptions of personal privacy and may have far-reaching ethical and legal implications.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Prediction of human physical traits and demographic information from genomic data challenges privacy and data deidentification in personalized medicine. To explore the current capabilities of phenotype-based genomic identification, we applied whole-genome sequencing, detailed phenotyping, and statistical modeling to predict biometric traits in a cohort of 1,061 participants of diverse ancestry. Individually, for a large fraction of the traits, their predictive accuracy beyond ancestry and demographic information is limited. However, we have developed a maximum entropy algorithm that integrates multiple predictions to determine which genomic samples and phenotype measurements originate from the same person. Using this algorithm, we have reidentified an average of >8 of 10 held-out individuals in an ethnically mixed cohort and an average of 5 of either 10 African Americans or 10 Europeans. This work challenges current conceptions of personal privacy and may have far-reaching ethical and legal implications. |
M. Backes, P. Berrang, M. Bieg, R. Eils, C. Herrmann, M. Humbert; I. Lehmann: Identifying Personal DNA Methylation Profiles by Genotype Inference. 38th IEEE Symposium on Security and Privacy, 2017. (Type: Journal Article | Abstract | BibTeX)@article{backesidentifying,
title = {Identifying Personal DNA Methylation Profiles by Genotype Inference},
author = {M. Backes, P. Berrang, M. Bieg, R. Eils, C. Herrmann, M. Humbert and I. Lehmann},
year = {2017},
date = {2017-05-24},
journal = {38th IEEE Symposium on Security and Privacy},
abstract = {Since the first whole-genome sequencing, the biomedical research community has made significant steps to- wards a more precise, predictive and personalized medicine. Genomic data is nowadays widely considered privacy-sensitive and consequently protected by strict regulations and released only after careful consideration. Various additional types of biomedical data, however, are not shielded by any dedicated legal means and consequently disseminated much less thoughtfully. This in particular holds true for DNA methylation data as one of the most important and well-understood epigenetic element influencing human health.
In this paper, we show that, in contrast to the aforementioned belief, releasing one’s DNA methylation data causes privacy issues akin to releasing one’s actual genome. We show that already a small subset of methylation regions influenced by genomic variants are sufficient to infer parts of someone’s genome, and to further map this DNA methylation profile to the corresponding genome. Notably, we show that such re-identification is possible with 97.5% accuracy, relying on a dataset of more than 2500 genomes, and that we can reject all wrongly matched genomes using an appropriate statistical test. We provide means for countering this threat by proposing a novel cryptographic scheme for privately classifying tumors that enables a privacy-respecting medical diagnosis in a common clinical setting. The scheme relies on a combination of random forests and homomorphic encryption, and it is proven secure in the honest-but-curious model. We evaluate this scheme on real DNA methylation data, and show that we can keep the computational overhead to acceptable values for our application scenario.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Since the first whole-genome sequencing, the biomedical research community has made significant steps to- wards a more precise, predictive and personalized medicine. Genomic data is nowadays widely considered privacy-sensitive and consequently protected by strict regulations and released only after careful consideration. Various additional types of biomedical data, however, are not shielded by any dedicated legal means and consequently disseminated much less thoughtfully. This in particular holds true for DNA methylation data as one of the most important and well-understood epigenetic element influencing human health.
In this paper, we show that, in contrast to the aforementioned belief, releasing one’s DNA methylation data causes privacy issues akin to releasing one’s actual genome. We show that already a small subset of methylation regions influenced by genomic variants are sufficient to infer parts of someone’s genome, and to further map this DNA methylation profile to the corresponding genome. Notably, we show that such re-identification is possible with 97.5% accuracy, relying on a dataset of more than 2500 genomes, and that we can reject all wrongly matched genomes using an appropriate statistical test. We provide means for countering this threat by proposing a novel cryptographic scheme for privately classifying tumors that enables a privacy-respecting medical diagnosis in a common clinical setting. The scheme relies on a combination of random forests and homomorphic encryption, and it is proven secure in the honest-but-curious model. We evaluate this scheme on real DNA methylation data, and show that we can keep the computational overhead to acceptable values for our application scenario. |
Goodman, Deborah; Johnson, Catherine O; Bowen, Deborah; Smith, Megan; Wenzel, Lari; Edwards, Karen: De-identified genomic data sharing: the research participant perspective. Journal of Community Genetics, 8 , pp. 1-9, 2017, ISSN: 1868-6001. (Type: Journal Article | Abstract | Links | BibTeX)@article{goodman2017identified,
title = {De-identified genomic data sharing: the research participant perspective},
author = {Goodman, Deborah and Johnson, Catherine O and Bowen, Deborah and Smith, Megan and Wenzel, Lari and Edwards, Karen},
editor = {Springer},
doi = {10.1007/s1268},
issn = {1868-6001},
year = {2017},
date = {2017-04-05},
journal = {Journal of Community Genetics},
volume = {8},
pages = {1-9},
abstract = {Combining datasets into larger and separate datasets is becoming increasingly common, and personal identifiers are often removed in order to maintain participant anonymity. Views of research participants on the use of de-identified data in large research datasets are important for future projects, such as the Precision Medicine Initiative and Cancer Moonshot Initiative. This quantitative study set in the USA examines participant preferences and evaluates differences by demographics and cancer history. Study participants were recruited from the Northwest Cancer Genetics Registry and included cancer patients, their relatives, and controls. A secure online survey was administered to 450 participants. While the majority participants were not concerned about personal identification when participating in a genetic study using de-identified data, they expressed their concern that researchers protect their privacy and information. Most participants expressed a desire that their data should be available for as many research studies as possible, and in doing so, they would increase their chance of receiving personal health information. About 20% of participants felt that a link should not be maintained between the participant and their de-identified data. Reasons to maintain a link included an ability to return individual health results and an ability to support further research. Knowledge of participants’ attitudes regarding the use of data into a research repository and the maintenance of a link to de-identified data is critical to the success of recruitment into future genomic research projects.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Combining datasets into larger and separate datasets is becoming increasingly common, and personal identifiers are often removed in order to maintain participant anonymity. Views of research participants on the use of de-identified data in large research datasets are important for future projects, such as the Precision Medicine Initiative and Cancer Moonshot Initiative. This quantitative study set in the USA examines participant preferences and evaluates differences by demographics and cancer history. Study participants were recruited from the Northwest Cancer Genetics Registry and included cancer patients, their relatives, and controls. A secure online survey was administered to 450 participants. While the majority participants were not concerned about personal identification when participating in a genetic study using de-identified data, they expressed their concern that researchers protect their privacy and information. Most participants expressed a desire that their data should be available for as many research studies as possible, and in doing so, they would increase their chance of receiving personal health information. About 20% of participants felt that a link should not be maintained between the participant and their de-identified data. Reasons to maintain a link included an ability to return individual health results and an ability to support further research. Knowledge of participants’ attitudes regarding the use of data into a research repository and the maintenance of a link to de-identified data is critical to the success of recruitment into future genomic research projects. |
Humbert, Mathias; Ayday, Erman; Hubaux, Jean-Pierre; Telenti, Amalio: Quantifying Interdependent Risks in Genomic Privacy. ACM Transactions on Privacy and Security (TOPS), 20 (1), pp. 3, 2017. (Type: Journal Article | BibTeX)@article{humbert2017quantifying,
title = {Quantifying Interdependent Risks in Genomic Privacy},
author = {Humbert, Mathias and Ayday, Erman and Hubaux, Jean-Pierre and Telenti, Amalio},
year = {2017},
date = {2017-01-01},
journal = {ACM Transactions on Privacy and Security (TOPS)},
volume = {20},
number = {1},
pages = {3},
publisher = {ACM},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
|
