Conclusion

The paper provides an example of how a threat modeling process can be employed in a systematic and consistent manner to analyze privacy-related genomic data threats to the Clinical Client, Research Partner, and Genomic Sequencing Service environments. It shows how the process charts, characterizes, and analyzes the dataflows of each use case to identify specific types of potential threats, while describing possible actualizing attacks. It also demonstrates how valid threats can be prioritized and provides an illustrative example of how to identify and select threat-disrupting interventions.

This threat modeling process identified notable genomic data threats and concerns in the use cases examined. One key finding is the limited ability for individuals to exercise informed consent and maintain control over their genomic data as it moves across increasingly complex dataflows. Additionally, the interconnected nature of genomic data introduces the potential for direct subjects’ data to impact indirect subjects, such as relatives, further complicating privacy management.

Additional details regarding our threat modeling approach, methodology, dataflows, mappings, and threat validation can be found in Appendices C-G. The scope of our analysis was constrained to two use cases and focused on dataflows between two organizations. Further analysis could explore the complexities of environments involving multiple entities and more intricate dataflows. The rapidly evolving field of genomics, coupled with a dynamic threat landscape, also presents considerations that could be analyzed. Expanding the scope could yield additional insights into privacy challenges for genomic data processing. Organizations may also consider approaches for implementing ongoing threat monitoring to supplement threat modeling.