Security and Privacy in Processing and Analysis of Volatile Organic Compounds

Nowadays, the security and privacy of data are becoming more and more important in life science. As a general rule, security refers to preventing the diversion or deliberate misuse of data, materials, or technologies. Providing a well-suited cybersecurity strategy is essential in the whole data lifecycle process. How to do that? Let me describe some regulations and best practices used to deal with the challenge of data protection.

Security and Privacy Challenges

Prior to discussing VOCs, let me introduce some basic security and privacy principles. After covering them, we can take a closer look at specific cases.

Here are a few principles:

• Introduce access control;
• Raise awareness in the organization, but also within the wide spectrum of their clients;
• Implement encryption;
• Anonymise all PII (Personally Identifiable Information) data where you can;
• Create and test the response plans.

Now we know how to take care of security and privacy. But how to ensure them in a particular type of information, VOCs?

What are VOCs, and why are they significant?

VOCs (Volatile Organic Compounds) are chemicals emitted as gases, and they can have harmful effects on human health. You may remember examples of them from school — hydrocarbons like acetone, ethanol, and other alcohols, esters, alkanes, or formaldehyde are the substances we are talking about.

Of course, because they are volatile, they easily get into the air from different sources. To better imagine that, let’s look at two typical indoor sources of VOCs:

• human beings’ emissions, e.g., breath, skin respiration, cosmetics;
• some building materials, furniture, or equipment, e.g., computers, paints, carpets.

Another emission of VOCs comes from vehicles or fuel combustion.

What is interesting from the security perspective is that VOC components can enable the monitoring of certain body processes and the metabolic state of an individual. So this is particularly sensitive information.

Dealing with VOCs

A growing number of companies do research on VOCs due to their plentiful applications. For instance, sensors produced by Honeywell International or Siemens are used to monitor the air quality based on different VOCs: both from human beings’ emissions (VOCs like acetone, alcohols, esters), and equipment or furniture (VOCs like ketones or alkanes).

There are also startups emerging on the market, like VOC Diagnostics, using blood samples (with VOCs) to detect ovarian cancer. Scent Recognition Technology developed by Nanoscent enables the usage of some biological markers and information from the smell in different industries (food and beverage, chemicals and energy, and healthcare). Technology is still developing and lots of new applications appear. This, of course, raises questions about regulations for them.

Regulations to Analyze and Protect the VOCs

Information about particular individuals can be collected by personally owned devices, like smartphones. However, from the security perspective, to analyze the VOCs, for example, in cloud-based systems, we must follow various regulatory requirements. They are created to protect individuals’ data and Personal Health Information (PHI) — the most sensitive data we can imagine.

Various standards and regulations focus on privacy protection and sensitive information handling

There is a need for consistent rules followed by organizations gathering and processing data. Here are a few examples of documents used in different regions:

• HIPAA (Health Insurance Portability and Accountability Act) in the United States;
• HITECH (Health Information Technology for Economic and Clinical Health Act) in the United States;
• GDPR (General Data Protection Regulation) in European Union.

All the privacy-related standards and regulations are grouped in SCF (Secure Controls Framework) under the privacy management section. This framework is refreshed at least annually and is free to use. Essentially, that’s the meta-framework — a framework for security systems, and it was developed to influence safe practices in organizations.

For cloud processing, there are also standards focused on PII (Personal Identifiable Information) secure processing:

• ISO 27018 focused on protecting personal data processed in the cloud;
• and ISO 27017, describing general security requirements for cloud data processing.

2 Ways of Processing Data

To explain how the data are processed, I will introduce the current example. Olfaction data collected by smartphones might contain sensitive information about our bodies, carried by emitted organic compounds.

In general, there are two possible ways of processing this kind of data:

1. Building data models based on geolocated sources of information for statistical purposes.

In this case, there is no need to identify a particular individual and relate the data with the physical persons or smartphone owners. The system shall be designed to handle that type of processing by anonymizing the collected information by default.

This case is regulated by many Regulatory Requirements, like HIPAA or HITECH, and Privacy Laws like GDPR.

2. Relating collected data with the individual itself.

This scenario opens the gate to Personal Health Information processing and requires comprehensive implementation of security controls for data protection.

There are many standards mentioned above that can help handle the data securely. They can cover the scope of the system and organizations for both ways of processing the data.

Building Secure System

Compliance with regulations is essential to collect, storing, managing, and analyzing the data, and we take it into account while working. Nowadays, every company faces rapidly emerging and evolving security threats. That’s why at A4BEE, we help our clients build systems secure by default. To achieve this goal, we support comprehensive security architecture implementation from the idea through the development and deployment phases. We empower companies to tackle security challenges with a business-driven approach that allows them to meet regulatory requirements, mitigate risks, and increase confidence while maintaining the organization’s reputation.

Summary

New science areas come with new challenges with the security of the data. Thanks to the various existing regulations (like HIPAA, HITECH, or ISO standards), companies are obliged to use the information from VOCs safely, so we don’t need to wait for dedicated principles.

Authors: Wojciech Kudlaszyk, Ewa Weremko

— — — —

Do you like our article? Click 👍 and go to a4bee.com for more.