
What is cyberbiosecurity?
Cyberbiosecurity addresses security risks at the intersection of biological data, medical sciences, and digital infrastructure.
More specifically, Frontiers in Bioengineering and Biotechnology defines cyberbiosecurity as "understanding the vulnerabilities to unwanted surveillance, intrusions, and malicious and harmful activities which can occur within or at the interfaces of comingled life and medical sciences, cyber, cyber-physical, supply chain and infrastructure systems, and developing and instituting measures to prevent, protect against, mitigate, investigate and attribute such threats as it pertains to security, competitiveness, and resilience."
Ultimately, with more industries, like healthcare, biotechnology, and biomedical research, relying on digital technologies, these industries must safeguard individuals’ sensitive data.
Applications in healthcare, biotech, and biomedical research
Cyberbiosecurity applies to various aspects of the healthcare and biotech industries, where data-driven processes form part of patient care, genetic research, and drug development.
- Hospitals and healthcare organizations rely on electronic health records (EHRs), connected medical devices, and cloud-based systems that transmit patient data.
- Biotech firms working on genetic engineering, synthetic biology, and personalized medicine manage large volumes of biological data.
- In biomedical research, sequencing facilities, biopharmaceutical companies, and bioinformatics platforms generate and analyze massive datasets that require strict security measures.
Overall, cyberbiosecurity is “the protection of biological systems, data, and technologies from cyber threats and is becoming increasingly important as biotechnology research and development continue to advance,” explains Dr. Mrinmayee Bhushan, a fellow at the Strategic Research And Growth Foundation.
Related: How HIPAA supports health research
Why cyberbiosecurity matters in healthcare and biomedical research
“As the bioeconomy expands, so do cyber threats targeting biological data and medical systems,” the Frontiers study states.
Healthcare and biotech organizations have become major targets for cybercriminals due to the high value of their data. According to the Department of Health and Human Services (HHS), there has been a 256% increase in major data breaches reported over the past five years.
“These attacks cause distress for patients who will not have access to their medical records, therefore they may not be able to make the most accurate decisions concerning their health and well-being,” explains Office for Civil Rights (OCR) Director Melanie Fontes Rainer in a February 2024 press release (since archived).
Additionally, malicious actors could manipulate or disrupt healthcare systems given the digitization of biomedical research, EHRs, and pharmaceutical supply chains.
Researchers at the Pentagon’s Networks & Digital Warfare division point out, “Cyber can now create biowarfare effects, without a bioweapon.”
For example, a cyberattack on a pharmaceutical company's clinical trial database could manipulate drug efficacy data, leading to the approval of ineffective or harmful treatments, mimicking the impact of a bioweapon without physical pathogens.
Therefore, healthcare organizations must prevent data breaches, cyber-enabled bioterrorism, and misinformation campaigns that could undermine medical treatments.
These organizations must also comply with federal regulations such as HIPAA and implement additional cyberbiosecurity measures to protect patient information and mitigate the risk of cyber threats.
How HIPAA safeguards PHI
HIPAA requires covered entities to implement safeguards to maintain the confidentiality of PHI. Recently, the National Human Genome Research Institute (NHGRI) stated that HIPAA's Privacy Rule protects individually identifiable health information, including genetic data, when used in healthcare settings. Genetic data was integrated into HIPAA protections in 2013 following the Genetic Information Nondiscrimination Act (GINA).
However, the Privacy Rule limits how PHI may be used but does not apply to de-identified data, and it does not require encryption or other security measures for genomic data collected during research. As the scientific report Biodata Risks and Synthetic Biology: A Critical Juncture puts it, “the Rule does not mandate any kind of encryption or protection of human genomic data collected during research; nor does it regulate data technologies that identify patients.”
This gap leaves genetic data exposed to cyber threats such as unauthorized access or manipulation, which could compromise patient privacy and research integrity.
In summary, HIPAA protects PHI, but it does not specifically address the cybersecurity needs of genomic data used in research. That gap creates vulnerabilities that cyberbiosecurity measures must address to prevent unauthorized access and ensure the integrity of sensitive biological information.
Go deeper: The intersection of HIPAA, GINA, and secure communication
Where cyberbiosecurity and HIPAA overlap
Cyberbiosecurity extends HIPAA's security provisions to cover biological data not explicitly protected by HIPAA, such as synthetic biology and genetic data used in research.
As biomedical research advances, it increasingly requires these enhanced security procedures to address the risks inherent in sensitive biological information that falls outside HIPAA's traditional domain, so that research data remains safeguarded against future cyber threats.
Protecting genetic, biometric, and bioinformatics data under HIPAA
While HIPAA protects 18 types of personally identifiable information (PII), human genomic data is not among them. Cyberbiosecurity strategies are therefore necessary to safeguard sensitive biological information that could be exploited for malicious purposes.
These strategies fill the regulatory gaps so emerging biotechnologies and genetic research remain protected according to modern security needs.
Encryption
To address additional cyberbiosecurity risks, organizations must encrypt their healthcare and biotech devices or systems containing PHI according to HIPAA's encryption requirements.
For example, the abovementioned scientific report suggests, “current encryption methods may provide some protections; for example, fragmented encryption could be applied during genomic sequencing and continued when transferring data.”
These regulatory gaps also affect information sharing as technologies like synthetic biology and AI-driven diagnostics become more prevalent in healthcare.
Synthetic biology, which designs and constructs new biological systems, presents new challenges in biosecurity. Despite the potential of these technologies in advancing healthcare, they are not explicitly protected under HIPAA, leaving them exposed to cyber threats.
Similarly, AI-driven diagnostics, which analyze large datasets for disease identification, handle vast amounts of personal health data that may not fall under HIPAA protections, especially when data is processed outside traditional healthcare settings.
Therefore, “while HIPAA enforces privacy within the US, such requirements no longer apply once patient files leave national custody.”
Preventing insider threats
Cyberbiosecurity practices can help mitigate insider threats with tools such as multi-factor authentication and anomaly detection, which align with HIPAA’s access control requirements to secure PHI.
Additionally, organizations should implement and monitor role-based access controls (RBAC) to prevent unauthorized access to sensitive biological data.
For example, organizations can implement RBAC to restrict access to genomic databases so only authorized genetic researchers can retrieve or modify sensitive biodata. If an unauthorized attempt is detected, the system can trigger an alert and automatically revoke access until further verification is completed.
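The RBAC-plus-anomaly-detection pattern described above, written out as an added example (this is not code from the article or from any product it mentions). It assumes a simple role model with three constructed roles, a per-user volume baseline of 500 genomic records per hour, and a constructed access log; a real deployment would back these with an identity provider and a SIEM rather than in-memory dictionaries.

```python
# Added example (not the article's own code): a minimal RBAC gate for a genomic
# record store with anomaly detection and automatic revocation. Role names,
# thresholds, user names and the sample access log are all constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Permissions each role holds on the genomic dataset (assumed role model).
ROLE_PERMISSIONS = {
    "genetic_researcher": {"read", "write"},
    "clinician": {"read"},
    "billing": set(),  # no access to biodata at all
}


@dataclass
class AccessRequest:
    user: str
    role: str
    action: str          # "read" or "write"
    timestamp: datetime
    records: int         # number of genomic records the request would touch


@dataclass
class AccessGate:
    """Enforces RBAC, flags volume anomalies, and revokes access on abuse."""
    max_records_per_hour: int = 500      # assumed per-user volume baseline
    max_denials_before_revoke: int = 3   # assumed tolerance for bad attempts
    revoked: set = field(default_factory=set)
    alerts: list = field(default_factory=list)
    _history: dict = field(default_factory=dict)   # user -> [(time, records)]
    _denials: dict = field(default_factory=dict)   # user -> denied attempts

    def check(self, req: AccessRequest) -> tuple[bool, str]:
        # 1. Revoked users stay locked out until a human re-verifies them.
        if req.user in self.revoked:
            return self._deny(req, "access revoked pending verification")
        # 2. Role-based check: the role must grant the requested action.
        if req.action not in ROLE_PERMISSIONS.get(req.role, set()):
            return self._deny(req, f"role {req.role!r} does not permit {req.action!r}")
        # 3. Anomaly check: records touched by this user in the trailing hour.
        window_start = req.timestamp - timedelta(hours=1)
        recent = [n for t, n in self._history.get(req.user, []) if t > window_start]
        volume = sum(recent) + req.records
        if volume > self.max_records_per_hour:
            self.alerts.append({"kind": "ANOMALY", "user": req.user, "volume": volume})
            self.revoked.add(req.user)   # automatic revocation until verified
            return self._deny(req, f"volume anomaly: {volume} records in one hour")
        self._history.setdefault(req.user, []).append((req.timestamp, req.records))
        return True, "granted"

    def _deny(self, req: AccessRequest, reason: str) -> tuple[bool, str]:
        count = self._denials.get(req.user, 0) + 1
        self._denials[req.user] = count
        self.alerts.append({"kind": "DENY", "user": req.user, "reason": reason})
        # Repeated unauthorized attempts also trigger automatic revocation.
        if count >= self.max_denials_before_revoke and req.user not in self.revoked:
            self.revoked.add(req.user)
            self.alerts.append({"kind": "REVOKE", "user": req.user, "attempts": count})
        return False, reason


def run_demo() -> tuple[list[bool], AccessGate]:
    """Replays a constructed access log and returns the decisions and gate state."""
    t0 = datetime(2025, 3, 1, 9, 0)

    def m(minutes: int) -> datetime:
        return t0 + timedelta(minutes=minutes)

    log = [
        AccessRequest("alice", "genetic_researcher", "read", m(0), 100),   # ok
        AccessRequest("alice", "genetic_researcher", "write", m(5), 10),   # ok
        AccessRequest("bob", "billing", "read", m(10), 1),        # role lacks read
        AccessRequest("bob", "billing", "read", m(11), 1),        # second attempt
        AccessRequest("bob", "billing", "read", m(12), 1),        # third -> revoked
        AccessRequest("bob", "billing", "read", m(13), 1),        # still revoked
        AccessRequest("carol", "clinician", "read", m(20), 450),  # within baseline
        AccessRequest("carol", "clinician", "read", m(30), 100),  # 550/h -> anomaly
        AccessRequest("carol", "clinician", "read", m(90), 10),   # revoked
    ]
    gate = AccessGate()
    decisions = [gate.check(req)[0] for req in log]
    return decisions, gate


if __name__ == "__main__":
    decisions, gate = run_demo()
    print(decisions)
    for alert in gate.alerts:
        print(alert)
```

Two different signals lead to revocation here: a user whose role never permitted the action and keeps trying (bob), and a user whose role does permit reads but whose volume departs from the baseline (carol). Both produce an alert record that an analyst can review before access is restored, which is the "until further verification is completed" step the text describes.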
The way forward
Preventing cyberattacks requires stronger regulations, improved cybersecurity tools, and collaboration between biotech companies, healthcare institutions, and government agencies.
Initiatives like ARPA-H’s Advancing Clinical Trial Readiness (ACTR) program recognize these challenges and aim to build “a nationwide, decentralized infrastructure that would enable 90% of eligible Americans to participate in clinical trials within 30 minutes of their home.”
However, while decentralization improves accessibility, it also introduces new security vulnerabilities and requires advanced cybersecurity frameworks to prevent data breaches and manipulation.
Moving forward, healthcare leaders must improve cybersecurity. OCR Director Melanie Fontes Rainer warns that healthcare providers “must have practices in place to ensure patients’ [PHI] is not subjected to cyber-attacks such as ransomware.”
To achieve this, organizations must improve their security protocols and threat detection while maintaining regulatory compliance.
Ultimately, aligning cybersecurity measures with HIPAA compliance and emerging regulations can help healthcare and biotech sectors better protect patients, researchers, and the future of medicine.
Related: Aligning clinical trial innovation with HIPAA standards
FAQs
Does HIPAA cover genomic and synthetic biology data?
No, HIPAA doesn’t fully cover genomic, synthetic biology, or AI-driven medical research data, creating gaps in security and making biotech firms and research institutions vulnerable to cyber threats.
Can a cyberattack on biotech companies result in HIPAA violations?
Yes. If a healthcare provider, biotech startup, or research institution suffers a breach exposing patient data, it could face HIPAA violations, penalties, and legal consequences.
What are the penalties for violating HIPAA or GINA?
As of March 2025, HIPAA violations incur fines from $141 to $2,134,831 per violation, depending on culpability.
Tier 1 penalties apply to unintentional violations ($141–$35,581), while Tier 2 covers breaches due to reasonable cause ($1,424–$71,162). Tier 3 applies to willful neglect corrected within 30 days ($14,232–$71,162), and Tier 4 penalizes uncorrected willful neglect with the highest fines ($71,162–$2,134,831).
These fines adjust annually for inflation, and severe cases may result in criminal charges, reputational harm, and mandatory corrective actions.
For GINA violations, penalties typically involve civil fines. Violators may be required to pay damages and legal fees and undertake corrective actions, such as job reinstatement and payment of back wages, to remedy discriminatory practices based on genetic information.
Go deeper: The complete guide to HIPAA violations