A New Level in Security: ISO 27001:2013

DNAnexus is pleased to announce it has updated its Information Security Management System (ISMS) to comply with the current ISO/IEC 27001:2013 standard. DNAnexus cloud-based services for secure genomic information management and analysis are implemented and delivered within the framework of this updated internationally recognized security standard.

In recent years, ISO/IEC 27001 and accompanying ISO/IEC 27002 (information security management controls) have been revised. The new version ISO/IEC 27001:2013 is the first revision since ISO/IEC 27001:2005 and puts more emphasis on measuring and evaluating how well an organization’s ISMS is performing.

DNAnexus has always taken a proactive approach to security and compliance. With the updated ISO 27001:2013 security standard, regulatory compliance has never been more robust, providing customers with the highest level of data security for both research and clinical use.

Interested in learning more about ISO 27001 or the DNAnexus platform’s compliance with HIPAA, CLIA, dbGaP, and EU Privacy? A number of detailed white papers on the subject are provided on the DNAnexus website.

Security Update: GHOST Vulnerability

On January 27, 2015, a security vulnerability known as GHOST (CVE-2015-0235) was disclosed, impacting many Linux systems. The vulnerability could potentially be exploited to steal sensitive data such as encryption keys and user passwords. We have no evidence that any DNAnexus customer data or credentials were compromised using this vulnerability, and an in-depth analysis of the vulnerability attack vectors indicates that such a compromise was unlikely.

At DNAnexus, the security of our clients is our top priority. As soon as the vulnerability was disclosed, we started identifying services on our platform that were affected. All such services were patched to eliminate the vulnerability within 5 hours after it was initially disclosed. After this initial response, we started a thorough analysis of how our systems and the security of our clients could have been affected. The analysis found no indications of exploitation, and we were able to exclude large portions of our systems from the hypothetical risk of attack. However, due to the scope of the vulnerability, we are continuing the analysis and will update here if any additional information is found.

We welcome customer feedback – if you have any questions or comments about our security practices, please reach us at support@dnanexus.com.

Security Advisory: Response to Heartbleed Vulnerability

On April 7, 2014, a serious vulnerability known as Heartbleed (CVE-2014-0160) was disclosed in the OpenSSL cryptography library, affecting many popular software packages and Internet services. The vulnerability could potentially be exploited to steal sensitive data such as encryption keys and user passwords. We have no evidence that any DNAnexus customer data or credentials were compromised using this vulnerability. However, out of an abundance of caution, we have taken the steps described below and will continue to implement security actions in response to this event.

At DNAnexus, the security of our clients is our top priority. As soon as the vulnerability was disclosed, we started identifying services on our platform that were affected. All such services were patched to eliminate the vulnerability within 8 hours after it was initially disclosed. After this initial response, we started a thorough analysis of how our systems and the security of our clients could have been affected.

At this time, we have no reason to believe any customer data or credentials were compromised using this vulnerability. Moreover, none of our services that handle genomic data were directly vulnerable. However, services that handle credential information were affected. The nature of this vulnerability makes exploitation hard to detect, and therefore we have decided to take the following precautions:

  • We have updated our affected SSL certificates to eliminate the possibility that our private SSL keys were compromised.
  • Existing browser-based login sessions initiated before the patch date have been terminated, so you will need to log in again the next time you use the platform.
  • We have triggered early expiration of DNAnexus passwords set before the patch date, so the next time you log in to the platform, you will be prompted to reset your password.
  • The next time you log in, you will also see a security alert advising you to update any API keys that you may have issued on the platform.

To minimize the risk of compromise of your account from possible attacks including this one, we also recommend turning on Two-Factor Authentication (2FA) on the DNAnexus platform, or cycling it if it was already on. Follow these steps:

  • Log in to https://platform.dnanexus.com/
  • Select your name in the upper right and pull down the “Profile” menu item
  • Select the Account tab and click Security
  • If 2FA was previously on, turn it off using your current password and a 2FA Code
  • Turn on Two-Factor Authentication and link your account and authenticator application
  • Verify access using your current password and a Two-Factor Authentication Code, being sure to save your backup codes before pressing “Continue”

We welcome customer feedback – if you have any questions or comments about our security practices, please reach us at support@dnanexus.com.