The online health revolution and your DNA: It's a trust issue

Written by Larry Dignan, Contributor

23andMe, a Web-based service that allows you to understand your DNA, officially launched Monday and for $999 you can order a saliva kit, send your genes to the company and then get a hosted account with all of your genetic information for analysis.

23andMe said in a statement it is offering its services in the U.S. and will allow customers to analyze their genome and compare it to relatives who participate. "We believe this information provides intriguing insights into an individual's genetics, with the goal of expanding the collective knowledge base by enabling active participation in research," said Anne Wojcicki, co-founder of 23andMe. There's a Webcast at 2 p.m. EST today.

The company, which actually launched over the weekend, is garnering a good bit of attention because Wojcicki is Sergey Brin's wife. Google is also an investor in 23andMe. Those facts may get 23andMe some initial press, but the service will carry the day. And I do think 23andMe is onto something big here. Sure, uploading your genetic information to a startup's Web site may creep some people out, but I must admit I'm a lot more curious than I thought I'd be about 23andMe's service.

Here's the process:

  • 23andMe sends individuals a saliva kit containing a barcoded tube for saliva collection. Customers then use the enclosed mailing materials to send their samples to 23andMe's contracted laboratory. The DNA is then extracted and exposed to a microchip-like device made by Illumina, a leading developer of genetic analysis tools, that reads more than half a million points in the individual's genome, including a proprietary set chosen by 23andMe scientists, to produce a detailed genetic profile.
  • Once the analysis has been completed, individuals will be able to use their own private login to access their data via 23andMe's secure website. Using 23andMe's tools, individuals can explore their ancestry, see what genetics research means for them and compare themselves to friends and family members.
  • Ultimately, they will become part of a community that works together to advance the overall understanding of the human genome.

At this juncture, I don't have the $999 lying around just to figure out my gene pool. I'm also not convinced I want to know that much about my DNA. I already know I'm predisposed to be chunky if I don't work out like a madman. There are some cholesterol issues in my family. And I have the gene that means I run slower than molasses running uphill on a cold day. What else is there to know?


Aside from the price and curiosity issue there's another hurdle that really is the linchpin of 23andMe's business and the entire online health information revolution: Trust.

Can you trust the company holding your gene pool, medical records and other critical data?

Consider the following: 23andMe gets my DNA. I'm uploaded to a secure server that's private. I'm the only one with access to my data and I discover all sorts of information about my ancestry, tendencies and some insight to cancer rates in my family. That's worth $999 easy. And then 23andMe becomes such a hit that United Healthcare buys the company. I trusted 23andMe the startup. I don't trust 23andMe, the unit of a health insurance company.

If you think that putting your corporate data in the cloud comes down to trust, just imagine the mental hurdles involved with putting your gene pool in someone else's data center. For me, this data security issue is arguably the biggest hurdle for online health records of any sort. Yes, I realize paper is inefficient, but somehow it's comforting.

Microsoft HealthVault launched in October with an impressive lineup of partners. Technically, HealthVault isn't a personal health record, but a way to straddle numerous health records and combine them in one place. Microsoft understands the trust issue and spends a good amount of time talking about privacy. Here's the privacy statement. From an FAQ:

Q: What is Microsoft’s approach to privacy for the HealthVault platform?

A: People willing to try Microsoft’s HealthVault must trust that their data will not be lost or misused by us or anyone else. Microsoft designed and built HealthVault with a strong foundation of security and privacy while consulting with experts inside and outside the company to augment our significant expertise in these areas. HealthVault’s privacy principles show that we’re committed to putting people in control of their health information:

  1. The Microsoft HealthVault record you create is controlled by you.
  2. You decide what information goes into your HealthVault record.
  3. You decide who can see and use your information on a case-by-case basis.
  4. We do not use your health information for commercial purposes unless we ask and you clearly tell us we may.

Q: How can you promise consumers that their data will be safe? What measures have been taken to protect data “in the cloud?”

A: HealthVault was developed using Microsoft’s Security Development Lifecycle, which means security concerns have been factored into every stage of the development process and our work has been subjected to internal and external security testing. HealthVault grants access to partner programs only to the extent a user allows such access. A partner program cannot access a user’s HealthVault record without the permission of a record custodian.

Microsoft’s systems operate with extra precautions. With HealthVault we isolated traffic onto a virtually separate network and located our servers in physically separate, locked cages. All data that moves among our systems is encrypted, including all traffic to and from HealthVault, its users and its partners. Access to HealthVault data by Microsoft employees is tightly controlled and extremely limited to a small group of personnel necessary to perform essential operations.

All of our backup data is encrypted, and every stage of its transportation is logged. We also log every time records are created, changed or read, leaving a clear audit trail.

Is that enough to win me over? Probably not yet. And I generally trust Microsoft with my data.

Will Google Health be any different when it lands? I doubt it. I'm well aware that Google scans my Gmail for advertising purposes and nothing bad has happened. I'm also aware that Google claims to do no evil. I trust Google too. But do I want my health data stored on Google? Probably not.

It's a mental hurdle I have--and it's one a lot of other people have. Maybe if HIPAA applied somehow I'd feel better. Today there is a trust issue I assume I'll get over. After all, much of your financial history can be swiped in a crafty phishing attack but it's not like you put your money in the mattress.

But medical information is different. As 23andMe's tagline proclaims: Genetics just got personal. That's part of the problem. When you store your medical history, DNA and tendencies for heart disease in someone's cloud, trust is everything.
