WMDA & Securance
WMDA collaborated with Securance to protect one of the world’s largest stem cell donor databases
How World Marrow Donor Association and Securance strengthened trust in international stem cell exchange
Every day, dozens of patients around the world are diagnosed with blood-related cancers that may require a stem cell transplant. For most of them, a matching family donor simply doesn’t exist. Their only chance lies somewhere beyond their own borders, in a global pool of unrelated volunteers.
Behind that search stands the World Marrow Donor Association (WMDA).
WMDA hosts and maintains the international database that makes cross-border stem cell matching possible. Today, that database contains more than 44 million donor records from across the world. Not names and addresses, but highly sensitive, pseudonymized genetic data that allows transplant physicians to search for a compatible match.
When you operate at that scale, and with data that sensitive, cybersecurity is existential.
We spoke with Alicia Venter, Project Coordinator at WMDA, to understand how they safeguard one of the world’s largest stem cell donor databases, and what cybersecurity means in a life-saving ecosystem.
“What does WMDA actually do?”
At its core, WMDA connects the world’s stem cell registries and cord blood banks. National registries recruit volunteer donors, collect DNA samples (often via cheek swab or blood test), code the genetic markers, and store them locally.
But genetic diversity and global mobility have changed the landscape. In many countries, the likelihood of finding a suitable donor within national borders is limited. So instead of transplant physicians contacting dozens of registries manually, WMDA enables a single international search.
Their systems include:
- A global donor database
- A search platform that functions like a “Google for donors”
- A registry-to-registry communication system (Match Connect)
- Applications for quality control and biovigilance reporting
All of this infrastructure supports one goal: making sure patients can find a match quickly, reliably, and safely.
But harmonizing hundreds of registries worldwide requires more than technical coordination.
WMDA standardizes terminology through a global data dictionary, enforces strict XML/JSON schemas for data submission, aligns with WHO genetic nomenclature updates several times per year, and operates an ISO-accredited certification body that defines best practices for donor recruitment, collection, transport, ethics, and reimbursement.
It is governance, quality control, ethics, and technology, combined.
“Why is cybersecurity so critical in this environment?”
The short answer: trust.
The longer answer is that large genetic databases are increasingly attractive targets for malicious actors. WMDA operates under GDPR and manages pseudonymized genetic data, data that can never be fully anonymous because it is biologically unique.
As Alicia Venter from WMDA explains, their mindset is pragmatic:
It is not a question of if, but when.
A breach would not only create regulatory consequences. It would damage trust among member registries. If members no longer believe their data is safe, the entire system of international stem cell exchange could weaken. Registries might revert to manual processes, paper forms, or fragmented communication.
For an organization coordinating life-saving matches across borders, that risk is unacceptable.
“What triggered the collaboration with Securance?”
The turning point came when WMDA developed its registry-to-registry communication platform, a digital API-based system designed to replace paper and email exchanges.
For many members, this platform became business-critical. It was essentially:
Members were enthusiastic, but cautious. A key concern surfaced: could a relatively small nonprofit guarantee enterprise-level security?
WMDA’s response was proactive. They committed to strengthening their security framework, aligning with ISO 27001 principles, and implementing structured governance. Penetration testing became a central component of that journey.
To execute this properly, they needed an experienced partner.
“What were the results?”
Two in-house applications were tested:
- The registry-to-registry communication platform (new, production-level)
- A mature biovigilance reporting tool containing clinical information
The outcome was reassuring:
- No major findings
- One minor finding
- Several informational observations
For the newly launched communication platform, this was its first full production penetration test. The results confirmed that secure development practices had been embedded correctly from the beginning.
For the mature application, the absence of significant issues validated WMDA’s update cycles and maintenance discipline.
The testing did not expose structural weaknesses. It validated the robustness of the systems.
“Is penetration testing enough?”
No, and WMDA does not treat it as a standalone solution.
Their security structure includes:
- A virtual CISO
- A Data Protection Officer
- Dedicated IT leadership
- Senior developers responsible for dependency updates
- Ongoing phishing awareness training across the organization
Security awareness is not confined to IT. It is embedded in culture.
Because WMDA is a nonprofit, they run penetration tests on a two-year cycle across applications, balancing budget realities with risk management. But even within those constraints, testing provides concrete value: visibility into gaps, prioritization of actions, and documented accountability toward members.
It supports informed decision-making.
“What advice would WMDA give other global nonprofits?”
Her answer is simple, and pragmatic:
Start small, but start!
Security frameworks like ISO 27001 can feel overwhelming. But breaking them down into manageable actions changes the dynamic. Identify two or three accountable people. Meet regularly. Build a risk register. Document vulnerabilities. Take incremental steps.
Penetration testing, in particular, is often more accessible than organizations expect. Even if results are not perfect, they provide clarity and direction.
Waiting until an incident occurs is not a strategy.
Being secure for younger generations
Younger generations are increasingly skeptical about sharing personal data, which makes handling health and genetic information even more essential.
WMDA cannot promise that a breach will never occur. No organization can. But they can demonstrate that security is actively managed, continuously evaluated, and independently validated. And, in this case, that assurance strengthens donor trust in how their data is handled, ultimately contributing to improving patients’ chances of survival.
A shared responsibility
Blood-related cancers treated by stem cell transplantation are among the few cancers for which a cure pathway already exists. But that cure depends on global cooperation, and global cooperation depends on secure digital infrastructure.
The collaboration between WMDA and Securance is not just about passing a penetration test. It is about reinforcing the digital backbone of international stem cell exchange.