As the White House continues to build out the details for the Precision Medicine Initiative (“PMI”), on May 25, 2016 it released a final set of principles on data security. In a document that “provides a broad framework for protecting participants’ data and resources in an appropriate and ethical manner,” eight overarching data security policy principles and a framework are outlined to guide PMI organizations in developing and implementing an organization-specific security plan. These principles and framework are further described below.
President Obama announced the launching of the PMI last year in his State of the Union address. The initiative aims to move the nation’s health care towards individualized and patient-tailored medical treatments, by providing tools to gather and utilize unique patient characteristics, such as genome sequence, microbiome composition, health history, lifestyle and diet. Individualized and tailored approaches would help doctors to develop improved treatment plans for each patient.
Because the PMI’s success depends, in part, on the ability to effectively collect and exchange data across a variety of platforms and organizations, a critical aspect of the PMI’s data sharing effort, as with any effort to collect and exchange large amounts of health information, is to establish security principles and a framework to protect the privacy of collected patient data. Genomic data, for example, presents unique risks: it includes sensitive health information not only about the individual patient, but also about the patient’s family members and other genetic relatives.
The finalized PMI data security principles focus on building trust among the primary users of PMI data, including individual participants, researchers, developers, vendors, physicians and other health care providers, as well as effectively identifying and addressing data security risks and breaches. The overarching principles guide PMI organizations to, at a minimum:
- Strive to build a system that participants trust by adopting a “participant first” approach in identifying and addressing data security risks;
- Treat security as a core element of the organizational culture and ensure that security processes and controls are adaptable and updatable;
- Seek to preserve data integrity;
- Identify key risks and develop evaluation and management plans to identify and address those risks;
- Provide participants and other relevant parties with clear expectations and transparency into security processes;
- Use security practices and controls to protect data, but without denying a patient access to his or her data, or as an excuse to limit research uses of the data;
- Seek to minimize exposure of patient data, and communicate with participants if there has been a breach in data; and
- Share experiences and challenges, allowing organizations to learn from each other.
PMI organizations may adopt these principles using a variety of different frameworks to organize their data security programs. The final PMI guidance offers a framework based on the one adopted by the National Institute of Standards and Technology (“NIST”) for improving cybersecurity infrastructure. The NIST framework was developed through collaboration among a variety of affected departments and agencies, including but not limited to, the U.S. Department of Health and Human Services, the Federal Trade Commission, the National Security Council, the National Institutes of Health, the Food and Drug Administration, and the Centers for Medicare & Medicaid Services. Data security programs organized under this framework would perform five continuous core functions to assess cybersecurity and data security: “Identify, Protect, Detect, Respond, and Recover.” The PMI guidance details the activities and policies that organizations should implement under each of these five core functions. (More detailed guidance on the NIST cybersecurity framework is expected to be released by December 2016, and can be found here.)
PMI organizations should strive to adopt the guidance as current best practice. Sensitive data is already being shared among PMI organizations through contractual agreements, but without uniform security standards, practices and breach notification procedures. Organization-level implementation of the final PMI principles and framework promises to address some of these uniformity issues, as well as other major concerns about sharing sensitive data, and may also reduce transaction costs. In addition, because technology in this area continues to evolve quickly, PMI organizations will need to build flexible security processes and controls that can adapt quickly to change.