White House Announces Data Security Policy Principles for Precision Medicine Initiative

May 25, 2016

By Bio-IT World Staff

May 25, 2016 The White House announced the final Data Security Policy Principles and Framework (Security Framework) for the Precision Medicine Initiative (PMI) this afternoon. Sylvia Mathews Burwell, Secretary of Health and Human Services; and Lisa O. Monaco, Assistant to the President for Homeland Security and Counterterrorism, laid out a security framework for institutions who participate in the PMI and provides a risk management approach to achieving those principles. Federal PMI agencies have committed to integrate the framework throughout all PMI activities.

President Obama announced the Precision Medicine Initiative at the beginning of 2015. Last September, the Precision Medicine Initiative Working Group released a report to lay out a blueprint for the initiative. Security concerns were paramount. The Working Group recommended that patients should have access to their own medical data, and be significantly involved in decisions about data return.

The Security Framework released today embodies those recommendations: “Nothing in this document is intended to preclude the public posting of appropriate non-identifiable, non-individual level information, such as aggregate research data, research findings, and information about ongoing research studies.”

At only ten pages, the framework is not expansive. And that’s by design. There is no “one size fits all” approach to managing data security, the authors write. Instead the document is meant to offer, “broad framework for protecting participants’ data and resources in an appropriate and ethical manner that can be tailored to meet organization-specific requirements.”

Topping the data security principles outlined in the framework is engendering trust and having a participant first orientation. “Participants are the foundational stakeholders of all research activities,” the framework emphasizes.

Next on the list, the authors acknowledge that security, medicine, and technology are all evolving quickly and security policies must be adaptable and updatable, while preserving data integrity.

The PMI’s security framework is based on one developed by the National Institute for Standards and Technology (NIST) that aims to achieve, “five simultaneous and continuous functions—Identify, Protect, Detect, Respond, and Recover—to assess cybersecurity and data security performance, as well as physical and environmental controls.”

The framework recommends that PMI institutions develop an overall security plan that is transparent and risk-based and includes third-party review. Data protection policies should include access control; training for both PMI participants and data users; encryption and physical security features; and life cycle management of both data and systems.

User access and behavior should be audited so that threats are quickly detected. The authors recommend that PMI institutions, participate in relevant threat information sharing forums, and include ways for users to report potential threats. Security frameworks should include detailed plans to respond to security incidents, assess severity, and manage a breach, including plans for notifying individuals whose data were compromised.

Finally, institutions should have in place an incident and breach recovery plan. They should conduct root cause analysis, identify areas needing improvement, and update security plans based on those lessons learned and, if appropriate, share the lessons with other institutions.

“Our greatest asset in PMI is the data that participants contribute, and we want to make sure participants know that their data is protected,” said Burwell and Monaco in the blog announcing the framework. “The Security Framework we are releasing today builds on the existing PMI Privacy and Trust Principles and ensures we put the security of participants’ information first.”