The White House has released the final Precision Medicine Initiative security framework, which should be used by participating institutions to achieve the principles laid down in the Obama Administration’s Precision Medicine Initiative.
The Precision Medicine Initiative security framework contains a set of risk management guidelines that can be used to protect sensitive data and preserve data integrity. The 10-page framework may not be perfect, but it does allow institutions to address a range of privacy and security concerns and better safeguard sensitive patient data.
Precision Medicine Initiative Security Framework Developed to be Adaptable to the Needs of Each Organization
The Precision Medicine Initiative security framework expands on the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST) and includes policy principles to guide organizations and help them develop an appropriate data security plan.
It would not be possible to develop a rigid data security framework that is ideal for all participating organizations. Consequently, a broad framework has been developed that can be easily adapted and tailored to meet the needs of each organization.
Policy principles are divided into five categories: identify, protect, detect, respond, and recover. Organizations must develop an overall security plan, protect data using access controls, and improve awareness through training. Organizations must conduct audits, log security events, and report anomalies. They must respond to security incidents and notify individuals, and be able to rapidly implement a breach recovery plan. Participating organizations must also share data on events and implement enhanced protections to prevent future breaches.
Organizations must accept that threats are constantly changing, as are medical technologies, and implement policies and procedures that are adaptable. Data security policies must therefore be at the heart of each organization, and policies and procedures must be able to evolve to cope with new technology and the changing threat landscape.
It is essential that policies and procedures are developed to preserve data integrity to ensure researchers and healthcare providers can trust PMI data. Any risks to data security must be assessed and risk management plans developed to address any security vulnerabilities that are discovered. While security practices must be used to protect data, participants must not be prevented from gaining access to their data, should they so wish.
Efforts need to be made to minimize data exposure, and in the event of a data breach, participants must be made aware of the data elements that have been exposed or compromised. Security processes must also be transparent, and clear expectations must be provided to participants and other parties.
Transparency Essential to the Success of the Precision Medicine Initiative
Over 1 million patients will be enrolled and will share their data under the PMI. It may prove difficult to enroll patients if they have doubts about data security. It is therefore essential that patients are assured that their data will be secured and kept private, and that appropriate protections are put in place to prevent access by unauthorized individuals. Since genetic data will be supplied by patients, it is not only the individuals participating in the scheme that will be at risk in the event of a data breach. Other family members are also likely to be impacted. It is therefore essential to the success of the initiative that a system is developed that patients trust, and for that to happen, transparency is essential.
The Precision Medicine Initiative security framework can be viewed at the following link.