White House Outlines Data Security Principles for Precision Medicine

President Obama’s Precision Medicine Initiative (PMI) cannot work if patients do not feel comfortable sharing healthcare data. On Wednesday, the White House released a security framework—a set of principles to govern data sharing, which will be followed by more specific set of guidelines before the president leaves office.

HHS Secretary Sylvia Mathews Burwell announced the principles in a blog post, stating, “Our greatest asset in PMI is the data that participants contribute, and we want to make sure participants know that their data is protected.”

Burwell said the security framework is based on the Cybersecurity Framework of the National Institute of Standards and Technology (NIST). According to the blog post, the Office of the National Coordinator for Health Information Technology, led by Karen DeSalvo, MD, MPH, MSc, will be charged with convening NIST, related federal agencies and key stakeholders to flesh out the framework with specific guidelines for protecting data in precision medicine by December 2016.

Data sharing in precision medicine has not been without controversy. While many academic researchers chastise those in industry who decline to share data—even accusing them of “hoarding” patient information—some genetic testing companies say security on public databases is flawed, and patients who decide to share their genetic and other healthcare data should understand the risks. Just last week, a disagreement arose between the ACLU and Myriad Genetics, a 25-year-old molecular diagnostics company that declines to share data due to patient privacy and intellectual property concerns.

The White House document calls for data sharing in PMI to recognize the unique issues with patient data, and that sharing ultimately depends on trust that information is being used responsibly. While most patient data used by researchers is de-identified, the document warns, “no de-identification process guarantees that individuals can never be re-identified. Therefore, PMI organizations should not rely on de-identification alone as a security control or as a privacy protecting technique.”

The security framework outlines 5 distinct functions that go on simultaneously, which are needed to assess security performance. They are:

Identify. This step calls for the development of an overall security plan, risk-management strategies for protecting PMI data, developing an independent third-party review process, and a breach notification process.

Protect. This step calls for creating strict protocols for who has access to data, steps for verifying their identity, encryption processes, data maintenance standards, and patient and user education steps.

Detect. In this step, PMI groups conduct ongoing audits to find any breaches, create user logs, and develop networks to share information threats.

Respond. Here, PMI groups develop strategies to contain data if a breach happens, and well as incident response protocols. These include notification steps and naming an “accountable point of contact.”

Recover. All PMI groups must have an “incident breach and recovery plan,” with strong communication steps and a review process.