The White House recently released a guidance document to help those in the precision medicine community ensure that participants’ data and resources remain secure. The document, titled “Precision Medicine Initiative: Data Security Policy Principles and Framework,” is meant to offer “security policy principles and a framework to guide decision-making by organizations conducting or participating in precision medicine activities.” It is the result of a collaborative, interagency process that featured roundtable discussions with various security experts as well as a review of existing data security resources. Federal Precision Medicine Initiative (PMI) agencies have already committed to integrating the framework into all PMI activities.
But the document is meant only to be a guideline – not a one-size-fits-all solution. It notes that those in the PMI community must constantly strive to use current best practices and should conduct their own “comprehensive risk assessment to identify specific security requirements and establish processes to continuously review and make improvements.”
The guidance emphasizes some overarching principles that anyone dealing with sensitive data should bear in mind when developing and implementing a data security plan:
- Keep pace with changing technology and new security threats.
- Tailor your data security plan to your unique circumstances.
- Be specific – think about your risks and put in writing how you will neutralize them.
- Have an independent third party review your plan.
- Without compromising security, be transparent about your plan to build trust among participants.
The document also offers specific suggestions with respect to identity proofing, user credentials and authentication, encryption and physical security, audits to detect anomalous activity, and incident response, among other topics. The White House also emphasizes the importance of ongoing participant education, as well as role-specific training for those who use PMI data.
On balance, the White House’s message to the PMI community is clear: Think hard about data security, think often about data security, and act vigilantly.
The guidance is available here: www.whitehouse.gov/sites/whitehouse.gov/files/documents/PMI_Security_Principles_Framework_v2.pdf.
For more information, contact Ryan P. Blaney or another member of Cozen O’Connor’s Health Law team.