But the document is meant only to be a guideline – not a one-size-fits-all solution. It notes that those in the PMI community must constantly strive to use current best practices and should conduct their own “comprehensive risk assessment to identify specific security requirements and establish processes to continuously review and make improvements.”
The guidance emphasizes some overarching principles that anyone dealing with sensitive data should bear in mind when developing and implementing a data security plan:
- Keep pace with changing technology and new security threats.
- Tailor your data security plan to your unique circumstances.
- Be specific – think about your risks and put in writing how you will neutralize them.
- Have an independent third party review your plan.
- Without compromising security, be transparent about your plan to build trust among participants.
The document also offers specific suggestions with respect to identity proofing, user credentials and authentication, encryption and physical security, audits to detect anomalous activity, and incident response, among other topics. The White House also emphasizes the importance of ongoing participant education, as well as role-specific training for those who use PMI data.
On balance, the White House’s message to the PMI community is clear: Think hard about data security, think often about data security, and act vigilantly.
The guidance is available here: www.whitehouse.gov/sites/whitehouse.gov/files/documents/PMI_Security_Principles_Framework_v2.pdf.
For more information, contact Ryan P. Blaney or another member of Cozen O’Connor’s Health Law team.