Data security framework released for Obama’s Precision Medicine Initiative

The final version of the policy principles governing data security efforts within President Barack Obama’s Precision Medicine Initiative (PMI) has been released.

In a blog post, HHS Secretary Sylvia Burwell said the framework, while not a set of firm guidelines, offers organizations looking to participate in PMI some idea of the security expectations involved in the program.

“We recognize that there is no one-size-fits-all approach to managing data security,” Burwell wrote. “This is why the Security Framework, which builds on the National Institute of Standards and Technology (NIST) Cybersecurity Framework, is designed to be adaptable and responsive to the needs of multiple participating PMI groups, providing a broad framework for protecting participants’ data.”

Applying the NIST framework had been applauded by groups such as HIMSS at the draft stage.

The principles organizations are being asked to follow include building a system which inspires confidence in participants, developing risk management plans, minimizing exposure of patient data, and not using security concerns to deny a patient access to their own data.

In more specific terms, the framework outlines five broad categories “to assess cybersecurity and data security functions:”

  • Identify: develop an overall security and risk management plan, including physical security of PMI data storage locations and bringing in an outside party to review security plans
  • Protect: create strict verification procedures for anyone who may have access to or contribute to PMI data, and use strong encryption for data that could identify an individual
  • Detect: conduct regular audits and share information about threats with other organizations
  • Respond: develop and test plans on how to respond to security incidents
  • Recover: groups will be required to have an “incident breach and recovery plan” on how to restore service, recover data, and improve security after a breach

Burwell said the Office of the National Coordinator for Health IT will be in charge of developing more specific guidelines, due to be released in December. 

John Gregory, Senior Writer

John joined TriMed in 2016, focusing on healthcare policy and regulation. After graduating from Columbia College Chicago, he worked at FM News Chicago and Rivet News Radio, and worked on the state government and politics beat for the Illinois Radio Network. Outside of work, you may find him adding to his never-ending graphic novel collection.
