White House Finalizes Data Security Framework For Precision Medicine Initiative

King & Spalding

On May 25, 2016, the White House unveiled the final data security framework for its Precision Medicine Initiative (“PMI”). One of the main goals of PMI is to develop a research cohort for collecting health data from Americans “over many years to improve health outcomes, fuel the development of new treatments for disease, and catalyze a new era of data-based and more precise preventive care and medical treatment.” According to Kathy Hudson, Deputy Director for Science, Outreach and Policy at the National Institutes of Health (“NIH”), health care organizations will be incentivized to participate in the cohort through funding awards; NIH is authorized to fund five to seven organizations to participate. Because PMI will collect personal and sensitive data from participating organizations’ patients, the program “presents fresh privacy and security concerns for sensitive patient data.” The data security framework is intended to address those concerns.

The 10-page framework, as outlined by U.S. Department of Health and Human Services (“HHS”) Secretary Sylvia Burwell and Lisa Monaco, Assistant to the President for Homeland Security and Counterterrorism, provides risk management guidelines for all participating institutions, and “Federal PMI agencies have committed to integrate the framework throughout all PMI activities.” Although the framework is designed to adapt to changing security needs, eight overarching principles are central to it: (1) strive to build a “participant first” system; (2) identify key risks; (3) provide clear expectations and transparent security practices; (4) share experiences with other organizations; (5) recognize rapidly evolving security needs; (6) use security practices and controls to protect data, but never as a reason to deny a participant access to his or her own data; (7) act responsibly; and (8) preserve data integrity.

To ensure these principles are followed at participating organizations, the framework lays out five steps. First, each PMI organization should adopt an overall security plan that identifies a governance body. The plan should describe how the organization will, among other things, identify and respond to threats, conduct continuous monitoring, respond to security breaches, and ensure that physical and technical controls are in place to safeguard the data. PMI organizations “should use risk-management strategies, tools, and techniques to inform and prioritize decisions regarding the protection of PMI data.” Security plans should be reviewed regularly by an independent third party and posted publicly to enable transparency and consistency across organizations.

Second, PMI organizations should protect their data through both access control and security training. Access control should not be limited to usernames and passwords, but should involve “innovative approaches for authentication.”

Third, PMI organizations should develop the ability to detect security events. For example, the framework expects these organizations to “capture interactions with PMI data from networks, servers, and application infrastructure”; “participate in relevant threat information sharing forums”; and “make reports of security anomalies, alerts, reports, or other relevant events available to the organization’s governance boards.”

Fourth, the framework states that PMI organizations should plan their response to “security incidents,” noting specifically that “[n]ot all security incidents result in a breach.” Response plans should be tested regularly. When an incident does result in a breach, PMI organizations are expected to notify the affected individuals.

Fifth and finally, PMI organizations “should establish, maintain, and implement” plans for post-incident recovery. After a security incident or breach, the framework expects these organizations to “communicate to stakeholders when a safe and secure environment has been restored” and to identify “lessons learned” from the recovery.

Reactions to the framework appear to be mixed. Although most agree that the framework is a good start, there is concern that a collection of data this sensitive is an extremely attractive target for bad actors. And because PMI seeks to collect genomic data, a breach would expose not only the participants themselves but also their biological relatives, whose genetic information is partly revealed by a participant’s genome.

Reporter, Bethany Rupert, Atlanta, +1 404 572 3525, brupert@kslaw.com.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
