Security in the Precision Medicine Initiative

In the White House’s 2016 Precision Medicine Initiative (PMI) Summit, President Obama noted that one of the challenges of the PMI is concerns regarding security. Incorporating “Big Data” into medicine to see larger treatment trends within certain populations to in turn more accurately treat patients’ individual conditions is one of the large goals of the PMI. The hope is for patients to willingly and voluntarily contribute data and information about their health and condition history to the overall pool of data for medical professionals and researchers to then analyze.

Naturally, people may have concerns about the security of their data, especially given the stream of security breaches in large companies that have been in the news almost weekly. Will my data be safe? Who will have access to the data? Can I see my own data? Will I be told if something happens to my data?

In May of this year, The White House released its “Data Security Policy Principles and Framework”. The 10-page PDF can be found here. While the document is comprehensive, it is also a little dense. The bulk of the document addresses five main functions of security in the PMI: identifying security risks and an overall security plan, protection of secure data, detecting any security breaches through comprehensive auditing, responding to any breaches, and then effectively recovering from the breach. In this blog post, we’ll sum up the key points of the Framework and how they may apply to you.

One of the keystones that sets the pace for the rest of the Framework is acknowledging the security challenges unique to the PMI. The lion’s share of the data individuals would contribute is highly sensitive: clinical data, insurance claims data, demographic data, genomic and other biospecimen data, data regarding any equipment or devices used, and much more. The rest of the Framework is built around keeping this sensitive data as secure as possible.

Based on this theme of “highest security possible,” the White House’s PMI Security Framework also expresses flexibility. Rather than mandate one security system for every PMI organization to implement and follow, the Framework recognizes “security best practices are highly dependent on context.” This leaves room for each organization to manage its own risk and create security measures that will best protect its specific data. What form of storage will work best for us? What are the digital security measures that will best protect

the data? What physical security measures must be taken? This core principle of allowing PMI organizations to “take advantage of system architectures that meet their needs” allows each organization for create a tailor-made security system that will best fit their type and form of data from the security threats the organization itself deems most pertinent.

One final key theme of the PMI Security Framework is the heavy focus on recognizing the highly important role participants play. Participants of the PMI are the ones actually contributing the data to be used. And essentially, the PMI cannot be successful without their effort as well as that of researchers and medical professionals. The Framework notes that any PMI organization should have a “participant first orientation” when taking security risks into account and creating a framework around them. This means creating a system which participants can trust to keep their contributed data safe, keep participant access to their own data open (within certain constraints), and maintain transparency of security processes and any breaches that may occur.

The Precision Medicine Initiative is a bold direction for modern medicine, and it requires cooperation between all main constituents, patient participants, medical professionals, researchers, security professionals, and more, to be as successful as possible. Being detailed and transparent in their presentation of PMI security is a strong step forward in promoting strong collaboration, and recognizing that one size rarely fits all when it comes to medicine and that patients should be the highest priority in medicine shows serious dedication in the stated goals of the Precision Medicine Initiative.

The complete “Data Security Policy Principles and Framework” for the Precision Medicine Initiative can be found here. And the previously released “Privacy and Trust Principles” can be found here.