“We’re going to make sure that protecting patient privacy is built into our efforts from day one.” - President Barack Obama, January 30th 2015
The health care system of the future is taking shape right now, and the foundation of that new system is health care data that is private, trusted and secure. Today, we are pleased to release the final Data Security Policy Principles and Framework (Security Framework) for President Obama’s Precision Medicine Initiative (PMI). The types, breadth, and sensitivity of the personal health, genetic, and environmental information that may be part of a precision medicine-type activity warrant careful attention and protection. Therefore, the Security Framework (modeled on the Administration’s Cybersecurity Framework) establishes security expectations for organizations that participate in PMI and provides a risk management approach to achieving those principles. To ensure that we are leading by example, Federal PMI agencies have committed to integrate the framework throughout all PMI activities.
On January 30, 2015, President Obama launched PMI to enable a new era of medicine – one where doctors and clinicians are empowered to tailor their treatments to their patients’ needs, and patients can get individualized care. With new advances in medical research, our health care system can deliver the right treatment to the right patient at the right time, taking into account an individual’s health history, genetics, environment, and lifestyle.
Since the launch of the initiative, researchers, technologists, and potential participants have shared their excitement for this vision. At the PMI Summit in February, the Administration announced over 40 major commitments from the private sector that will advance precision medicine, including commitments from seven major electronic health record (EHR) vendors to implement technology that allows patients to easily send their EHR data to the PMI cohort.
Our greatest asset in PMI is the data that participants contribute, and we want to make sure participants know that their data is protected. The Security Framework we are releasing today builds on the existing PMI Privacy and Trust Principles and ensures we put the security of participants’ information first.
We recognize that there is no “one-size-fits-all” approach to managing data security. This is why the Security Framework, which builds on the National Institute of Standards and Technology (NIST) Cybersecurity Framework, is designed to be adaptable and responsive to the needs of multiple participating PMI groups, providing a broad framework for protecting participants’ data. Additionally, the Security Framework emphasizes transparency with participants, the public, and other precision medicine organizations so that groups can learn from each other’s experiences and challenges. Organizations can use the framework to develop detailed implementation guidelines that address their specific data security needs. With this flexibility, we can make use of rapid evolutions in medicine, research and technology while still protecting participants’ information.
Finally, we are committed to helping organizations develop these tailored requirements. The Office of the National Coordinator for Health Information Technology and the Office for Civil Rights, in partnership with NIST, other Federal partners, and a broad set of stakeholders, will release a precision medicine-specific guide to the NIST Cybersecurity Framework by December 2016.
Today, our health care system is standing on the verge of unprecedented breakthroughs in the way we care for patients and treat disease. Thanks to President Obama’s Precision Medicine Initiative, we have a greater opportunity to make those breakthroughs a reality. And by protecting the health care data that powers those breakthroughs, we can make sure that every American is healthier and their health care data is secure.