Precision medicine is an innovative approach to medical treatment that takes into account individual differences in people’s genes, environments, and lifestyles. The promise of precision medicine is delivering the right treatments, at the right time, to the right person. It gives medical professionals the resources they need to target specific treatments to the illnesses their patients encounter. Although the term “precision medicine” is relatively new, the concept has been a part of healthcare for many years. For example, a person who needs a blood transfusion is not given blood from a randomly selected donor; instead, the donor’s blood type is matched to the recipient to reduce the risk of complications.
The potential of precision medicine is recognized at the highest levels of government. In his 2015 State of the Union address, President Obama launched the Precision Medicine Initiative (“PMI”), a bold new research effort to revolutionize health and the treatment of disease. Subsequently, Sylvia M. Burwell, Secretary of the U.S. Department of Health & Human Services (“DHHS”), announced the FY 2016 budget would include $215 million for the PMI, with $200 million of this to be used by the National Institutes of Health (“NIH”) to launch a national cohort of a million or more Americans who volunteer to share genetic, clinical, and other data to improve research. The funds will also be used to invest in expanding current cancer genomics research and to initiate new studies on how a tumor’s DNA can inform prognosis and treatment choices.
The PMI Cohort Program intends to extend precision medicine to all diseases by building a national research cohort of 1 million or more U.S. participants. Many factors have converged to make now the right time to begin a program of this scale and scope: Americans are extremely engaged in improving their health and participating in health research, electronic health records have been widely adopted, genomic analysis costs have dropped significantly, data science has become increasingly sophisticated, and health technologies have become mobile. Most recently, the NIH and the Office of the National Coordinator announced the program “Sync for Science,” which enables patients to donate their medical data to the PMI and improves the sharing of data between researchers.
Because personal and sensitive data will be collected through PMI, the program may present certain privacy and security concerns for sensitive patient data. To help mitigate these risks, on May 25, 2016, the White House unveiled the final data security framework for the PMI (“Framework”), along with commentary from the DHHS and the Department of Homeland Security. The Framework builds upon the PMI Privacy and Trust Principles previously released and provides risk management guidelines for all participating institutions. Federal agencies participating in the PMI have also committed to implement the Framework in systems and processes used for the PMI. The Framework is based on the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework and is designed to be adaptable and responsive to the needs of multiple participating PMI groups, providing a broad framework for protecting participants’ data. Organizations can use the Framework to develop detailed implementation guidelines that address their specific data security needs. The goal is to take advantage of the rapid evolutions in medicine, research, and technology while still protecting participants’ information.
Although the Framework allows for flexibility in its implementation, it does set forth eight overarching guidelines to which participating organizations need to adhere:
- Strive to build a system that participants trust;
- Treat security as a core element of the organization’s culture;
- Seek to preserve data integrity;
- Identify key risks;
- Provide clear expectations and transparent security processes to participants;
- Provide participant access to his or her data;
- Minimize exposure of participant data; and
- Share experiences and challenges so organizations can learn from each other.
To ensure these eight guidelines are met, the Framework provides five steps. First, PMI organizations should identify an overall security plan that outlines the roles and responsibilities of individuals related to the security of data. This should include the establishment of a governance body for the organization’s security program. The plan should describe how the organization will, among other things, identify and respond to threats, conduct continuous monitoring, respond to security breaches, and ensure physical and technological controls are in place to safeguard the data. These security plans should be reviewed regularly by an independent third party, and they should be posted publicly to enable transparency and congruity.
Second, organizations should protect their data through access control and training. Access control should go beyond physical safeguards and implement “innovative approaches” to authentication beyond a simple user name and password.
Third, organizations should develop methods to detect potential breaches of security. These systems should also include alerting mechanisms to ensure timely and adequate awareness of irregular events.
Fourth, organizations should implement a plan to respond to and contain security incidents. The response plans to such incidents should be tested on a regular basis. When an incident results in a breach, PMI organizations are expected to notify the affected individuals in accordance with applicable law.
Fifth and finally, organizations should implement plans for post-incident recovery. The Framework provides that, after a security incident or breach, organizations are expected to “communicate to stakeholders when a safe and secure environment has been restored,” and to identify the lessons that have been learned after recovery.
It is a positive step to see a multi-agency team recognize the potential privacy and security implications of developing technology and work together to develop guidelines to mitigate these potential risks.