Data security framework released for Obama’s Precision Medicine Initiative

The final version of the policy principles governing data security efforts within President Barack Obama’s Precision Medicine Initiative (PMI) has been released.

In a blog post, HHS Secretary Sylvia Burwell said the framework, while not a set of firm guidelines, offers organizations looking to participate in PMI some idea of the security expectations involved in the program.

“We recognize that there is no one-size-fits-all approach to managing data security,” Burwell wrote. “This is why the Security Framework, which builds on the National Institute of Standards and Technology (NIST) Cybersecurity Framework, is designed to be adaptable and responsive to the needs of multiple participating PMI groups, providing a broad framework for protecting participants’ data.”

Building on the NIST framework was applauded by groups such as HIMSS when the draft version was released.

The principles organizations are being asked to follow include building a system that inspires participants’ confidence, developing risk management plans, minimizing exposure of patient data, and not using security concerns as a reason to deny patients access to their own data.

In more specific terms, the framework outlines five broad categories, mirroring the NIST Cybersecurity Framework’s core functions, “to assess cybersecurity and data security functions”:

  • Identify: develop an overall security and risk management plan, including the physical security of PMI data storage locations, and bring in an outside party to review security plans
  • Protect: create strict verification procedures for anyone who may access or contribute to PMI data, and use strong encryption for data that could identify an individual
  • Detect: conduct regular audits and share information about threats with other organizations
  • Respond: develop and test plans for responding to security incidents
  • Recover: groups will be required to have an “incident breach and recovery plan” covering how to restore service, recover data, and improve security after a breach

Burwell said the Office of the National Coordinator for Health IT will be in charge of developing more specific guidelines, due to be released in December.