The White House has released a data security framework to help organizations participating in the Precision Medicine Initiative (PMI) protect information on individuals. Officials have opted against taking a prescriptive approach and have instead tried to create a framework that organizations can adapt to their specific needs and responsibilities.
In drafting the text, the White House has leaned heavily on the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, a document published in 2014 to help U.S. operators of key resources protect them from cyberattack. Like the NIST framework, the PMI security framework is organized around the same five core functions: identify, protect, detect, respond and recover. The White House wants contributors to the PMI to perform the activities outlined under each of these functions continuously, rather than as a one-off exercise.
Participants in the PMI are expected to have an overall risk-based security plan and a governance body that ensures it is followed and kept up to date. The White House is asking organizations to seek third-party support with this task, specifically by bringing in outside reviewers to assess the system for vulnerabilities, measure how closely staff are adhering to the plan and propose improvements. PMI participants will also face further outside scrutiny, as the White House expects them to publish a high-level overview of their security plans.
“The security framework emphasizes transparency with participants, the public and with other precision medicine organizations so that groups can learn from each other’s experiences and challenges,” government officials wrote in an introduction to the framework.
Other parts of the framework cover the access-control measures organizations can take to protect data, the continuous monitoring needed to detect unusual activity, and how to respond to and recover from security incidents.
Given the sensitivity of the data expected to be gathered under PMI, it is important that the initiative gets security and privacy right. Health data initiatives in other parts of the world, notably care.data in the United Kingdom, have been hamstrung by their failure to reassure the public that their data will be kept securely and used appropriately.