In-brief: The White House released new guidelines to help healthcare organizations secure data used in its so-called “Precision Medicine Initiative” (or PMI), advising healthcare providers to take a risk-based approach to securing data, while being careful not to poison the well of patient trust.
The PMI is an effort to spur next-generation medical treatment that leverages data from electronic health records and other sources, and uses technology to tailor care to the needs of individuals. The new guidelines were published last week on the White House web site and track closely to guidance from the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the White House noted.
Under PMI, hospitals and other facilities are encouraged to embrace new technologies, including electronic health records, to provide more powerful and tailored services to patients.
But greater use of electronic health information demands greater security, the White House notes. PMI might include everything from a patient’s clinical history to insurance information to data and metadata associated with biospecimens.
The White House is encouraging healthcare organizations to take a “participant first” approach to security and to make cyber security “a core element of the organization’s culture and services,” according to a copy of the framework published on the whitehouse.gov web site.
“Our greatest asset in PMI is the data that participants contribute, and we want to make sure participants know that their data is protected,” the White House said in a statement. “The Security Framework we are releasing today builds on the existing PMI Privacy and Trust Principles and ensures we put the security of participants’ information first.”
Organizations need to identify critical data and systems, take steps to secure them, and monitor them over the long term. The healthcare organization should be transparent about its data protection policies and not use security as an excuse to deny patients access to their own data, the guidelines say.
The Obama Administration leaned heavily on established cyber security practices developed by NIST for securing critical infrastructure and published in 2014 (PDF). Specifically, the NIST standards define a set of functions (Identify, Protect, Detect, Respond, and Recover) used to assess cybersecurity and data security performance, as well as physical and environmental controls. The PMI guidelines adopt the same approach.
Healthcare organizations also need to make sure that data they use for analysis is anonymized and that patients cannot be re-identified from a dataset.