Analysis: HHS Precision Medicine Security FrameworkIs It Enough to Safeguard Sensitive Patient Data?
Federal regulators have released a new framework of data security principles to guide healthcare organizations and researchers participating in the Obama administration's Precision Medicine Initiative.
See Also: Threat Intelligence - Hype or Hope?
Some data security experts say the framework - while not perfect - is an important step in addressing a variety of evolving privacy and security concerns related to the protection of sensitive patient information that's central to the precision medicine initiative, which aims to enroll 1 million volunteers to share their health data and provide a biospecimen for genetic testing.
In a statement, the Department of Health and Human Services says the new framework, which is based on the National Institute of Standards and Technology's cybersecurity framework, is "designed to be adaptable and responsive to the needs of multiple participating PMI groups, providing a broad framework for protecting participants' data."
The precision medicine framework was developed through interagency collaboration among various HHS units, as well as the Federal Trade Commission, Veterans Administration, other government agencies and security experts.
The Obama administration launched its Precision Medicine Initiative in January "to enable a new era of medicine - where doctors and clinicians are empowered to tailor their treatments to their patients' needs, and patients can get individualized care." Precision medicine, which is also sometimes referred to as "personalized medicine," aims to take advantage of advances in medical research, taking into account an individual's health history, genetics, environment and lifestyle, to better hone treatment.
While precision medicine holds the promise of advancing medical research and treatments, it also presents fresh privacy and security concerns for sensitive patient data. "The sheer number of disparate types of activities [and] who will be involved and using this information and coming up with a security structure that works for all of them" will be a challenge, says Mac McMillan, CEO of the security consulting firm CynergisTek.
Yet, McMillan is hopeful that the new framework is headed in the right direction to address some of the concerns. "It's a good start, and its focus is on target."
Protection of data that's collected, stored, used and shared as part of the Precision Medicine Initiative is critical, says healthcare attorney Betsy Hodge of the law firm Akerman LLP. "The goals of the Precision Medicine Initiative are commendable and offer hope to so many," she says. "But collecting very sensitive data, including genomic and bio-specimen data, from 1 million people presents a very attractive target to bad actors. There is also the possibility that the PMI could also acquire data from smartphones and wearable devices, including location, movement and social connections."
Also, because of the genomic data collected, not only are the individuals who submit their health information at risk for having their sensitive health information breached, but so are their family members, and potentially their social connections, she adds. "Anytime you allow more people to access data, you increase the risk that the data could intentionally or unintentionally be compromised. Not all stakeholders who could access PMI data may have the same knowledge and resources to protect PMI data."
New Guidance Coming
For its part, HHS appears to be acknowledging the potential risks. "The types, breadth and sensitivity of the personal health, genetic and environmental information that may be part of a precision medicine-type activity warrants careful attention and protection," HHS says in its statement. "Therefore, the security framework establishes security expectations for organizations who participate in PMI and provides a risk management approach to achieving those principles. To ensure that we are leading by example, federal PMI agencies have committed to integrate the framework throughout all PMI activities."
In addition to the newly released PMI framework, HHS and NIST will also release a precision medicine-specific guide to the NIST Cybersecurity Framework by December 2016, HHS says.
"I hope they think about the PMI organization first and develop something that is more instructive with respect to what is minimally acceptable," McMillan says of that upcoming guidance. "This is one of the biggest complaints about HIPAA - it's just too vague."
Indeed, some critics say HIPAA is lacking clarity regarding the privacy and security of genetic data.
On May 19, the American Civil Liberties Union filed a complaint with HHS against lab testing firm Myriad Genetics for its alleged refusal to provide patients with their own genetic information.
Among other claims, the complaint alleges that Myriad refuses to acknowledge that genetic data is part of the "designated record set" under HIPAA, and that all genetic testing labs are required to provide the data when a patient requests it.
In light of the ACLU's statements, Myriad finally agreed to "voluntarily" release genetic information to patients involved with the ACLU complaint, the civil liberties group says. But Myriad stated in a letter to ACLU that it did not rescind its previous statement that it did not consider the information part of the "designated record set."
Privacy attorney Kirk Nahra of the law firm Wiley Rein says the HIPAA Privacy Rule "access" provision "gives individuals a right to a copy of their 'designated record set,' which is a HIPAA term that encompasses medical records."
Some security experts say the disclosure and release of genetic data to patients - including data slated for use in medical research - also poses other potential concerns.
"I would think for liability reasons a covered entity may want to withhold the release of genetic information. What if the tests are wrong? Genetics is not a perfect science," says Tom Walsh, founder of consultancy tw-Security. "What if I get the wrong patient's data and then made life-based decisions on the results? There needs to be a formal procedure for the release of any genetic information, much like that of any patient information."
The new 10-page framework document notes that "overarching principles are intended to guide organizations in developing and implementing an appropriate security plan." At a minimum, PMI organizations should:
- Strive to build a system that participants trust.
- Recognize that security, medicine and technology are evolving quickly. As a result, organizations should treat security as a core element of the organization's culture and ensure that security processes and controls are adaptable and updatable.
- Seek to preserve data integrity, so that participants, researchers, physicians and other healthcare providers can depend on the data.
- Identify key risks and develop evaluation and management plans that address those risks.
- Provide participants and other relevant parties with clear expectations and transparent security processes.
- Use security practices and controls to protect data, but not as a reason to deny a participant access to their data or as an excuse to limit appropriate research uses of the data.
- Seek to minimize exposure of participant data and to make participants and researchers aware of breaches in order to maintain trust.
"On the one hand, these principles are a strong overall set of data security principles that will effectively protect data in this context," Nahra says. "On the other hand, I'm not sure why they felt the need to have to reinvent the wheel so much, given the existing HIPAA security framework that could easily have been adapted here."
Nahra adds that he's concerned about the "Utopian approach" that is being taken with the framework principles. "I am not sure these will transfer to less glamourous or more routine [healthcare] situations, and I am a bit worried that there will be an effort to expand the reach of these principles beyond where they make sense."
Hodge argues that the security framework "reads more as aspirational goals than concrete requirements. For example, the security framework does not provide an in-depth discussion of maintaining the confidentiality, integrity, and availability of data that is collected by the Initiative. Also, the security framework does not provide guidance on physical security of PMI data. In fact, the security framework specifically says that physical security requirements are beyond the scope of the document."
Given the number of data points and the type of data that the PMI will collect, it may be necessary to rethink what it means to de-identify individually identifiable data, Hodge adds. "It would be helpful if the framework included a rigorous process for de-identifying PMI data," she says.