In March 2015, the White House called together leading experts and interested stakeholders in both the public and private sectors to develop a set of privacy and trust principles for users of Precision Medicine Initiative (PMI) data. The Precision Medicine Initiative: Privacy and Trust Principles, published in November 2015, provide broad guidance for governance; transparency; participant empowerment; respect for participant preferences; data sharing, access and use; and data quality and integrity. However, security is an essential component of privacy, and the White House quickly built upon the privacy and trust principles and published the Precision Medicine Initiative: Data Security Policy Principles and Framework on May 25, 2016 to guide decision making by organizations conducting or participating in precision medicine activities.
A section of helpful links with further information is provided at the bottom of this news alert.
The PMI DSP principles are consistent with the preceding privacy and trust principles, and the security framework leverages existing NIST guidance for implementing cybersecurity. The guidance instructs PMI organizations, such as covered entities or business associates that are required to be compliant with the HIPAA Security and Privacy Rules, to select the security framework that adequately addresses the security risks they face while remaining consistent with PMI DSP Principles and Framework. It also mandates that PMI organizations comply with all applicable laws and regulations governing privacy, security, and the protection of PMI data at every stage of data collection, storage, analysis, maintenance, use, disclosure, exchange, and dissemination.
The HITRUST white paper provides additional guidance and streamlines the process of implementing and assuring compliance with the PMI DSP Principles and Framework. It leverages the HITRUST Risk Management Framework (RMF) and existing critical infrastructure sector guidance for the implementation of the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, commonly referred to as the NIST Cybersecurity Framework (CsF), in the healthcare industry, specifically the Healthcare Sector Cybersecurity Framework Implementation Guide.
The white paper clearly outlines how PMI organizations can effectively and efficiently implement the PMI DSP Framework requirements through the HITRUST Risk Management Framework (RMF) and healthcare’s model implementation of the NIST CsF, including potential benefits to healthcare and public health (HPH) sector organizations. Additionally, it shows how the HITRUST CSF v8 release of 2016 fully addresses the recommendations of the President’s PMI DSP Principles and Framework.
HITRUST is continuously committed to providing the Healthcare industry with efficient ways to manage the many diverse information protection regulations requirements it faces using one comprehensive framework. To further this commitment, HITRUST has made available an instructive white paper entitled Guidance on Implementing Cybersecurity in Precision Medicine.
Helpful Links
- Guidance on Implementing Cybersecurity in Precision Medicine
- Healthcare Sector Cybersecurity Framework Implementation Guide
- NIST Framework for Improving Critical Infrastructure Cybersecurity
- Precision Medicine Initiative: Privacy and Trust Principles
- Precision Medicine Initiative: Data Security Policy Principles and Framework