Written by HITRUST Independent Security Journalist Sean Martin.
In May 2016, the White House released an important document, “Precision Medicine Initiative: Data Security Policy (DSP) Principles and Framework.” The White House DSP document lays out the key principles needed for secure PMI, defined in five important steps:
- Identify the risks
- Protect the systems and data
- Detect threat and attack incidents
- Respond to a detected incident
- Recover from the incident
If you are not familiar with the term Precision Medicine, it builds on the Personalized Medicine concept, taking into account treating patients at the molecular and genomic level. The Precision Medicine Initiative was launched by President Obama in January 2015 to help enable a new era of medicine, where healthcare providers can closely tailor treatments to their patients’ exact needs.
The nine-page White House document does an excellent job of explaining and defining how to provide security in the Precision Medicine era — but is not sufficiently detailed to advise healthcare organizations on how to integrate protections into healthcare and public health (HPH) information privacy and security frameworks.
That’s where HITRUST comes in, with the newly released guide, “Implementing Cybersecurity in Precision Medicine: Using HPH Sector Guidance and the HITRUST CSF to Address the PMI Data Security Policy Principles and Framework.”
There’s a lot of information in the HITRUST document, and we recommend that you download, review and distribute it around your organization. In this post, however, we will quickly share eight Precision Medicine principles in the White House guidance:
- Strive to build a system that participants trust. This means having a “participant first” orientation when identifying and addressing data security risks. The HITRUST CSF-based approach to cybersecurity helps ensure PMI organizations fully address the HIPAA Privacy and Security Rules’ standards and implementation specifications, including the risk analysis and flexibility of approach provisions.
- Recognize that security, medicine and technology are evolving quickly. Continuous monitoring and risk management program evaluation and updates are central tenets of the HITRUST approach to cybersecurity.
- Seek to preserve data integrity, so that participants, physicians, and researchers can depend on the data. HITRUST addresses input, processing and output integrity as well as requirements for correction of records under the HIPAA Privacy Rule via implementation of the HITRUST CSF privacy practices control category.
- Identify key risks, and develop evaluation and management plans that address those risks, while enabling science and research to advance. HITRUST provides a risk-based approach to information protection based on business needs, including clinical and research requirements.
- Provide participants and other relevant parties with clear expectations and transparent security processes. The HITRUST approach to cybersecurity strongly promotes an open and transparent assurance process for evaluating and reporting risk to internal and external stakeholders.
- Use security practices and controls to protect data, but not as a reason to deny a participant access to his or her data, or as an excuse to limit appropriate research uses of the data. HITRUST provides organizations with a flexible approach when implementing its risk management program in order to accommodate appropriate uses of ePHI (electronic protected health information), including PMI data; however, the guide also requires organizations to provide a minimum expected level of due diligence and due care for the protection of patient/participant information.
- Act responsibly. Seek to minimize exposure of participant data, and to keep participants and researchers aware of breaches in order to maintain trust over time. The HITRUST CSF-based approach to cybersecurity promotes the concept of minimal necessary use and addresses both HIPAA and state-level breach notification requirements. HITRUST CSF privacy practices also require organizations to adhere to HIPAA Privacy Rule requirements around notification, consent, and acceptable use of patient/provider information.
- Share experiences and challenges so that organizations can learn from each other. HITRUST encourages participation in external forums as well as the sharing of threat information, e.g., through the use of an Information Sharing and Analysis Organization (ISAO) and participation in incident response exercises with other organizations via its proposed cybersecurity readiness maturity model. HITRUST also provides operational support through its federally recognized ISAO, including the sharing of threat information via Cyber Threat XChange (CTX) and participation in local, regional and national-level CyberRX exercises.
Those are all excellent recommendations. Still, it’s important to note that the White House DSP document, in terms of its content, terminology and structure, does not exactly match, nor address every aspect of, the NIST Cybersecurity Framework (CsF). By contrast, the HITRUST CSF and the HITRUST Healthcare Cybersecurity Framework Implementation Guide address the NIST CsF guidance in significant detail.
To help you understand the White House guidance and relate it to the HITRUST CSF (and to the NIST CsF), the new HITRUST Implementing Cybersecurity in Precision Medicine guide addresses each of the PMI DSP Framework recommendations in the context of the HITRUST CSF and its overall approach to cybersecurity. Consult all of these documents and resources when planning your PMI cybersecurity strategy and policies. We trust you will find them useful.