White House Releases Data Security Policy Principles for PMI Organizations

Healthcare initiatives that gather data are on the rise. Healthcare data breaches are on the rise. We are at a crucial moment in time for healthcare data.

With the high value of healthcare data and large stores of electronic health records, healthcare organizations face a rising tide of constantly evolving threats across a highly complicated healthcare network, while an increasingly mobile workforce contributes to a growing attack surface. The Ponemon report last month indicates that 90% of healthcare organizations experienced a data breach in the past 2 years with a cost of $6.2 billion in 2015 alone. The latest figures from ITRC indicate that healthcare data breaches continue to rise, up an additional 18% over 2015 figures.

The Precision Medicine Initiative (PMI) is one example of healthcare data gathering with the intent to support research initiatives that improve health and treat disease through precision medicine, an approach that tailors medicine to the individual, rather than the average. Data is at the heart of creating this individualized care. Genome sequences, microbiome composition, health history, lifestyle and many more forms of data will be added to health records by healthcare providers and patients themselves. There are already 40 major commitments from the private sector, including electronic health record firms, to advance precision medicine.

As the PMI website notes, “Success will require that health data is portable, that it can be easily shared between providers, researchers, and most importantly, patients and research participants.” The PMI will create greater stores of healthcare data, with a focus on data mobility, in a time when healthcare organizations have a very poor record for protecting healthcare data.

Recognizing the need for greater data security, the White House recently released a final data policy framework for the security expectations of the new Precision Medicine Initiative, building on the National Institute of Standards and Technology (NIST) cybersecurity framework. The principles of the guide state that, at minimum, PMI organizations should:

  • Strive to build a system that participants trust
  • Ensure that security is a core element of the organization’s culture and services, and that such processes and controls are adaptable to changing risks
  • Preserve data integrity
  • Create clear expectations and security processes
  • Have security practices and controls that protect data but do not hinder appropriate access or use
  • Minimize exposure of data, but keep researchers and participants aware of breaches
  • Maintain an open dialogue on data risks and challenges, to foster learning among PMI organizations

The PMI policy framework includes details on how to achieve these principles through a data security policy framework based on the NIST Framework, including the need for a risk-based security plan, appropriate protection measures (access controls, awareness and training, basic data security precautions such as encryption and patching), adequate detection capabilities (visibility to audit events, but also continuous detection processes for network and endpoint), and response & recovery capabilities.

When data portability sits at the core of healthcare initiatives such as PMI, only Absolute can provide a persistent connection to all of the devices, and the data they contain, in order to secure endpoints, assess risk, and respond appropriately to security incidents. Absolute DDS for Healthcare provides valuable insight into all of your endpoints and the data they contain, so you can have accurate information on your fleet of devices, as well as the information they contain, with alerts for events and activities that could be precursors to a security incident. With Absolute DDS, you can help shine a light on dark data on the endpoint, helping you address the ever-prevalent insider threat, prevent or respond to data breaches, and prove compliance. Learn more at Absolute.com

ABOUT THE AUTHOR

Arieanna Schweber

Arieanna Schweber has been a part of the Absolute writing team since 2007. Arieanna was Canada’s first female professional blogger, has been professionally blogging since 2006, and has spoken at leading blogging conferences including BlogHer and Northern Voice. Arieanna has a joint degree in Business and Communications from Simon Fraser University and continues to build communities for Vancouver-based clients.