Achieving the Principles through a Precision Medicine Initiative Data Security Policy Framework

*The All of Us Research Program was created as part of the Precision Medicine Initiative (PMI). To learn more about how the All of Us Research Program is rooted in precision medicine, see our Program Overview.

There are a number of frameworks that PMI organizations may use to organize their data security programs. This section is based on a framework developed by the National Institute for Standards and Technology (NIST). The NIST Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, defines a set of activities, outcomes, and references that, when followed, enable five simultaneous and continuous functions—Identify, Protect, Detect, Respond, and Recover—to assess cybersecurity and data security performance, as well as physical and environmental controls¹. Organizations should select the security framework that adequately addresses the security risks they face and is consistent with the PMI Data Security Policy Principles and Framework.

Additional Conditions for Awardees with Significant Security Responsibilities

1. Overall Security Plan. PMI organizations should develop a comprehensive risk-based security plan that outlines roles and responsibilities related to security, consistent with the principles and framework outlined here. The security plan should identify the governance body for the organization’s security program. The governance body will ensure that those who use or manage PMI data adhere to the security plan.⁶ The security plan should be reviewed by the governance body and updated periodically to incorporate evolving standards and best practices. The plan should describe its approach for:

  • Complying with applicable laws and regulations, and other organization-specific security policies and standards;

  • Designating and maintaining an appropriately resourced and technically experienced information security team;

  • Identifying, assessing, and responding to vulnerabilities and threats;

  • Conducting continuous monitoring;

  • Responding to security incidents and breaches;

  • Ensuring the physical security of areas where PMI data is located, and ensuring that appropriate administrative and technical controls are in place to safeguard the data; and

  • Ensuring participants, researchers, vendors, contractors, and technical staff are aware of their security responsibilities.

2. Risk-Based Approach. PMI organizations should use risk-management strategies, tools, and techniques to inform and prioritize decisions regarding the protection of PMI data, including data in electronic and physical resources within their environment as well as at the point of initial collection. When planning protection of PMI data, the form of the data should be considered (e.g., raw, aggregate, the product of a mathematical or statistical process or an analysis report, as well as whether the data are electronic or paper-based).

3. Independent Third-Party Review. PMI organizations should have an independent review of their security plans and of the effectiveness of controls on a periodic basis. The reviewer, at a minimum, should perform: a review of the organization’s adherence to its security plan; regular vulnerability assessments (e.g., network scans, penetration testing, and assessments to protect against social engineering attacks); and evaluation and adjustment of the security program in light of vulnerability assessments and evolving circumstances.²

4. Transparency. A high-level overview of the organization’s security plan and approach should be posted publicly to help enable transparency and congruity with the goals of the Privacy and Trust Principles and this Security Framework. This high-level overview should describe the organization’s breach notification process, steps individuals should take to protect themselves, and ways that the public and users of the PMI data can easily submit information about potential vulnerabilities and bugs.

Access Control³

  1. Identity Proofing. PMI organizations should develop a policy for verifying the identity of users and contributors (e.g., participants and healthcare provider organizations), prior to granting credentials for access to or contribution of PMI data.

  2. Credentials. PMI organizations should use innovative approaches for authentication so that over time they do not rely on username and password alone, and should use strong multi-factor authentication for users of PMI data.

  3. Authentication. Risk-based authentication controls should flow from the organization’s security risk assessment, and should be commensurate with the type of data, level of sensitivity of the information, and user type.

  4. Authorization. Authorization controls should be granular enough to support participant consent and should limit access, use, or disclosure based on what is necessary to satisfy a particular purpose or carry out a function.

Awareness and Training

  1. Participant Education. PMI organizations should provide participants with security awareness materials and education on an ongoing basis. The educational materials should include discussion of how data will be used, the high-level protections that safeguard the data, and the tools available to research participants to protect their own PMI data.

  2. PMI Data User Education. PMI organizations should provide appropriate training for individuals using PMI data and infrastructure based on the individual’s role and responsibilities. This role-based training should include information on appropriate protections for PMI data and security best practices. Appropriate security certifications and continued training in information system security and privacy protection should be encouraged.

Data Security³

  1. Encryption. PMI data that is reasonably likely to identify an individual should be protected at-rest and in-motion using strong encryption. Examples of data reasonably likely to identify an individual include identifiers such as name, birth date, contact information, and Social Security Number.

  2. Encryption Key Security. PMI organizations should store encryption keys separately from encrypted data and establish policies for secure encryption key creation, distribution, access, and revocation.

  3. Physical Security. PMI data should be protected by physical security controls as well as cybersecurity controls.

  4. Service Provider Security. When PMI organizations employ subcontractors, third parties, or vendors (including hosted, cloud, or application service providers) to create, receive, maintain or transmit PMI data, PMI organizations should obtain the necessary assurances that the service provider will appropriately safeguard PMI data, consistent with the organization’s security plan.

  5. Integrity Protection. PMI organizations should implement integrity protection controls that detect when unauthorized alterations have been made to PMI data.

Information Protection and System Maintenance

  1. Life Cycle. PMI organizations should implement a system development life cycle, which ensures that appropriate safeguards for PMI data remain in place from receipt or creation through disposition.

  2. Security Patching. PMI organizations should keep systems updated with the latest security patches and should develop change control and configuration management policies to ensure that system updates are tested, reviewed, and approved prior to implementation.

  1. Audit Events. PMI organizations should define a set of system and network events that capture interactions with PMI data from networks, servers, and application infrastructure, including user access and behavior.

  2. Audit Logs. System and network events should be logged on a continuous, uninterrupted basis in a manner that protects against tampering and provides sufficient detail to identify: the type of action performed on PMI data, the unique identity of who performed the action, the date and time the action occurred, and the subset of data impacted by the action.

  3. Detection and Alerting. Continuous detection processes and alerting mechanisms should be created to ensure timely and adequate awareness of anomalous events, as well as a process to inform operational staff and stakeholders with relevant situational details.

  4. Threat Information Sharing. PMI organizations should participate in relevant threat information sharing forums.⁴ PMI organizations should also follow existing best practices to provide ways for participants and non-affiliated individuals and entities to report potential vulnerabilities or threats, and respond to reports appropriately.

  5. Anomaly Reporting. PMI organizations should make reports of security anomalies, alerts, reports, or other relevant events available to the organization’s governance boards, and should also provide remediation plans to prevent similar vulnerabilities from occurring in the future.

  1. Incident Response. Not all security incidents result in a breach. PMI organizations should develop a plan to respond to and contain security incidents. This plan should include a process to identify quickly and effectively whether an incident has led to a breach of PMI data. Organizations should coordinate response activities with internal and external parties, as appropriate (e.g., law enforcement, Internet Service Providers, Information Sharing and Analysis Organizations, Information Sharing and Analysis Centers, and vendors).

  2. Incident Response Testing. PMI organizations should regularly test incident response plans to ensure the highest level of proficiency.

  3. Affected Individual Notification. When a PMI organization has determined that a security incident has resulted in a breach of PMI data, the organization should notify the affected individuals and appropriate organizations in accordance with applicable breach notification laws, the Privacy and Trust Principles, and the organization’s security plan.⁵

  4. Accountable Point of Contact. PMI organizations should identify an accountable point of contact who will coordinate with appropriate organizations and affected individuals throughout the incident response process. The contact should have the authority to direct actions required in all phases of the incident response.

  1. Incident and Breach Recovery Plan. PMI organizations should establish, maintain, and implement plans for emergency response, backup operations, and post-incident recovery for PMI data. These plans should address how the PMI organization will stabilize after the incident and restore basic services.

  2. Communication. As an integral part of the recovery plan, PMI organizations should communicate to stakeholders when a safe and secure environment has been restored.

  3. Lessons Learned. After recovery from a security incident or breach, PMI organizations should identify lessons learned, including conducting root cause analysis, to identify areas needing improvement, and update security plans based on those lessons learned. Lessons learned should be reported to the organization’s governance board, and information that may be helpful to other PMI organizations should be shared with the PMI community as appropriate.

1. NIST Framework for Improving Critical Infrastructure Cybersecurity.
2. Please also see governance principles outlined in the White House Precision Medicine Privacy and Trust Principles.
3. Please see the Data Sharing, Access, and Use principles outlined in the Precision Medicine Privacy and Trust Principles, which provide for multiple tiers of data access to PMI data – from open to controlled – based on data type, data use, and user qualifications.
4. This sharing should be conducted through existing information sharing and analysis organizations including information sharing and analysis centers; through the creation of new organizations focused on the specific circumstances of PMI organizations; bilaterally with other trusted organizations, and with the Federal government, including through the National Cybersecurity and Communications Integration Center; and the Department of Health and Human Services.
5. As stated in the Privacy and Trust Principles, “Participants should be notified promptly following discovery of a breach of their personal information. Notification should include, to the extent possible, a description of the types of information involved in the breach; steps individuals should take to protect themselves from potential harm, if any; and steps being taken to investigate the breach, mitigate losses, and protect against further breaches.”

Last Reviewed: January 26, 2022