How to Manage Privacy and Security Risks for Personalized Medicine

Personalized medicine, or tailoring medicine to individuals based on genetic and other information, promises major benefits to improve the quality of healthcare. This key trend is also sure to accelerate in the next few years to a major change driver as DNA sequencing becomes more affordable and algorithms to derive meaning from this data become more powerful. Many new types of sensitive data and intellectual property are used through the personalized medicine information lifecycle from collection, to use, retention, disclosure and disposal.

HIPAA, HITECH Act, GINA, and state level regulations such as CA SB 1386 regarding healthcare / genetic information and breach notification present a complex legal and regulatory compliance landscape. Privacy and security concerns about regulatory compliance, breaches and theft of IP abound, and often impede realization of the full benefits of personalized medicine. Advancing the science of personalized medicine requires vast databases of sensitive healthcare and genetic information, and access for research.

De-identification, for example based on the HIPAA 18 identifiers commonly found in protected health information, is often applied to enable research and help mitigate privacy and security concerns and risks. However, there have been several successful high profile re-identification attempts that have correlated de-identified data with the correct patients.

Clearly, even with de-identification, there is residual risk. Compounding this, genetic information is far from fully understood, and the genetic “dark regions” we don’t yet fully understand, may well hold information that increases re-identification risks.

In my next few blogs, I’ll apply best practices in healthcare privacy and security to take an objective approach to assess risks, apply safeguards using a multi-layered approach to effectively reduce residual risk to acceptable levels. I’ll look at various types of sensitive data used through the personalized medicine information lifecycle from collection, to use, retention, disclosure and disposal, assessing risks to confidentiality, integrity and availability of the data.

I’ll also look at recent healthcare security research underscoring the importance of usability of solutions and security, how a lack of usability can adversely impact compliance and risk, and practical strategies to implement strong and usable security. Hardware based security is enabling stronger and more usable security controls that can be used as part of a holistic multi-layered approach to effectively mitigate risks in personalized medicine, enabling benefits to be fully realized sans privacy and security incidents such as breaches.

What approach are you using to manage privacy and security risks and enable personalized medicine in your organization?