How to Securely Share Data for Personalized Medicine

Many of the benefits of personalized medicine depend on sharing genetic and other healthcare information. For example, deriving meaning from healthcare data, and genetic data in particular, requires sharing sensitive information for research, often conducted by third-party organizations separate from the covered entity or other organization that originally collects the genetic data. Collaborative care for patients, involving a primary care physician as well as multiple specialists, requires sharing sensitive healthcare information. Healthcare organizations may also be motivated to derive revenue from massive databases of such information by de-identifying / anonymizing it and then sharing it, in compliance with applicable healthcare regulations and data protection laws such as the HIPAA Privacy Rule.

Healthcare breaches have reached alarming levels, both in frequency, as evidenced by the HHS list of Breaches Affecting 500 or More Individuals, and in business impact, as evidenced by the Ponemon 2013 research on the Cost of a Data Breach, which shows an average total cost per breach event of $5.4 million in the U.S. in 2012. Many of these breaches occur with healthcare data in transit, or where healthcare data is shared with third parties, often known as Data Processors in the EU or Business Associates in the U.S. These business impacts have "naturally selected" a proactive approach (in contrast to a "wait and see" approach) as the only practical approach to privacy and security for safely sharing sensitive healthcare data.

Best practices in a proactive approach include holistic security, which involves applying administrative, physical and technical safeguards, as well as multi-layered security, also known as defense in depth, where multiple security controls are applied together in layers to progressively minimize risk. Administrative controls in such an approach include a privacy notice to patients that enables them to be fully aware of the benefits and risks, including specifically what sensitive healthcare information is collected and how it will be used, retained, shared and disposed of. This enables patients to make informed choices such as opt-in or opt-out, and enables them to provide their consent. Another key risk mitigation in this approach is the minimization of sensitive information based on the type(s) of processing stated in the privacy notice to the patient. Minimization means that the healthcare organization collecting the sensitive healthcare information for personalized medicine reduces the Personally Identifiable Information (PII) in that information before sharing it with a third party. For example, if a research use case doesn't require any PII, the healthcare organization should fully de-identify, i.e. remove PII from, the genetic / healthcare information before sharing it with that third party.

HIPAA, for example, provides guidance on the specific PII elements that must be removed for safe harbor de-identification. Such de-identified information has a low, although not zero, risk of re-identification of the patient. Further, some use cases require either full PII or partial PII. Therefore it is highly recommended to supplement de-identification with other safeguards, including tokenization, where any residual PII is stored separately in a secure database with access controls ensuring only authorized access. Encryption is a key safeguard to protect the confidentiality of information being shared or in transit. Hardware-assisted security, such as encryption acceleration, enables encryption of large genetic data sets in transit with high performance.
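The minimization and tokenization steps described in the two paragraphs above, as an added example that is not part of the original post: direct identifiers are dropped or replaced by opaque tokens whose mapping lives only in a separate vault, while dates, ages and ZIP codes are generalized in the safe-harbor style (year only; ages over 89 collapsed to "90+"; ZIP reduced to its first three digits, or "000" for low-population prefixes). The field names, the `RESTRICTED_ZIP3` set and the sample record are all constructed for illustration; the full list of HIPAA identifiers and the real low-population ZIP prefixes must come from the regulation and census data.

```python
import secrets

# Constructed illustration of safe-harbor style minimization plus tokenization.
# These field names and the restricted ZIP prefixes are assumptions, not the
# authoritative HIPAA list; consult the rule and census data for production use.
DIRECT_IDENTIFIERS = ("name", "ssn", "mrn", "phone", "email")
RESTRICTED_ZIP3 = {"036", "059"}  # constructed placeholder set


class TokenVault:
    """Separate, access-controlled store for residual PII, keyed by random tokens.

    The de-identified record only ever carries the token; re-identification
    requires authorized access to this vault, which would be a distinct
    database with its own controls and audit trail in a real deployment."""

    def __init__(self):
        self._store = {}

    def tokenize(self, field_name, value):
        token = "tok_" + secrets.token_hex(8)  # unguessable, not derived from PII
        self._store[token] = (field_name, value)
        return token

    def detokenize(self, token):
        return self._store[token][1]


def deidentify(record, vault, as_of_year, tokenize_fields=()):
    """Return a new record with direct identifiers removed or tokenized and
    quasi-identifiers generalized. Age is approximated by year difference."""
    out = {}
    age = as_of_year - int(record["dob"][:4]) if "dob" in record else None
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            if key in tokenize_fields:          # use case needs partial PII
                out[key] = vault.tokenize(key, value)
            # otherwise the identifier is dropped entirely
        elif key == "dob":
            if age <= 89:                       # year alone is permitted
                out["birth_year"] = value[:4]
            # for ages over 89 even the birth year is suppressed
        elif key == "zip":
            zip3 = value[:3]
            out["zip3"] = "000" if zip3 in RESTRICTED_ZIP3 else zip3
        else:
            out[key] = value                    # clinical/genetic payload kept
    if age is not None:
        out["age"] = "90+" if age > 89 else age
    return out
```

A research recipient then receives only `deidentify(...)`'s output, while the vault stays with the data-sourcing organization for any use case that later needs partial PII.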

Last, but not least, appropriate access controls should be used to ensure only authorized access to sensitive healthcare information that is shared, with appropriate auditing to ensure compliance with policies. The healthcare organization collecting the sensitive healthcare information should also vet the privacy and security of the target organization(s) with which it shares, to ensure adequate protection. Contractual controls are needed between the healthcare organization sourcing the sensitive healthcare information and the target third party with which the information will be shared. Key elements of these contractual controls include service level agreements (SLAs), business associate agreements (BAAs) and security incident response plans (SIRPs), in particular to outline procedures for timely response and collaboration in the event of security incidents such as breaches.

What kinds of strategies are you using to safely share sensitive data for personalized medicine?