NIH takes steps to safeguard participant data for PMI national cohort
As the National Institutes of Health looks to build one of the world’s largest biomedical datasets under the Precision Medicine Initiative’s All of Us research program, NIH is grappling with how to keep the data of a million or more Americans private and secure.
“Everybody’s worried about (privacy), and we are as well,” Francis Collins, MD, director of NIH, testified on Thursday before a House subcommittee. “This is a program that has to maintain the highest standards of privacy and security in order to be credible.”
Collins reassured lawmakers that the All of Us research program is leveraging strong encryption “end to end” for data that is at rest and in motion and that “all of the patient identifiers are stripped off before any of the data is actually moved into a location where researchers have access to it.”
While de-identification—the removal of identifying information (such as name, date of birth, address, Social Security number and more) from the dataset—is a technical control that the research program is implementing to help protect the privacy of participants, NIH acknowledges that no de-identification process guarantees that individuals can never be re-identified.
Although unauthorized re-identification of participants will be expressly prohibited, NIH has nonetheless set penalties for re-identifying participant data. And the agency contends it is not relying solely on de-identification as a privacy protecting technique or security control.
According to Collins, NIH has conducted a series of penetration tests and hackathons to find any potential weak spots when it comes to data security. “So far, it’s looking really good. But, we are not going to do the full launch until we are absolutely convinced that all of those parameters have been taken care of,” he said.
Currently, the All of Us program is in the beta phase and has enrolled about 9,500 individuals, with a national rollout slated for the spring of 2018.
Prior to the launch of the program, NIH contends that it will ensure that all systems meet the requirements of the Federal Information Security Management Act (FISMA)—which defines a comprehensive framework to protect against natural or man-made threats—and after launch the agency says it will continue to perform rigorous security testing to protect participant data.
Ultimately, the All of Us research program will enroll one million or more Americans “from every walk of life,” added Collins. “These volunteers will contribute their health data in many ways, over many years, to create a research resource that will catalyze a new era of precision medicine.”
In addition to providing blood and urine samples as well as access to electronic health records, information will be collected from participants in the program through physical measurements, surveys, as well as mobile technology.
NIH recently announced a new pilot with Fitbit slated to begin in mid-2018 that will help the All of Us research program learn about the use of wearables in sharing participants’ health data. The wearable technology will be used to gather patient information augmenting other data gathered for the national cohort.
“Over time, one of our big challenges is to figure out how do we leverage the devices that many potential participants already have,” said Eric Dishman, director of the All of Us research program. “The diversity of data types is key to this program, not only just electronic health record data—and de-identifying that—or environmental data, but also these kinds of technologies that are increasingly in our everyday lives.”