The Precision Medicine Initiative
“Doctors have always recognized that every patient is unique, and doctors have always tried to tailor their treatments as best they can to individuals. You can match a blood transfusion to a blood type — that was an important discovery. What if matching a cancer cure to our genetic code was just as easy, just as standard? What if figuring out the right dose of medicine was as simple as taking our temperature?”
- President Obama, January 30, 2015
So what is Precision Medicine?
President Obama participates in a panel discussion moderated by Dr. James Hamblin of The Atlantic on the importance of PMI at the White House, February 25, 2016.
It's health care tailored to you.
In his 2015 State of the Union address, President Obama announced that he's launching the Precision Medicine Initiative — a bold new research effort to revolutionize how we improve health and treat disease.
Until now, most medical treatments have been designed for the “average patient.” As a result of this “one-size-fits-all” approach, treatments can be very successful for some patients but not for others. Precision Medicine, on the other hand, is an innovative approach that takes into account individual differences in people’s genes, environments, and lifestyles. It gives medical professionals the resources they need to target the specific treatments of the illnesses we encounter, further develops our scientific and medical research, and keeps our families healthier.
Advances in Precision Medicine have already led to powerful new discoveries and several new treatments that are tailored to specific characteristics, such as a person’s genetic makeup, or the genetic profile of an individual’s tumor. This is helping transform the way we can treat diseases such as cancer: Patients with breast, lung, and colorectal cancers, as well as melanomas and leukemias, for instance, routinely undergo molecular testing as part of patient care, enabling physicians to select treatments that improve chances of survival and reduce exposure to adverse effects.
And we’re committed to protecting your privacy every step of the way. The White House is working with the Department of Health and Human Services and other federal agencies to solicit input from patient groups, bioethicists, privacy and civil liberties advocates, technologists, and other experts, to help identify and address any legal and technical issues related to the privacy and security of data in the context of Precision Medicine.
What is the Precision Medicine Initiative?
To enable a new era of medicine through research, technology, and policies that empower patients, researchers, and providers to work together toward development of individualized care.
The future of precision medicine will enable health care providers to tailor treatment and prevention strategies to people’s unique characteristics, including their genome sequence, microbiome composition, health history, lifestyle, and diet. To get there, we need to incorporate many different types of data, from metabolomics (the chemicals in the body at a certain point in time), the microbiome (the collection of microorganisms in or on the body), and data about the patient collected by health care providers and the patients themselves. Success will require that health data is portable, that it can be easily shared between providers, researchers, and most importantly, patients and research participants.
Agencies across the Federal government are doing important work to support the President’s vision. This is an “all of government” effort, leveraging the unique expertise and history of each agency to carry forward the President’s vision of individualized treatments for every American. Here’s how each participating agency is moving ahead to implement PMI:
Department of Health and Human Services (HHS)
- NIH is building the Precision Medicine Initiative (PMI) Cohort Program, with the goal of collecting data from one million or more U.S. volunteers who are engaged as partners in a longitudinal, long-term effort to transform our understanding of health and disease.
- NCI, a second PMI effort housed in the NIH National Cancer Institute, seeks to expand cancer precision medicine clinical trials, examine mechanisms of drug resistance in cancer patients, develop new cancer pre-clinical models, and establish a national cancer knowledge system.
- FDA is developing new regulatory approaches for evaluating next-generation genomic sequencing technologies. In addition, the agency launched precisionFDA in December 2015, a crowd-sourced, cloud-based platform where the community can test, develop, and validate Next Generation Sequencing software and methods.
- ONC is accelerating opportunities for innovative collaboration around pilots and testing of standards that support health IT interoperability for research, encouraging adoption of policies and standards to support privacy and security, and advancing standards that support a participant-driven approach to patient data contribution.
- OCR is developing regulatory guidance and other tools to ensure that individuals and HIPAA covered entities understand the patient’s right to access their health information, enabling them to donate it for research.
Department of Veterans Affairs
VA continues to expand the Million Veteran Program through enrollment of Veteran volunteers and planned collaborations with DOD. In addition, VA has funded eight scientific projects that will utilize the MVP resource.
Department of Defense
DoD is partnering with VA to facilitate the enrollment of active duty men and women into MVP. This collaboration will enhance the quality of data available to both VA and DoD, as well as the natural progression from active duty military to veteran status.
Guiding Principles for Protecting Privacy and Building Trust
The White House is unveiling final Privacy and Trust Principles for the Precision Medicine Initiative (PMI). The principles provide broad guidance for future PMI activities regarding: governance; transparency; participant empowerment; respect for participant preferences; data sharing, access, and use; and data quality and integrity. The principles articulate a set of core values and responsible strategies for sustaining public trust and maximizing the benefits of precision medicine.
Read the summaries below or read the whole report here
Creating a dynamic and inclusive governance structure
- Governance should include substantive participant representation at all levels of program oversight, design, implementation, and evaluation.
- Governance should create and maintain active collaborations among participants, researchers, health care providers, the Federal Government, and other stakeholders.
- Governance should ensure regular assessment of policies and practices in order to maintain currency with scientific, technological, and ethics-related developments.
- In addition to complying with all applicable laws and regulations governing privacy, security, and research with humans, those who use or manage PMI data should be required to adhere to the rules developed by the established governance system in furtherance of the principles outlined here.
- Governance mechanisms should ensure accountability; responsible data management; protection against any intentional or unintentional unauthorized access, use, disclosure, or re-identification of PMI data; and proper identification, management, and mitigation of breaches.
- Communications with participants should be overseen centrally in order to ensure consistent and responsible engagement.
- Special considerations related to engaging and communicating with certain populations (e.g., children or decisionally-impaired individuals) should be addressed.
- Risks and potential benefits of research for individuals, families, and communities should be considered.
- The potential for research to lead to stigmatization or other social harms should be identified and evaluated through meaningful and ongoing engagement with the relevant stakeholders.
- Researchers and other data users should be informed of and subject to consequences for failure to adhere to all rules developed in furtherance of these principles.
Building trust and accountability through transparency
- A dynamic information-sharing process should be developed to ensure all PMI participants remain adequately informed through all stages of participation. Communications should be culturally appropriate and use languages reflective of the diversity of the participants.
- Information should be communicated to participants clearly and conspicuously concerning: how, when, and what information and specimens will be collected and stored; generally how their data will be used, accessed, and shared; types of studies for which the individual’s data may be used; the goals, potential benefits, and risks of participation, including risks of inappropriate use or compromise of the information about participants; the privacy and security measures that are in place to protect participant data, including notification plans in the event of a breach; and the participant’s ability to withdraw from the cohort at any time, with the understanding that consent for research use of data included in aggregate data sets or used in past studies and studies already begun cannot be withdrawn.
- Information should be made publicly available concerning PMI data protections and use, and compliance with governance rules.
- Participants should be notified promptly following discovery of a breach of their personal information. Notification should include, to the extent possible, a description of the types of information involved in the breach; steps individuals should take to protect themselves from potential harm, if any; and steps being taken to investigate the breach, mitigate losses, and protect against further breaches.
- All users of PMI data should be expected to publish or publicly post a summary of their research findings, regardless of the outcomes, as a condition of data use. To enrich the public data resource, mechanisms for data users to integrate their research findings back into PMI should be developed.
Respecting participant preferences
- PMI should be broadly inclusive, recruiting and engaging individuals from communities with varied preferences and risk tolerances about data collection and sharing.
- PMI should promote participant autonomy and trust through a dynamic and ongoing consent and information sharing process. This process should enable participants to engage actively in an informed and voluntary manner, and to re-evaluate their own preferences as data sharing, use requirements, and technology evolve.
- Participants should be able to withdraw their consent for future research use and data sharing at any time and for any reason, with the understanding that consent for research use of data included in aggregate data sets or used in past studies and studies already begun cannot be withdrawn.
- Participants should be provided choices about the types and frequency of communications they receive, and about the circumstances under which they would like to be re-contacted for certain purposes, such as to collect additional information or specimens for supplementary research activities.
Empowering participants through access to information
- PMI should enable participants’ access to the medical information they contribute to PMI in consumer-friendly and innovative ways.
- Educational resources should be made available to participants to assist them in understanding their health information and to empower them to make informed choices about their health and wellness.
- Innovative, responsible, and consumer-friendly ways of sharing research data with participants should be developed. This could include sharing aggregate research data, research findings, information about ongoing research studies, as well as data collected about participants.
Ensuring responsible data sharing, access, and use
- Data access, use, and sharing should be permitted for authorized purposes only. Certain activities should be expressly prohibited, including sale or use of the data for targeted advertising.
- Multiple tiers of data access—from open to controlled—based on data type, data use, and user qualifications should be employed to ensure that a broad range of interested communities can utilize data while ensuring that privacy is safeguarded and public trust is maintained.
- PMI should use privacy-preserving methods to maintain a link to participant identities in order to return appropriate information and to link participant data obtained from different sources.
- Unauthorized re-identification and re-contact of PMI participants will be expressly prohibited. Data analyses should be conducted with coded data to the extent feasible.
- Measures for protecting PMI data from disclosure in civil, criminal, administrative, legislative, or other proceedings should be explored.
Maintaining data quality and integrity
- Data quality and integrity should be maintained at all stages—collection, maintenance, use, and dissemination. Standards of accuracy, relevance, and completeness should be appropriately up-to-date.
- Participants should be able to easily report any inaccuracies in information maintained by PMI and request that such inaccuracies be addressed in PMI records.
Data Security Policy Principles and Framework
Participant-contributed data is the foundational asset of PMI, and participants deserve assurance that it is being protected. This requires not only clear privacy protections but strong and adaptable security policies and practices. Building from the existing PMI Privacy and Trust Principles, the Data Security Policy Principles and Framework offers security policy principles and a framework to guide decision-making by organizations conducting or participating in precision medicine activities. Recognizing that there is no “one size fits all” approach to managing data security, this document provides a framework for protecting participants’ data and resources in an appropriate and ethical manner that can be tailored to meet organization-specific requirements.
Read the summaries below or read the whole document here
- Strive to build a system that participants trust. This means having a “participant first” orientation when identifying and addressing data security risks. Participants are the foundational stakeholders of all research activities.
- Recognize that security, medicine, and technology are evolving quickly. As a result, organizations should treat security as a core element of the organization’s culture and services and ensure that security processes and controls are adaptable and updatable.
- Seek to preserve data integrity, so that participants, researchers, and physicians and other healthcare providers, can depend on the data.
- Identify key risks, and develop evaluation and management plans that address those risks, while still enabling science and research to advance.
- Provide participants and other relevant parties with clear expectations and transparent security processes.
- Use security practices and controls to protect data, but not as a reason to deny a participant access to his or her data, or as an excuse to limit appropriate research uses of the data.
- Act responsibly. Seek to minimize exposure of participant data, and to keep participants and researchers aware of breaches in order to maintain trust over time.
- Share experiences and challenges so that organizations can learn from each other.
- Overall Security Plan. PMI organizations should develop a comprehensive risk-based security plan that outlines roles and responsibilities related to security, consistent with the principles and framework outlined here. The security plan should identify the governance body for the organization’s security program. The governance body will ensure that those who use or manage PMI data adhere to the security plan. The security plan should be reviewed by the governance body and updated periodically to incorporate evolving standards and best practices. The plan should describe its approach for:
  - Complying with applicable laws and regulations, and other organization-specific security policies and standards;
  - Designating and maintaining an appropriately resourced and technically experienced information security team;
  - Identifying, assessing, and responding to vulnerabilities and threats;
  - Conducting continuous monitoring;
  - Responding to security incidents and breaches;
  - Ensuring the physical security of areas where PMI data is located, as well as that appropriate administrative and technical controls are in place to safeguard the data; and
  - Ensuring participants, researchers, vendors, contractors, and technical staff are aware of their security responsibilities.
- Risk-Based Approach. PMI organizations should use risk-management strategies, tools, and techniques to inform and prioritize decisions regarding the protection of PMI data, including data in electronic and physical resources within its environment as well as at the point of initial collection. When planning protection of PMI data, the form of the data should be considered (e.g., raw, aggregate, the product of a mathematical or statistical process or an analysis report, as well as whether the data are electronic or paper-based).
- Independent Third-Party Review. PMI organizations should have an independent review of their security plans and of the effectiveness of controls on a periodic basis. The reviewer, at a minimum, should perform: a review of the organization’s adherence to its security plan; regular vulnerability assessments (e.g., network scans, penetration testing, and assessments to protect against social engineering attacks); and evaluation and adjustment of the security program in light of vulnerability assessments and evolving circumstances.
- Transparency. A high-level overview of the organization’s security plan and approach should be posted publicly to help enable transparency and congruity with the goals of the Privacy and Trust Principles and this Security Framework. This high-level overview should describe the organization’s breach notification process, steps individuals should take to protect themselves, and ways that the public and users of the PMI data can easily submit information about potential vulnerabilities and bugs.
- Identity Proofing. PMI organizations should develop a policy for verifying the identity of users and contributors (e.g., participants and healthcare provider organizations), prior to granting credentials for access to or contribution of PMI data.
- Credentials. PMI organizations should use innovative approaches for authentication so that over time they do not rely on username and password alone, and should use strong multi-factor authentication for users of PMI data.
- Authentication. Risk-based authentication controls should flow from the organization’s security risk assessment, and should be commensurate with the type of data, level of sensitivity of the information, and user type.
- Authorization. Authorization controls should be granular enough to support participant consent and should limit access, use, or disclosure based on what is necessary to satisfy a particular purpose or carry out a function.
- Participant Education. PMI organizations should provide participants with security awareness materials and education on an ongoing basis. The educational materials should include discussion of how data will be used, the high-level protections that safeguard the data, and the tools available to research participants to protect their own PMI data.
- PMI Data User Education. PMI organizations should provide appropriate training for individuals using PMI data and infrastructure based on the individual’s role and responsibilities. This role-based training should include information on appropriate protections for PMI data and security best practices. Appropriate security certifications and continued training in information system security and privacy protection should be encouraged.
- Encryption. PMI data that is reasonably likely to identify an individual should be protected at-rest and in-motion using strong encryption. Examples of data reasonably likely to identify an individual include identifiers such as name, birth date, contact information, and Social Security Number.
- Encryption Key Security. PMI organizations should store encryption keys separately from encrypted data and establish policies for secure encryption key creation, distribution, access, and revocation.
- Physical Security. PMI data should be protected by physical security controls as well as cybersecurity controls.
- Service Provider Security. When PMI organizations employ subcontractors, third parties, or vendors (including hosted, cloud, or application service providers) to create, receive, maintain or transmit PMI data, PMI organizations should obtain the necessary assurances that the service provider will appropriately safeguard PMI data, consistent with the organization’s security plan.
- Integrity Protection. PMI organizations should implement integrity protection controls that detect when unauthorized alterations have been made to PMI data.
- Life Cycle. PMI organizations should implement a system development life cycle, which ensures that appropriate safeguards for PMI data remain in place from receipt or creation through disposition.
- Security Patching. PMI organizations should keep systems updated with the latest security patches and should develop change control and configuration management policies to ensure that system updates are tested, reviewed, and approved prior to implementing.
- Audit Events. PMI organizations should define a set of system and network events that capture interactions with PMI data from networks, servers, and application infrastructure, including user access and behavior.
- Audit Logs. System and network events should be logged on a continuous uninterrupted basis in a manner that protects against tampering and provides sufficient detail to identify: the type of action performed on PMI data, the unique identity of who performed the action, the date and time the action occurred, and the subset of data impacted by the action.
- Detection and Alerting. Continuous detection processes and alerting mechanisms should be created to ensure timely and adequate awareness of anomalous events, as well as a process to inform operational staff and stakeholders with relevant situational details.
- Threat Information Sharing. PMI organizations should participate in relevant threat information sharing forums. PMI organizations should also follow existing best practices to provide ways for participants and non-affiliated individuals and entities to report potential vulnerabilities or threats, and respond to reports appropriately.
- Anomaly Reporting. PMI organizations should make reports of security anomalies, alerts, reports, or other relevant events available to the organization’s governance boards, and should also provide remediation plans to prevent similar vulnerabilities from occurring in the future.
- Incident Response. Not all security incidents result in a breach. PMI organizations should develop a plan to respond to and contain security incidents. This plan should include a process to identify quickly and effectively whether an incident has led to a breach of PMI data. Organizations should coordinate response activities with internal and external parties, as appropriate (e.g., law enforcement, Internet Service Providers, Information Sharing and Analysis Organizations, Information Sharing and Analysis Centers, and vendors).
- Incident Response Testing. PMI organizations should regularly test incident response plans to ensure the highest level of proficiency.
- Affected Individual Notification. When a PMI organization has determined that a security incident has resulted in a breach of PMI data, the organization should notify the affected individuals and appropriate organizations in accordance with applicable breach notification laws, the Privacy and Trust Principles, and the organization’s security plan.
- Accountable Point of Contact. PMI organizations should identify an accountable point of contact who will coordinate with appropriate organizations and affected individuals throughout the incident response process. The contact should have the authority to direct actions required in all phases of the incident response.
- Incident and Breach Recovery Plan. PMI organizations should establish, maintain, and implement plans for emergency response, backup operations, and post-incident recovery for PMI data. These plans should address how the PMI organization will stabilize after the incident and restore basic services.
- Communication. As an integral part of the recovery plan, PMI organizations should communicate to stakeholders when a safe and secure environment has been restored.
- Lessons Learned. After recovery from a security incident or breach, PMI organizations should identify lessons learned, including conducting root cause analysis, to identify areas needing improvement, and update security plans based on those lessons learned. Lessons learned should be reported to the organization’s governance board, and information that may be helpful to other PMI organizations should be shared with the PMI community as appropriate.
Data Security Policy Principles
The following overarching principles are intended to guide organizations in developing and implementing an appropriate security plan. PMI organizations should, at a minimum:
Awareness and Training
Information Protection and System Maintenance
We’re looking to a broad range of stakeholders to learn about new or expanded initiatives and programs aimed at enabling new ways to improve health and treat disease – and ways to use this information to inform our precision medicine efforts going forward.
We know of exciting work in each of the key areas listed below, and are looking for additional examples of these types of efforts. These initiatives could include:
- New approaches for deploying precision medicine into patient care to improve health.
- Exciting new ways to engage patients, participants, and partners in research, and get the word out about PMI, including through the use of novel technologies.
- The deployment of innovative ways of including historically excluded and underserved populations in research.
- The development of robust APIs in electronic health record systems that can support patients accessing their clinical data and donating it for research.
- The creation of workable models of information sharing across organizational boundaries with appropriate privacy and security protections.
- Technology to support the storage and analysis of large amounts of data, with strong security safeguards.
- Novel analytics to help combine diverse data sets with appropriate privacy and security protections to answer precision medicine questions.
- New solutions for security issues in building large research data sets.
- Steps to increase the number of high quality data scientists and technologists working in healthcare.
- The development of grand challenges, competitions, and prizes to foster innovation.
Connection to Precision Medicine
Precision Medicine is already saving lives. Read the stories of some of the people that have benefited from this new approach:
William Elder Jr.
William Elder, Jr. was diagnosed with cystic fibrosis (CF) at the age of eight, when the life expectancy for CF patients was very low. Now at 27, Bill is alive thanks to Kalydeco, a treatment for his particular form of cystic fibrosis and a remarkable drug that treats the underlying cause of his CF, rather than the symptoms.
At a congressional briefing in 2013, Bill told members of the U.S. Senate that just knowing that there were individuals who were researching his condition gave him hope and the strength to continue his treatments and work to be healthier every day. Bill described waking up in the middle of the night after taking his new treatment for the first time. “I sat on the floor of my room for a while slowly breathing in and out through my nose, and then I realized that was it. I had never been able to easily breathe out of my nose before. This was something profound,” he said. He recalls telling his parents, "For the first time in my life, I truly believe that I will live long enough to be a grandfather.”
Emily Whitehead
At age six, Emily Whitehead was the first pediatric patient to be treated with a new kind of cancer immunotherapy and was cancer free only 28 days later. “If you didn’t know what happened to her, and you saw her now, you would have no idea what she has been through,” says Emily's mom.
Her parents decided to enroll her in a pioneering cancer immunotherapy trial at the Children’s Hospital of Philadelphia. Emily’s T-cells were collected from her blood and re-engineered in the lab to recognize a protein found only on the surface of leukemia cells. Those T-cells were then infused back into Emily’s blood, where they circulated throughout her body on a mission to seek and destroy her leukemia. Knowing how to turn these T-cells into what Emily called “ninja warriors” required big investments in basic biomedical research. In fact, Science Magazine named it a 2013 Breakthrough of the Year — Emily's family couldn't agree more.
Melanie Nix
Melanie Nix's family has a history of breast cancer — a history that Melanie couldn't escape when she tested positive for the BRCA gene mutations linked to breast cancer in 2008. After 16 rounds of chemotherapy and breast reconstruction surgery, she had to have both ovaries removed to further reduce risks of cancer in the future. But Melanie is now cancer free thanks to precision medicine.
Melanie's positive test results for the BRCA gene mutations instantly concerned her medical team. BRCA gene mutations are linked to breast and ovarian cancers. Further tests confirmed that she had triple-negative breast cancer, a very aggressive form of breast cancer that disproportionately affects African-American women. Her best chance for cancer-free survival was to have a bilateral mastectomy. Melanie says that this type of tailored treatment gave her hope. "Precision medicine offers the hope that by the time my daughter is at an age when she considers genetic testing, new, targeted treatments will be available to give her additional choices for preserving her health," she said.
Hugh and Beatrice Rienhoff
Beatrice Rienhoff's eyes were spaced wider than usual, her leg muscles were weak, and she couldn't gain weight. Her father, a trained clinical geneticist, took notice and wanted to help. After six years, he and his team of scientific volunteers identified the cause of her condition.
Beatrice's original medical team had thought her condition resembled Marfan syndrome, a genetic disorder that can cause tears in the human heart. It's typically a fatal syndrome. However, the doctors couldn't fully diagnose Beatrice with Marfan — or any other known disease. Acting as "Super Dad," Hugh led his team to identify a variant responsible for his daughter's condition, and this research gave rise to the description of a whole new syndrome. The team continues to use precision medicine to learn more about the new syndrome and further study genetic variation to help those like his daughter. Today, Beatrice is living a full life.
Kareem Abdul-Jabbar
Six-time NBA Most Valuable Player, Kareem Abdul-Jabbar was diagnosed with a form of leukemia in 2008. Known to be lethal, leukemia is a cancer of the blood and bone marrow. It caused the basketball great to slow down, fall ill, and worry. A few years later, he credits precision medicine for helping him to be well today.