Why security is key to advancing precision medicine goals through the All of Us research program

By Lynda Malik-Gagnon

On May 6, 2018, the U.S. National Institutes of Health (NIH) launched the All of Us Research Program, a unique longitudinal initiative that seeks to inject new data into population health efforts to advance research and health outcomes. The program aims to engage one million or more U.S. participants as partners to gather insights for precision medicine to prevent and treat diseases based on individual differences in lifestyle, environment and genes.

Participants and consortium partners in the program will be asked to contribute a wide range of health, lifestyle and environmental information. The information may be acquired from multiple sources such as electronic medical records, specimen collection, mobile applications, etc., and will flow into a database for researchers studying many different topics in health and disease.

A broad spectrum of organizations supports the program in various ways, including biospecimen and data collection and storage, healthcare and retail organizations that help with recruitment, and a central communications and support hub for participants and all members of the consortium, among others. As important as the data is to advancing precision medicine, so too is protecting the privacy of participants. It is therefore vital that all organizations involved in the All of Us Research Program understand their obligations with regard to personally identifiable information (PII), protected health information (PHI) and other data. This is all the more critical given the commitment to having the data be diverse and representative of all U.S. residents, including groups that have been underrepresented in medical research, which means accounting for varying levels of general and health literacy when communicating about privacy. Every organization needs to understand the NIH’s Precision Medicine Initiative Privacy and Trust Principles, which commit to protecting participants’ data and resources.

The program leaders take data privacy seriously, and the program has strict guidelines on what can be gathered and used and what constitutes a breach.

The participants, consortium members and organizations involved in the All of Us Research Program — and indeed any program that involves gathering population data — need to make sure they understand the security and privacy requirements, how to handle the data gathered, and how to keep that handling compliant.

Steps to Protecting PII

As with most projects, securing data for the All of Us Research Program must consider people, technology and process.

A key component when managing PII, PHI, and other data is ensuring that all staff are properly trained.

Training must be ongoing, and it must ensure all personnel involved understand what constitutes PII and PHI, how to identify it, how to handle it, what needs to be redacted or anonymized, and with whom the information can be shared. Integral to training is testing. For example, scenarios should be developed to test the staff’s ability to identify which data or combination of data constitutes PII.

It’s also important to ensure that the infrastructure and technology used are secure and compliant. The platform used to collect and manage data therefore needs to be designed to address governance, risk and compliance.

When it comes to processes, it is important that breach and escalation policies are well communicated and understood. It is equally important to understand the boundaries between systems, hosting vendors and other participating organizations, and how information flows across those boundaries. To ensure that safeguards are in place, set up strong policies and standard operating procedures and test them frequently.

The All of Us Research Program has committed to certain steps with its partners. These include making information security a requirement of each award the program grants; requiring dedicated security staff at each consortium partner; and requiring that awardees use continuous electronic and human monitoring, automated testing and periodic penetration tests, largely informed by NIST standards.

“The All of Us Research Program takes seriously the trust our participants place in us,” says Kermit Littlefield, NIH information systems security officer. “We invest in extensive controls and the best technology possible to keep this data safe. The All of Us Program uses the most up-to-date industry standards and practices to prevent security breaches. We have enlisted teams of experts to establish safeguards and conduct rigorous security testing on an ongoing basis. These experts make sure our security practices meet the program’s requirements and all federal, state, and local laws and regulations for safeguarding participant data.

“For program participants, we use data encryption and de-identification technologies to automatically remove as many obvious identifiers as possible that would link personal health information to a given participant,” Littlefield continues. “The program replaces the stripped identifiers with a participant ID so that no one will have access to a person’s information.”
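The de-identification step Littlefield describes, stripping direct identifiers and substituting a participant ID, is the standard pseudonymization pattern. The following is an added example of that pattern, not code from the All of Us program: the field names, the HMAC-based ID derivation and the Safe Harbor-style generalization rules for dates and ZIP codes are assumptions about how such a pipeline might look, and the sample record is constructed. Two points a practitioner would want that the quote does not spell out: the participant ID should be a keyed pseudonym (a plain hash of a short medical record number is brute-forceable), and removing direct identifiers reduces but does not eliminate re-identification risk, because quasi-identifiers such as birth year, ZIP prefix and diagnosis can still be combined, which is why the output is checked for leaks rather than assumed clean.

```python
"""Pseudonymize participant records: strip direct identifiers, generalize
quasi-identifiers, and replace the source key with a keyed participant ID.
Added example; field names and rules are assumptions, not program code."""
import hashlib
import hmac
import re
from datetime import date

# Assumed field names treated as direct identifiers and dropped outright
# (loosely modeled on the HIPAA Safe Harbor identifier list).
DIRECT_IDENTIFIERS = {"name", "mrn", "ssn", "email", "phone", "street_address"}

# Identifier shapes that tend to hide inside free text such as clinical notes.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

REFERENCE_DATE = date(2018, 5, 6)  # "today" for age calculations


def participant_id(pepper: bytes, source_id: str) -> str:
    """Derive a stable pseudonym for a source key (e.g. an MRN) with HMAC-SHA256.

    The same MRN under the same secret pepper always yields the same ID, so
    longitudinal records can be joined; without the pepper the mapping cannot
    be recomputed. An unkeyed sha256(mrn) would be reversible by enumerating
    the (small) MRN space, so the key is what makes this a pseudonym.
    """
    digest = hmac.new(pepper, source_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return "P" + digest[:16]


def generalize_birth_date(dob_iso: str, today: date) -> str:
    """Keep only the birth year; collapse ages over 89 into a '90+' bucket."""
    year = int(dob_iso[:4])
    return "90+" if today.year - year > 89 else str(year)


def generalize_zip(zip_code: str) -> str:
    """Keep the 3-digit ZIP prefix. (Safe Harbor additionally requires '000'
    for sparsely populated prefixes; that lookup table is omitted here.)"""
    return zip_code[:3] + "XX"


def scrub_free_text(text: str) -> str:
    """Redact identifier-shaped substrings from free text."""
    text = EMAIL_RE.sub("[EMAIL]", text)
    text = SSN_RE.sub("[SSN]", text)
    return PHONE_RE.sub("[PHONE]", text)


def deidentify(record: dict, pepper: bytes, today: date) -> dict:
    """Return a new record: direct identifiers removed, quasi-identifiers
    generalized, free text scrubbed, and a pseudonymous participant ID added."""
    out = {"participant_id": participant_id(pepper, record["mrn"])}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue  # dropped entirely; the participant ID replaces the MRN
        if field == "dob":
            out["birth_year"] = generalize_birth_date(value, today)
        elif field == "zip":
            out["zip3"] = generalize_zip(value)
        elif isinstance(value, str):
            out[field] = scrub_free_text(value)
        else:
            out[field] = value
    return out


def leaked_identifiers(record: dict) -> list:
    """Post-condition check: report any direct-identifier field, or any value
    that still looks like an email, SSN or phone number. Non-empty means the
    record is not de-identified, whatever the pipeline claims."""
    leaks = {f for f in record if f in DIRECT_IDENTIFIERS}
    for field, value in record.items():
        if isinstance(value, str) and (
            EMAIL_RE.search(value) or SSN_RE.search(value) or PHONE_RE.search(value)
        ):
            leaks.add(field)
    return sorted(leaks)


# Constructed sample record; not real participant data.
SAMPLE = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0042",
    "ssn": "123-45-6789",
    "email": "jane@example.org",
    "phone": "555-123-4567",
    "street_address": "1 Example St",
    "zip": "02139",
    "dob": "1951-07-04",
    "diagnosis_code": "E11.9",
    "note": "Pt called from 555-123-4567, follow-up by jane@example.org.",
}


def demo(pepper: bytes = b"example-pepper") -> dict:
    """Run the pipeline on the constructed sample under a given pepper."""
    return deidentify(SAMPLE, pepper, REFERENCE_DATE)


if __name__ == "__main__":
    # In practice the pepper comes from a KMS/HSM, never from source code.
    clean = demo()
    print(clean)
    print("leaks in input: ", leaked_identifiers(SAMPLE))
    print("leaks in output:", leaked_identifiers(clean))
```

The `leaked_identifiers` check is the part worth keeping even if the rest is replaced by a vendor tool: it turns "we remove identifiers" into a testable property that can run on every exported batch, which is the kind of automated test the program's partner requirements call for.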

The All of Us Research Program has the potential to advance insights into both health and disease, opening the door to new treatments, better ways of managing chronic conditions and better care procedures. To get to that point, participants need to know that they can trust the program, that their data will be safe and used appropriately, and that they can each contribute to making a difference to the future of medicine and health.

We encourage everyone to participate in this groundbreaking program. Learn more about how to join the All of Us Research Program.

Lynda Malik-Gagnon has nearly 40 years of healthcare information technology experience. She is currently the interim lead for DXC’s Healthcare Solution Delivery Center in the Americas. Previously, she was a healthcare solution leader and part of the marketing team for DXC Healthcare and Life Sciences. Prior to DXC, she was a senior manager in the health delivery business unit at First Consulting Group where she led quality improvement activities for the healthcare practice.



  1. Security in medical precision systems includes regular calibration requirements. Machines begin to falter in their result accuracy in a much shorter time than expected. It is vital to keep them well calibrated so that lives are not endangered.
