As the landscape of genomic data sharing evolves, so do the responsibilities surrounding the access, management, and security of sensitive human genomic data. On January 25, 2025, the NIH will implement critical updates to its Genomic Data Sharing (GDS) policy. These changes are designed to bolster the security of controlled-access genomic data repositories and provide clearer guidelines for both developers and approved users accessing this data. For academic and industry researchers, it is crucial to understand how these updates will impact your research practices and how leveraging compliant platforms, such as Pluto Bio, can help ensure your research remains secure and compliant.
Why is the NIH updating its security best practices?
The NIH Genomic Data Sharing (GDS) policy has long been a cornerstone of ensuring that large-scale genomic data - especially human data - is shared responsibly and in a way that respects both participants' consent and security concerns. Its ultimate goal is to maximize the scientific value of genomic data while protecting the privacy and rights of the individuals who contributed to the research. The GDS policy applies to all NIH-funded research generating human genomic data, as well as any subsequent research using this data.
However, as the volume and sensitivity of genomic data continue to grow, so does the challenge of protecting this data from cyber threats. The NIH recognizes the need to strengthen its security framework to address evolving risks, including cyberattacks, data breaches, and the potential misuse of data in the face of emerging technologies like AI and quantum computing. This is why, on January 25, 2025, the NIH will update its security best practices, ensuring that data storage, analysis, and sharing practices are more robust and future-proof.
These new updates aim to:
- Ensure compliance with national security and
- Standardize the security measures across NIH-controlled data repositories.
- Simplify the compliance burden for institutions applying for NIH funding.
- Provide an enhanced security framework that builds trust with the public and participants.
Key changes impacting approved users of controlled-access human genomic data
The most significant changes under the NIH's updated policy revolve around the security of data storage and analysis. As an approved user of controlled-access genomic data from NIH repositories, you will be expected to follow stricter security protocols, especially if you're using third-party IT systems or cloud providers. Here's what you need to know:
-
Compliance with NIST SP 800-171: The most critical update for approved users is the requirement to ensure that any system handling controlled-access genomic data complies with the security controls outlined in NIST SP 800-171. This standard provides a comprehensive framework for protecting sensitive data and is already widely used across federal agencies and research institutions. If you are using a third-party cloud provider or IT system to store, analyze, or share genomic data, you will need to attest that these systems comply with NIST SP 800-171. This attestation can be based on a self-assessment, and any deviations from the standard will need to be documented with a Plan of Action and Milestones (POA&M).
-
Ongoing attestation requirements: Effective January 25, 2025, all principal investigators (PIs) submitting new or renewal requests for access to NIH-controlled genomic data must submit an attestation that the systems they use for data management meet the NIH's updated security practices. This means that both the PI and their institution will need to ensure their data storage, analysis, and sharing infrastructure aligns with these updated best practices.
-
Impact on third-party providers: If you choose to work with a third-party system (such as a cloud provider or bioinformatics platform like Pluto Bio), you will need to provide an attestation confirming that these external systems comply with NIST SP 800-171. This is a key point for any researcher who relies on external platforms for data storage or analysis.
How Pluto Bio supports researchers in meeting NIH security standards
As a third-party platform provider, Pluto Bio is committed to ensuring a secure and compliant environment for storing, analyzing, and sharing human genomic data. We leverage Google Cloud Services, which has undergone an independent third-party assessment and is operating in full compliance with NIST 800-53 controls. In addition, Pluto Bio meets SOC 2 Type II compliance standards, which align closely with NIST SP 800-171 standards. We can provide users with an attestation letter confirming our adherence to these requirements. Additionally, we employ continuous monitoring of our security controls to maintain the highest standards of data security, privacy, and access controls - critical for managing sensitive genomic information.
Pluto Bio helps researchers meet the NIH’s security requirements by:
- Offering a secure, compliant infrastructure for genomic data analysis and storage.
- Providing encryption and access controls that align with both SOC 2 and NIST standards.
- Streamlining compliance by reducing the need for institutions to manage their own IT security assessments.
Moreover, Pluto Bio’s platform facilitates seamless collaboration across teams, making it an ideal choice for both academic and industry researchers. Whether you're part of a multi-institutional academic project or a pharmaceutical company working with diverse teams, Pluto Bio provides a secure, user-friendly environment that enables efficient, compliant collaboration.
For more information on our security practices, visit trust.pluto.bio or visit our website.
Why security compliance matters for researchers
For academic researchers, the updated NIH guidelines and security best practices may feel like a heavy compliance burden. However, platforms like Pluto Bio can significantly ease this process by offering a pre-compliant infrastructure that simplifies the attestation process for researchers. By using a compliant platform, academic institutions can ensure they meet the necessary NIH security requirements without having to invest in extensive internal resources.
For industry researchers, particularly in the pharmaceutical and biotech sectors, compliance with the NIH’s security best practices has both operational and reputational benefits. Adopting a platform like Pluto Bio can:
- Reduce the compliance burden: By leveraging Pluto Bio’s secure infrastructure, industry teams can focus on their research without worrying about maintaining compliance with stringent security protocols.
- Ensure secure collaboration: Pluto Bio’s platform enables researchers to securely share and analyze genomic data across teams, reducing the risk of data breaches and ensuring compliance with regulatory standards.
- Facilitate data-driven decision-making: The ability to collaborate efficiently on secure, compliant infrastructure accelerates research, which can be a competitive advantage in the fast-paced world of drug discovery and genomics.
Conclusion
The NIH’s updated security best practices are a necessary step to safeguard human genomic data in the face of rising cyber threats and emerging technologies. For approved users of controlled-access genomic data, compliance with these new guidelines is crucial for continuing research in a secure, ethical manner. With platforms like Pluto Bio, researchers can navigate these changes with confidence, knowing that their data management and collaboration needs are being met within a secure, compliant environment.
For both academic and industry researchers, the adoption of secure, compliant platforms is not just about meeting regulatory requirements - it’s about ensuring that sensitive data remains protected, fostering trust, and enabling the kind of collaboration that drives scientific discovery forward.