By Peter J. O’Dwyer, MD (left)
and Mitchell D. Schnall, MD, PhD

As we eliminate yet another phishing message from our phones and laptops, we are sometimes reminded that we’re getting pretty good at this. Practice makes perfect, to coin a phrase. Or close to perfect, as horror stories of “the one that got through” raise our attention threshold. We were recently reminded by Chris Dymek, Entity Information Officer at Penn, that “the environment surrounding data security and risk management is becoming more complex, and expectations for research organizations are steadily increasing.” Chris went on to elaborate (and we quote directly with his permission):

“Just as importantly, the very definition of “sensitive” data is expanding. It is no longer limited to traditional categories like PHI. Increasingly, regulators are focused on broader sets of human-derived data — including genomic, biometric, geolocation, and other participant-level information — particularly when aggregated at scale. Recent Department of Justice rules restricting certain “bulk” transfers of U.S. sensitive personal data underscore this shift, applying even when data are anonymized or encrypted. In today’s environment, “de-identified” is no longer the safety net many once assumed it to be.

At the same time, NIH policy is moving the research community beyond a compliance model centered primarily on HIPAA and PHI. In 2025, NIH implemented requirements that data from widely used repositories such as dbGaP be stored and analyzed in NIST SP 800-171–compliant environments, and draft guidance would further expand the scope of data subject to these standards. The direction is clear: human-derived data — even when not traditionally categorized as PHI — are increasingly subject to robust, lifecycle-based security expectations. Protection is no longer about a single transaction or disclosure; it extends from collection and analysis to storage, sharing, and long-term stewardship.”

Just as we do with our phones, we have to think differently about all of our data in this larger picture—one that supersedes regulatory compliance alone and gets to patient protection and the public’s trust. At ECOG-ACRIN, we are committed to developing a robust, flexible data environment that empowers our investigators. We aim to refine our infrastructure to accommodate the vast scale of modern data, ensuring that our storage and analytical tools remain as dynamic as the science itself. We are discussing many of these issues with the National Cancer Institute, including how we both avail of and contribute to their data repositories. We are also considering how best to accomplish germline analyses that are likely central to risk assessment and prevention strategies going forward. We convey these perspectives with our thanks to Chris Dymek for the succinct and lucid summation of the issues.

Read the March 2026 issue here.