OIG Finds Security Risks in NIH Data Sharing Processes, Controls
February 18, 2019
The Department of Health and Human Services’ Office of the Inspector General discovered risks in the ways the National Institutes of Health shares its sensitive data, including the controls of permitted access to sensitive NIH data.
OIG audited NIH to determine whether the biomedical research agency had adequate controls in place around permitting and monitoring access to sensitive NIH data. Officials used applicable Federal regulations and guidance to make the determination around NIH policies, procedures, and supporting documentation, along with interviews of NIH employees.
Officials found that NIH needs to improve controls around permitting access to data and provided the agency with a detailed report that included recommendations. Further, NIH should work with an outside firm with expertise in scientific data misuse.
“NIH could strengthen its controls by developing a security framework, conducting a risk assessment, and implementing additional appropriate security controls designed to safeguard sensitive data,” officials said. Officials did not dive deeper into the specific risks found in those controls.
“We also recommend that NIH develop and implement mechanisms to ensure data security policies keep current with emerging threats,” they added. “Lastly, we recommend that NIH make security awareness training and security plans a requirement.”
NIH did not concur with the OIG findings around the development of a security framework, conducting a risk assessment, implementing additional data controls, nor to adding controls to ensure training and security plan requirements are met.
They did agree to OIG’s recommendation to ensure security policies remain current with the evolving threat landscape. NIH officials also noted that they’ve recently established a working group to address and mitigate security risks to intellectual property and to protect the peer-review process integrity.
OIG officials stressed that its findings and recommendations were accurate and that NIH should consider other potential actions provided to the agency to address the findings.
“We recognize that NIH reported that it is already taking certain actions, such as the working group that was recently established, that may address our recommendations,” officials said. “If NIH determines that it does not need to strengthen its controls, it should document that determination consistent with applicable Federal regulations and guidance.”
OIG routinely audits federal agencies to determine the status of security processes and policies. Most recently, OIG found that the Department of Defense Health Agency’s security flaws could put patient data at risk, and the agency is slow to address cybersecurity recommendations, 36 of which are still open for DHA.