An audit of the National Institutes of Health grant program revealed a number of cybersecurity risks and a lack of adequate policies to ensure grantees were adhering to risk-based protocols.
The current NIH Grants Policy Statement cybersecurity provisions themselves are “generic and do not establish clear and measurable standards for implementing safeguards proportionate to the assessed level of cybersecurity risk during the pre-award process, and cybersecurity is not part of the scope of current post-award process for grants described in the NIHGPS.”
As it stands, NIH is relying solely on its grantees to design, implement, maintain, and monitor the effectiveness of their own cybersecurity controls in protecting the confidentiality of the data. Because of this, OIG warns that NIH may not be able to identify potential gaps in protecting the data or even personal health information.
The Department of Health and Human Services Office of the Inspector General (OIG) made five detailed recommendations to bring the program up to a more effective security standard. However, NIH did not indicate whether or not it concurred with the recommendations, and instead marked the recommendations “closed and implemented.”
“Based on our review of NIH's comments, we determined that the actions described do not sufficiently address the identified cybersecurity risks. As such, we maintain that our findings and recommendations are accurate and valid,” according to the report.
The NIH is the largest public funder of biomedical research in the world with more than $32 billion invested each year through 50,000 competitive grants to more than 300,000 researchers at more than 2,500 universities, medical schools, and other research institutions in the U.S. and globally.
The scope and importance of its program, as well as its troves of patient data and intellectual property, prompted the audit to ensure NIH has risk-based cybersecurity provision requirements in place to protect its confidential data and intellectual property.
Cybersecurity not even considered in NIH grants
The findings determined the NIH cybersecurity protocols were lacking in a number of key ways. Specifically, the agency does not have an adequate pre-award risk assessment process for its grantees. In fact, NIH does not “consider cybersecurity and does not include a special term and condition addressing cybersecurity risk in the Notice of Award.”
Further, the NIHGPS lacks specific risk-based provisions for cybersecurity, and the agency does not use adequate post-award monitoring to ensure grantees maintain effective cybersecurity to protect sensitive and confidential data and NIH’s intellectual property.
OIG found the driving cause of these major security gaps was a lack of specific detail on how cybersecurity risks will be evaluated as part of the requirements for the pre-award process of the NIHGPS and funding opportunities.
In one example, NIH did monitor one grantee sampled in the audit, focusing on multi-factor authentication and access controls. OIG noted it was an “ad hoc review” and not required by the NIHGPS nor the grant award. The gap is attributed to the absence of cybersecurity from the post-award process.
Without identifying potential issues, NIH may not be able to provide timely assistance.
“Within each Federal Agency, there is a shared interest for management and oversight of Federal grant dollars from both a financial management and grants management perspective,” the report authors wrote. The risk-based perspective and “internal controls framework should serve as a mechanism to ensure effective and efficient allocation and use of grant dollars.”
Overlooking recommended controls
OIG recommended NIH assess its grant award programs to determine where cybersecurity protections are missing, particularly for sensitive and confidential research data or intellectual property. Similarly, funding opportunity announcements or grant conditions should include cybersecurity control requirements.
The NIHGPS program can be strengthened with clear and measurable standards for cybersecurity, while its pre-award process should clearly identify how cybersecurity risks will be assessed. Its post-award process should also confirm grantees have implemented adequate cybersecurity.
NIH responded that it requires only elective recommendations or expectations for adopting a cybersecurity approach. However, OIG pointed out that “best practice recommendations may or may not be adopted at the discretion of the grantees.” If NIH were to set out clear and measurable requirements, the agency could be reasonably assured that the data is protected.
“While we agree with the importance of appropriate data security measures, we believe that technical provisions regarding data security are more appropriately addressed by the institutions and repositories preserving and sharing the scientific data,” NIH responded.
“We do not wish to burden the funded community with describing in-depth the data security processes of the data repositories preserving and sharing the data generated by their research,” they added.
NIH's response is surprising considering the FBI and other government agencies have warned of the heightened targeting of healthcare and research data during and after the pandemic response, or the vendor-related security incidents affecting the healthcare sector.
OIG re-asserted its recommendations were needed, but the report does not detail whether NIH has plans to implement some or all of the recommendations.
This is certainly not the first OIG report to find serious security gaps within NIH.
Three OIG audits in 2019 alone found needed improvements in security controls for its “All of Us” awardees program, risks in the ways it shares data and in its access controls, and weaknesses in its risk management, configuration management, identity and access management, data protection and privacy, training, continuous monitoring, incident response, and contingency planning.