
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Audit Uncovers Security Weaknesses in the NIH All of Us Research Program

An audit of the National Institutes of Health (NIH) All of Us Research Program has uncovered privacy and security weaknesses that put the health information of more than 1 million individuals at risk of compromise.

The All of Us Research Program was launched in 2015 as part of the NIH Precision Medicine Initiative to advance disease prevention and treatment by making the personal health and genomics data of more than 1 million individuals available for research purposes. Unlike research studies that focus on a specific disease or cohort of people, the All of Us Research database can be used to study a wide range of health conditions and diseases. The data is housed by the Data and Research Center (DRC) and is managed by an NIH award recipient, Vanderbilt University Medical Center. The All of Us database is one of the largest health research databases of its kind.

While aggregate data about the participant cohort as a whole can be viewed by anyone, only researchers approved by the All of Us Research Program may view individual-level participant data. A database of health and genomic information this large is extremely valuable; therefore, robust privacy and security measures must be implemented to protect research participants’ data from cybersecurity and national security threats.

The Department of Health and Human Services Office of Inspector General (HHS-OIG) has recently published the findings of a 2024 audit that sought to determine whether appropriate access controls had been implemented by the DRC award recipient, if appropriate privacy and security controls were in place, and if information security and privacy weaknesses had been addressed in accordance with federal standards.


HHS-OIG determined that the DRC award recipient had implemented some cybersecurity controls, including vulnerability scanning, penetration testing, flaw remediation, system monitoring, incident response, contingency planning, disaster recovery, and security awareness training; however, controls were inadequate in some areas, which put research participants’ data at an increased risk of compromise.

HHS-OIG identified access control weaknesses. For instance, authorized users were permitted to remotely access the information systems from foreign countries only with prior approval, but no technical control restricted such access to the individuals who had actually received it; in practice, any authorized user could access the information systems from a foreign country. Likewise, downloads of detailed participant data were prohibited by policy, but no access control was in place to prevent them. In both cases the rule existed on paper and the system did not enforce it.

HHS-OIG also found that the DRC award recipient failed to communicate national security concerns associated with the maintenance of genomic data to NIH and did not resolve identified weaknesses and vulnerabilities within the timeframe stipulated by NIH in its award agreement. As such, there was an increased risk of research participants’ data, including genomic data, being accessed, downloaded, and misused by bad actors, including foreign adversaries.

HHS-OIG made five recommendations to NIH to improve oversight of the All of Us Research Program and address the identified privacy and security issues. NIH concurred with all five recommendations and is implementing measures to address the privacy and security weaknesses. NIH has confirmed that the measures already fully implemented include controls that resolve the remote access issues, and that access from certain countries of concern, including China, Cuba, Iran, Russia, and North Korea, has been blocked.
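The two access control findings above (foreign access permitted without enforcing the approval requirement, and downloads prohibited without being prevented) and the country block NIH has since implemented all come down to the same point: a written rule is only a control when a policy decision point enforces it on every request. The following is an added illustration of such an enforcement point, written for this article and not code from the DRC, Vanderbilt University Medical Center, or NIH. It evaluates each request deny-by-default against a blocked-country list, a prohibited-action list, and time-bounded per-user foreign-access approvals, and it replays existing session records through the same logic to find accesses that a paper-only policy would have let through. The log format, action names, user names, ISO country codes, the approval record structure, and the assumption that domestic access needs no exemption are all assumptions made for the example.

```python
"""Deny-by-default access decision point for a research data enclave.

Added illustration, not the DRC's, Vanderbilt's or NIH's code. Log format,
actions, users, country codes and approval structure are assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Countries the article says NIH has now blocked; ISO codes are an assumption.
BLOCKED_COUNTRIES = frozenset({"CN", "CU", "IR", "RU", "KP"})
HOME_COUNTRY = "US"  # assumption: domestic sessions need no exemption

# Actions the policy prohibits outright. Listing them here means the system
# refuses them rather than relying on users to comply.
PROHIBITED_ACTIONS = frozenset({"download_participant_data"})
ALLOWED_ACTIONS = frozenset({"query", "view_aggregate", "view_participant"})


@dataclass(frozen=True)
class ForeignAccessApproval:
    """A time-bounded approval for one user to work from one specific country."""
    user: str
    country: str
    valid_from: datetime
    valid_until: datetime

    def covers(self, user, country, at):
        return (self.user == user and self.country == country
                and self.valid_from <= at <= self.valid_until)


def decide(user, country, action, approvals, now):
    """Return (allowed, reason). Any path not explicitly allowed is denied."""
    if action in PROHIBITED_ACTIONS:
        return False, "prohibited_action"
    if action not in ALLOWED_ACTIONS:
        return False, "unknown_action"
    if country in BLOCKED_COUNTRIES:          # blocked even if an approval exists
        return False, "blocked_country"
    if country == HOME_COUNTRY:
        return True, "domestic"
    if any(a.covers(user, country, now) for a in approvals):
        return True, "approved_foreign_access"
    return False, "foreign_access_without_approval"


# Assumed session record format, e.g.
# "2025-03-02T10:15:00Z user=alice src_country=DE action=query"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src_country=(?P<cc>[A-Z]{2}) action=(?P<action>\S+)$"
)


def audit_sessions(log_lines, approvals):
    """Replay recorded sessions through decide() and return those that should have been denied.

    This is the retrospective check an auditor would run when a control was
    documented but not enforced: which past sessions violated the written policy?
    """
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            findings.append((line.strip(), "unparseable_record"))
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        allowed, reason = decide(m["user"], m["cc"], m["action"], approvals, ts)
        if not allowed:
            findings.append((m["user"], reason))
    return findings


UTC = timezone.utc
# Constructed approvals: alice may work from Germany in March 2025; dave holds an
# approval for Russia, which the country block must override.
APPROVALS = [
    ForeignAccessApproval("alice", "DE", datetime(2025, 3, 1, tzinfo=UTC), datetime(2025, 3, 31, tzinfo=UTC)),
    ForeignAccessApproval("dave", "RU", datetime(2025, 3, 1, tzinfo=UTC), datetime(2025, 3, 31, tzinfo=UTC)),
]

# Constructed session log for the example.
SAMPLE_LOG = [
    "2025-03-02T10:15:00Z user=alice src_country=DE action=query",                     # inside approval window
    "2025-04-02T10:15:00Z user=alice src_country=DE action=query",                     # approval expired
    "2025-03-02T11:00:00Z user=bob src_country=DE action=query",                       # never approved
    "2025-03-02T12:00:00Z user=carol src_country=US action=view_participant",          # domestic, allowed
    "2025-03-02T12:30:00Z user=carol src_country=US action=download_participant_data", # prohibited action
    "2025-03-03T09:00:00Z user=dave src_country=RU action=query",                      # blocked country wins
]

if __name__ == "__main__":
    for user, reason in audit_sessions(SAMPLE_LOG, APPROVALS):
        print(f"DENY {user}: {reason}")
```

The ordering in `decide()` is deliberate: the prohibited-action and blocked-country checks run before any approval is consulted, so an exemption can never widen access past the hard rules, and the final `return` denies anything the earlier branches did not explicitly allow. Running the replay over the constructed log flags four of the six sessions, including the one from a user who held a valid approval for a country that is now blocked.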

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
