Data Access and Sharing Risks Identified at National Institutes of Health

The Department of Health and Human Services’ Office of Inspector General (OIG) has published a report of the findings of an audit of the National Institutes of Health (NIH). The NIH is the primary government biomedical and public health research agency in the United States and one of the foremost medical research centers in the world.

The audit was conducted to determine whether adequate controls had been implemented for permitting and monitoring access to sensitive NIH data. OIG reviewed internal controls, policies, procedures, and supporting documentation, and conducted interviews with internal staff.

While controls had been implemented at NIH to restrict access to sensitive data, OIG identified several areas where improvements could be made to bolster security and made several recommendations.

OIG recommended that NIH develop a security framework, conduct risk assessments, implement additional security controls to safeguard sensitive data, and start working with an organization that has expertise and knowledge of misuse of scientific data. NIH did not concur with any of those recommendations.

OIG also recommended that mechanisms be implemented to ensure that NIH's data security policies remain current and reflect the rapidly changing threat landscape, and that security awareness training and security plans be made a requirement.

NIH concurred with those recommendations but did not agree to implement controls to ensure that training and security plan requirements are fulfilled. NIH explained that it had already established a working group to address risks and vulnerabilities to the confidentiality of intellectual property and protect the integrity of the peer review process.

OIG maintained that the findings of its auditors were accurate and the recommendations were valid. Detailed information on potential actions that could be taken to address its findings and recommendations was provided to NIH. OIG recommended that, if NIH decides not to strengthen its controls, the decision should be documented in line with Federal regulations and guidance.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.