NIH database needs cybersecurity improvements, watchdog finds
The National Institutes of Health didn’t ensure that the entity housing personal health information of over 1 million people — including biosamples — implemented proper cybersecurity protocols, according to an internal watchdog.
In a report publicly released Friday, the Department of Health and Human Services’ Office of Inspector General made five recommendations for the security of the All of Us program — a database of diverse health information from 1 million participants that’s meant to aid research — after finding weaknesses.
According to the report, while the award recipient operating the program’s Data and Research Center implemented some cybersecurity measures, NIH failed to ensure other controls were addressed.
The report found that NIH didn’t ensure that the awardee, which wasn’t identified, appropriately limited access to the program’s data, and that the agency didn’t communicate national security concerns related to maintaining genomic data — or data relating to DNA. NIH also failed to ensure that weaknesses in security and privacy were fixed within a timeline outlined in federal requirements.
In a response included in the report, NIH agreed with all of the recommendations and said it had already taken some action to implement them. For example, the awardee running the Data and Research Center had established a process for access control and planned to reevaluate the security categorization of the awardee with the national security concerns of genomic data in mind.
The audit was initially conducted by the inspector general due to the threats that cyberattacks and the potential exposure of sensitive information can pose to the agency’s programs. The watchdog’s objective was to scrutinize the access, security and privacy controls of the program.
The All of Us program began in 2016 after it was authorized by Congress under the 21st Century Cures Act, and was designed to provide researchers with a database that could “inform thousands of studies on a variety of health conditions,” per its website.
As it stands, the participant data in the database includes 470,000 electronic health records and 607,000 biosamples, the report said.
Specifically, the access control issues included not preventing internal users from accessing the systems holding the program data while they were abroad, as well as not preventing the download of detailed participant data.
While authorized users attempting to download detailed participant data were met with a warning that told them they were prohibited from that action, the inspector general found they could still download the data “by checking a box just below the warning message that stated: ‘I understand the data use policies and certify that this download will be used in accordance with All of Us Data Use Policies.’”
Such a download is prohibited by policy, the report said.
“Without a control to prevent the downloading of detailed participant data, the confidentiality of sensitive genomic and participant data is at increased risk if the downloaded detailed data is viewed by unauthorized people,” the inspector general report said.
The report also found that the awardee hadn’t appropriately categorized the data as high risk under federal standards. According to the inspector general, the awardee, in coordination with NIH, determined that the program systems were of moderate risk and elected to implement additional security controls beyond what was required for that category.
NIH, however, didn’t communicate to the awardee that genomic data has national security and economic implications and should be classified as high risk.
“As a result, the processing, storage, or transmission of genomic data in the [Data and Research Center and Data and Research Center Researcher Workbench] information systems may have been at risk of exploitation by bad actors,” the report found.