OIG identifies risks related to NIH’s sharing of sensitive data
The National Institutes of Health does not have adequate controls in place when it comes to permitting and monitoring access to the agency’s sensitive data.
That’s the finding of an audit by the Department of Health and Human Services’ Office of Inspector General.
According to OIG, NIH is the largest public funder of biomedical research in the world. However, auditors have identified risks related to the sharing of the agency’s sensitive data.
“We reviewed NIH’s internal controls for monitoring and permitting access to sensitive data,” OIG reported. “NIH should improve its controls when permitting access to sensitive NIH data.”
Among the OIG’s overall recommendations are that NIH:
• Work with an organization with expertise and knowledge in scientific data misuse.
• Strengthen its controls by developing a security framework, conducting a risk assessment, and implementing additional appropriate security controls designed to safeguard sensitive data.
• Develop and implement mechanisms to ensure data security policies keep current with emerging threats.
• Make security awareness training and security plans a requirement.
In written comments to the OIG, NIH concurred with auditors’ recommendations to develop a security framework, conduct a risk assessment and implement additional controls for sensitive data. The agency also agreed with OIG’s recommendations to ensure security policies keep current with emerging threats and to make training and security plans a requirement.
Nonetheless, NIH disagreed with the OIG’s call for additional controls to ensure training and security plan requirements have been fulfilled. The agency also informed auditors that it recently established a working group to address and mitigate risk to intellectual property, as well as to protect the integrity of the peer-review process.
“We maintain that our findings and recommendations are valid,” concluded OIG. “We recognize that NIH reported that it is already taking certain actions, such as the working group that was recently established, that may address our recommendations. We also provided NIH with other potential actions to address our findings and recommendations. If NIH determines that it does not need to strengthen its controls, it should document that determination consistent with applicable federal regulations and guidance.”