OIG pushes NIH to improve security controls for All of Us program
Participant data from the National Institutes of Health’s Precision Medicine Initiative could potentially be at risk, according to the Department of Health and Human Services’ Office of the Inspector General.
The All of Us Research Program, a major component of the NIH Precision Medicine Initiative, is trying to recruit one million Americans to contribute their physical, genomic and electronic health record data to help researchers achieve medical breakthroughs.
Participants are providing blood and urine samples, and granting access to their EHRs. In addition, information is being collected from program volunteers through fitness trackers, physical measurements and surveys.
However, an OIG audit of information system general controls at one of the seven components of the All of Us program—the Participant Technology Systems Center (PTSC) awarded to Vibrent Health—found serious vulnerabilities; by contrast, none were found at the Data and Research Center, which had been awarded to Vanderbilt University Medical Center.
According to the OIG, the PTSC develops mobile apps and websites for participants to enroll in the All of Us program, provide data and receive updates, while also supporting ongoing testing and upgrades to improve the user experience, implementing innovative participant tools and ensuring the security of participant-facing systems.
“The PTSC did not have adequate controls to protect All of Us participants’ sensitive data,” states OIG’s report. “NIH did not adequately monitor the PTSC to ensure that the PTSC had implemented adequate cybersecurity controls to protect the participants' sensitive data. Based on the results of our penetration testing at the PTSC, we identified vulnerabilities that could expose personally identifiable information, including personal health information of the All of Us participants, and allow access to their data.”
“These vulnerabilities could have allowed an attacker with limited technical knowledge to exploit and compromise the PTSC’s systems, as most of the vulnerabilities did not require significant technical knowledge to exploit,” according to auditors. “In addition, the PTSC failed to enable encryption in the S3 buckets used for cloud storage. The PTSC did not have policies and procedures to address remediating source code vulnerabilities and timely disabling of network access. Finally, the PTSC did not adequately scan its network.”
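The S3 finding quoted above is a storage-configuration gap rather than a code flaw. As an added illustration that does not come from the OIG report, Vibrent Health or NIH, the Terraform below places a bucket declared with no encryption settings beside a hardened form that sets a customer-managed KMS key as the default, blocks public access and refuses plaintext HTTP. Every resource name, bucket name and description is constructed for this example; nothing here describes the PTSC's actual environment. Note that since January 2023 AWS applies SSE-S3 to new buckets automatically, so the weak form now encrypts with S3-managed keys, but an explicit KMS configuration is still what gives the operator key-policy control and CloudTrail visibility into key use.

```hcl
# --- Weak: bucket declared with no server-side encryption configuration.
# Before AWS changed the default (January 2023), objects written to a bucket
# like this were stored in plaintext unless each request asked for encryption.
resource "aws_s3_bucket" "participant_data_weak" {
  bucket = "example-participant-data-weak" # constructed name, not the program's
}

# --- Corrected: customer-managed KMS key used as the bucket default.
resource "aws_kms_key" "participant_data" {
  description         = "Example default key for participant data (constructed)"
  enable_key_rotation = true
}

resource "aws_s3_bucket" "participant_data" {
  bucket = "example-participant-data" # constructed name
}

# Default encryption: every object is encrypted with the KMS key above,
# whether or not the client asked for it. bucket_key_enabled cuts KMS
# request volume without weakening the protection.
resource "aws_s3_bucket_server_side_encryption_configuration" "participant_data" {
  bucket = aws_s3_bucket.participant_data.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.participant_data.arn
    }
    bucket_key_enabled = true
  }
}

# Encryption at rest does not stop a misconfigured ACL or bucket policy from
# exposing objects, so block public access at the bucket level as well.
resource "aws_s3_bucket_public_access_block" "participant_data" {
  bucket                  = aws_s3_bucket.participant_data.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Reject any request that arrives over plain HTTP so data is also
# protected in transit.
resource "aws_s3_bucket_policy" "participant_data" {
  bucket = aws_s3_bucket.participant_data.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "DenyUnencryptedTransport"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        Resource = [
          aws_s3_bucket.participant_data.arn,
          "${aws_s3_bucket.participant_data.arn}/*",
        ]
        Condition = {
          Bool = { "aws:SecureTransport" = "false" }
        }
      },
    ]
  })
}
```

Applying this with `terraform plan` and `terraform apply` makes the encryption setting part of reviewed, version-controlled infrastructure rather than a console checkbox someone may forget. Because the audit also faulted monitoring, pair the preventive setting with a detective one: the AWS Config managed rule `s3-bucket-server-side-encryption-enabled` flags any bucket that drifts back to the weak form, which is the kind of continuous check a funding agency can ask an awardee to evidence.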
Following the audit, NIH and the PTSC addressed and remediated all of the vulnerabilities that the OIG identified.
The OIG’s report recommended that NIH revise its All of Us cooperative agreements—and cooperative agreements with security and privacy requirements—to include a detailed description of how the agency will monitor cybersecurity and ensure that future awardees adequately implement security controls to protect sensitive data.
“In written comments on our draft report, NIH requested that we revise our recommendation to limit the scope of applicability to ‘appropriately focus on those cooperative agreement awards with security and privacy requirements,’ which we have done,” notes the OIG. “NIH stated that, based on our recommendation, it is reviewing All of Us Research Program awards. Specifically, NIH stated that it will make necessary updates to security and privacy terms and conditions.”