OIG Advises NIH to Improve Health Grant Program Cybersecurity Requirements

An audit conducted by the Department of Health and Human Services' (HHS) Office of Inspector General (OIG) has found that the National Institutes of Health (NIH) does not have adequate controls to ensure that its grant awards include risk-based cybersecurity protections for sensitive data, starting with a pre-award risk assessment process that does not consider cybersecurity at all.

NIH invests over $30 billion annually in medical research for the benefit of United States citizens, with over 80% of that funding going to research institutions in the United States and abroad through roughly 50,000 competitive grants. Both HHS and the federal government place a strong emphasis on security measures and data protection for federally funded research projects. OIG engaged CliftonLarsonAllen LLP (CLA) to audit whether NIH has adequate controls in place to ensure that grant awards include risk-based cybersecurity protections for sensitive and confidential data and for NIH's intellectual property.

To assess NIH's controls, CLA interviewed NIH officials, reviewed NIH policies and procedures, evaluated the implementation, monitoring, and enforcement of cybersecurity provisions, and examined post-award monitoring and the implementation of cybersecurity measures for a sample of grantees. CLA found gaps at three points in the grant lifecycle. NIH's pre-award risk assessment process is inadequate because it does not take cybersecurity into account and does not include a special term and condition addressing cybersecurity risk in the Notice of Award. NIH's policies are inadequate because the NIH Grants Policy Statement (NIHGPS) does not contain specific, risk-based cybersecurity provisions. And NIH's post-award monitoring is inadequate to ensure that grantees maintain effective cybersecurity to safeguard sensitive and confidential data and NIH's intellectual property.

To address these deficiencies, OIG made several recommendations. First, OIG recommends that NIH evaluate its grant award programs to identify which awards should require enhanced cybersecurity measures because the research may involve sensitive and confidential data, NIH intellectual property, or both. Second, OIG recommends that NIH specify which cybersecurity controls the grantee of each funding opportunity should implement. Third, OIG recommends that NIH update the NIHGPS to provide specific and measurable cybersecurity requirements. Finally, OIG recommends that NIH strengthen its pre-award process to identify and address how cybersecurity risk will be assessed, and strengthen its post-award process to confirm that cybersecurity protections have been implemented to adequately safeguard sensitive and confidential data.