NIH Needs to Improve Cybersecurity Requirements for its Grant Program

September 30, 2022

The National Institutes of Health (NIH) failed to implement adequate cybersecurity measures to protect sensitive data in its pre-award risk assessment process, according to a recent audit conducted by the HHS’ Office of Inspector General (OIG).

NIH invests more than $30 billion each year in medical research for the American people, with more than 80% of the funding awarded through approximately 50,000 competitive grants for research institutions within the United States and around the world. Security controls and data safeguards to protect federally funded research efforts are of major importance to both the HHS and the Federal government. OIG engaged CliftonLarsonAllen LLP (CLA) to conduct an audit to determine whether NIH had adequate requirements to ensure that grant awards have risk-based cybersecurity provisions to protect sensitive and confidential data and NIH’s intellectual property.

As a grant-making organization, NIH is required to comply with the uniform administrative requirements in Federal regulations at 45 CFR Part 75, and the Department’s Grants Policy Administration Manual (GPAM). Under 45 CFR Part 75, NIH is required to review the risks posed by applicants, and NIH may impose special conditions on grant recipients corresponding to the degree of risk associated with making a grant award.

The NIH Grants Policy Statement (NIHGPS) calls for grantees to establish and maintain effective internal controls, in compliance with Federal statutes, regulations, and the terms and conditions of the award, and they are required to safeguard assets. Grantees are also responsible for ensuring the privacy and security of sensitive and confidential data. Those requirements include not storing personally identifiable, sensitive, and confidential information about NIH-supported research or research participants on portable electronic devices and implementing controls to prevent unauthorized access to sensitive and confidential data.

OIG found that NIH lacked an adequate pre-award risk assessment process because it did not consider cybersecurity and did not include a special term and condition addressing cybersecurity risk in its Notice of Award. Adequate policies were not in place because the NIHGPS does not include specific, risk-based provisions for considering or requiring cybersecurity. There was also inadequate post-award monitoring of grantees to ensure they were maintaining effective cybersecurity to protect sensitive data and NIH intellectual property.

OIG recommends improvements be made to the NIH grant program cybersecurity requirements, including assessments of its grant award programs to determine which grants should require additional cybersecurity protections due to the research including sensitive and confidential data or NIH intellectual property. Based on the NIH risk assessment of grant awards, funding opportunity announcements or grant terms and conditions should include the specific requirements for cybersecurity that must be implemented.

OIG said NIH should also strengthen its NIHGPS to include clear and measurable standards for cybersecurity, strengthen the pre-award process to identify and address how cybersecurity risk will be assessed, and ensure the post-award process confirms that appropriate cybersecurity protections have been implemented and that sensitive and confidential information is appropriately safeguarded.

NIH failed to indicate concurrence or nonconcurrence with the recommendations. NIH considers the five recommendations appropriately addressed through its existing NIHGPS requirements, best practice recommendations, and the planned addition of Data Management and Sharing (DMS) policy statements to the NIHGPS. However, OIG maintains that its recommendations are valid and has encouraged NIH to ensure they are implemented.

The post NIH Needs to Improve Cybersecurity Requirements for its Grant Program appeared first on HIPAA Journal.