OIG Finds NIH Health Grant Program Needs Stricter Cybersecurity Controls

September 28, 2022 - In a recent audit, The HHS Office of Inspector General (OIG) found that the National Institutes of Health (NIH) had not implemented adequate requirements to ensure that its grant awards had risk-based cybersecurity protections in place to protect sensitive data.

“National Institutes of Health (NIH) invests more than $30 billion annually in medical research for the American people. More than 80 percent of NIH’s funding is awarded through almost 50,000 competitive grants to various research institutions in all 50 states and around the world,” the report stated.

“Thus, the data safeguards and security controls protecting federally funded research efforts are of significant importance to both HHS and the Federal government.”

CliftonLarsonAllen LLP (CLA) conducted the audit on behalf of OIG. CLA interviewed NIH officials, tested the institute’s cybersecurity provision adequacy, monitoring, and enforcement, and reviewed grantee cybersecurity controls.

Background

Since NIH is a grant-making organization, it is required to comply with federal requirements to ensure that its data is protected throughout the grant-making process.

“Federal grantees must establish and maintain effective internal controls to provide reasonable assurance that the grantee is managing the award in compliance with Federal laws and policies, as well as the terms and conditions of the award,” the report stated.

HHS’ Grants Policy Administration Manual (GPAM) requires NIH and other HHS agencies that award grant funds to impose special conditions on the grantee that correspond with the risks associated with the award.

In addition, the current NIH Grants Policy Statement (NIHGPS) contains general statements about data security and requires grantees to not store NIH-supported research on portable electronic devices and to limit access through password protection and proper access controls.

Recommendations and NIH Response

In its analysis of the GPAM, NIHGPS, and other policies, CLA’s findings suggested a lack of cybersecurity considerations by the NIH. For example, CLA discovered that NIH “did not have an adequate pre-award risk assessment process because it does not consider cybersecurity and does not include a special term and condition addressing cybersecurity risk in the Notice of Award.”

Essentially, the current version of the NIHGPS, from CLA’s point of view, is inadequate in ensuring that NIH is aware of cybersecurity weaknesses due to a lack of monitoring and pre- and post-award assessments. The grantees themselves are responsible for implementing and maintaining secure data.

The audit said that the NIHGPS was too generic in its cybersecurity provisions. In some cases, cybersecurity was not considered at all.

CLA recommended that NIH require additional cybersecurity protections from the start by including cybersecurity considerations in funding opportunity announcements or grant terms. CLA also suggested that NIH strengthen the NIHGPS and its pre- and post-award processes to determine that cybersecurity safeguards have been implemented.

Despite these recommendations, NIH’s response “did not indicate concurrence or nonconcurrence” with them.

“NIH considers the five recommendations closed and implemented through existing NIHGPS requirements, published best practice recommendations, and published the planned addition of Data Management and Sharing (DMS) policy statements to the NIHGPS,” the report noted.

“Based on our review of NIH’s comments, we determined that the actions described do not sufficiently address the identified cybersecurity risks. As such, we maintain that our findings and recommendations are accurate and valid. We encourage NIH to implement our recommendations to enhance cybersecurity controls over its grant program.”