OIG Finds NIH Security Practices Potentially Put EHR Data at Risk

March 02, 2020 - The security policies and practices around the electronic health system of the National Institutes of Health may have potentially put the security, confidentiality, integrity, and availability of its data at risk, according to a Department of Health and Human Services’ Office of Inspector General audit.

OIG performed an audit of NIH, as it received $5 million in congressional appropriations for fiscal year 2019 to conduct oversight of the NIH grant programs and operations. Cybersecurity protections and NIH compliance with federal requirements was a key area of interest.

Notably, Sen. Chuck Grassley, R-Iowa, has repeatedly cracked down on NIH for its oft lax security controls. Just one year ago, OIG found risks in the ways NIH shares its sensitive data, including its access controls. A later audit found flaws the data and network security of several HHS’ agencies, including NIH.

Given the Clinical Research Information System (CRIS) at NIH contains EHR data for patients of the NIH Clinical Center, its data and security controls are crucial to both HHS and the government overall. OIG contracted with CliftonLarsonAllen to audit those controls and determine if the NIH EHR had effective IT controls.

Further, they sought to understand how patient records are received, processed, stored, and transmitted into the EHR. Officials said they reviewed the agency policies and procedures, tested security controls, inspected the NIH public websites, and conducted interviews.

OIG found that while NIH did have some controls in place to secure its EHR data and information systems, its actual policies and practices weren’t “operating effectively to preserve the security, confidentiality, integrity, and availability of NIH's EHR information and information systems, resulting in potential risks of unauthorized access, use, disclosure, disruption, modification, or destruction.”

The crux of the issues was found in three keys areas. First, the primary and alternate processing sites were not geographically distinct, located adjacent to each other on the NIH campus, which is required by NIST standards under the Federal Information Security Modernization Act (FISMA).

“[Per NIST], organizations must have a process in place to minimize the risk of unintended interruptions and to recover critical operations when prolonged interruptions occur,” according to the report. “Alternate processing sites provide a location for an organization to resume system operations when a catastrophic event disables or destroys the system’s primary processing site.”

“If an agency has an alternative processing site that is subject to the same event(s) as its primary site, a risk assessment is required,” it continued. “NIH cited budgetary constraints as one of several reasons why it has not been able to secure funding for a NIST-compliant alternate processing site.”

In response, NIH indicated they’ve taken steps to mitigate the risk posed by this issues, including procuring servers to restore data from backups stored at a third-party vendor. A potential new site was found during the audit, but it was not sufficiently separated from the primary site.

“As a result, the hospital may not have an alternative means to access EHR data because one threat could halt processing at both sites. This would not only adversely affect patient care, but also present profound implications for patient harm,” the report found.

The audit also found the four servers that support the EHR were still operating although they were nearing the end-of-life on extended support. In fact, Microsoft stopped providing mainstream support for the software in 2015, with extended service ending in January 2020.

As a result, the report showed that these systems could be susceptible to vulnerabilities and exploitation. NIH also did not have an effective transition plan for these systems. But after the audit concluded, the agency upgraded those servers to vendor-supported versions, with mainstream support of those products until 2023.

Lastly, OIG found that NIH did not deactivate terminated user and inactive accounts in a timely manner. There were 26 user accounts that had been inactive for more than a year, and 19 accounts remained active without being deactivated. Further, nine of 61 terminated user accounts were still active.

And three out of 25 sampled new EHR users had changes to their account privileges, without a form to justify and document those changes. Those issues were address in NIH’s security policies, but its new automated access management tool was found to be not operating as designed.

“For example, the automated tool does not properly track an employee’s transfer between departments at NIH, which may inform whether system access should be revoked or deactivated,” the report read. “NIH management continues to work on improving the tool.”

“If system access is not revoked or deactivated in a timely manner for persons who no longer require access, NIH’s EHR data and resources may be exposed to unauthorized access and misuse,” it continued. “Inactive accounts that are not disabled when employees separate from NIH may be used to gain access to NIH data and sensitive information.”

And any unauthorized changes to user access levels can give those users access to resources they don’t need or require to do their jobs, which increases the risk of unauthorized use to EHR data.

Officials explained the weaknesses were allow as NIH located the alternative processing site at the same location as its main site and delated software updates until completing its system upgrades. And NIH failed to fully implement an automated tool meant to ensure timely deactivation of inactive accounts.

The audit team recommended NIH complete the NIST requirements for implementing a “reasonable and viable option” for its alternative processing site, which includes identifying, documenting, and implementing actions to mitigate the risks of using its existing alternative site based on the result of its risk assessment until they’ve established a compliant alternative site.

Further, the auditors also recommended NIH implement policies and procedures to ensure all software is upgraded and replaced before reaching end-of-life support. Officials also recommended the agency “ensure the automated CRIS User Account Management tool is operating so that all changes to user privileges are authorized, properly documented, and inactive accounts are deactivated.”

The preliminary findings were shared with NIH before the draft report was issued, and officials said NIH concurred with all of the recommendations. NIH has already implemented some of the recommendations and described actions it has taken or plans to take to address the findings.

The auditors determined the recommendations around access controls and software updates were implemented by NIH and recommended those findings be closed.