
OIG: Gaps in CMS ERM Put Genomic Data Security at Risk

A new OIG report notes flaws in CMS ERM processes.


By Lisa Gentes-Hunt

A newly released report points out a flaw in CMS Enterprise Risk Management processes that leaves genomic data security at risk.

The Department of Health and Human Services Office of Inspector General’s July 8 report notes that CMS did not account for national security risks in its Enterprise Risk Management (ERM) processes, putting genomic data security at risk.

The Office of Inspector General (OIG) performed the audit at the request of Congress, following a previous OIG audit that “determined that national security risks were not adequately considered by the National Institutes of Health (NIH).”

“Specifically, we found that NIH did not consider the risk presented by foreign principal investigators when permitting access to United States genomic data,” the OIG report states.  

The report states that the audit found that CMS’ ERM processes “did not consider national security risks for any of CMS's programs in accordance with Federal requirements. CMS lacked policies and procedures that required its programs to consider national security threats because it relied on HHS's ERM process. As a result, CMS was unable to ensure that it had implemented effective controls to protect against threats from foreign and domestic adversaries.” 

The OIG recommends that CMS, “as part of its ERM program, implement a process to assess all of its programs for national security risks in accordance with OMB Circular No. A-123's requirement to include new or emerging risks in the risk profile.” 

In response to the OIG’s report, US Senator Marco Rubio (R-FL) issued a statement urging the Senate to pass the Genomics Data Security Act.

“It is ridiculous that our current policies enable the Chinese Communist Party to access Americans’ genomic data,” Rubio said in his statement. “There is absolutely no reason that Beijing, which routinely seeks to undermine U.S. national security, should be handed the genomic data of American citizens. We must take action to address these vulnerabilities, and that starts by passing my Genomics Data Security Act.” 

Rubio stated that he, along with Senator Chuck Grassley (R-IA), initially requested the OIG’s report in June of 2019. 

The senator’s Genomics Data Security Act, which he introduced in May 2021, would “address this issue by requiring CMS to list if the company conducting the Clinical Laboratory Improvement Amendments (CLIA) test has ties to the People’s Republic of China,” he noted in his statement. 

Rubio said the requirement would “force CMS to develop a process to obtain information on national security threats related to a company’s organizational structure.”