OIG Audit Findings of National Institutes of Health
The Department of Health and Human Services’ Office of Inspector General (OIG) has released a report on the findings of its audit of data access and data sharing at the National Institutes of Health (NIH).
The NIH is the main federal biomedical and public health research agency in America and one of the leading medical research centers worldwide. OIG conducted the audit to find out if NIH had implemented sufficient controls covering access to sensitive NIH information. OIG examined internal controls, supporting documentation, and policies and procedures, and interviewed NIH personnel.
Although NIH had implemented controls to limit access to sensitive information, OIG identified some areas where changes could be made to reinforce security. A number of recommendations were made, but NIH did not concur with the majority of OIG’s recommendations.
OIG suggested that NIH implement a security framework, perform a risk assessment, add further security controls to protect sensitive information, and begin working with a third-party organization that has expertise in the misuse of scientific information. NIH did not agree with those suggestions.
OIG likewise suggested that systems should be implemented to make sure that data security policies are kept up to date and reflect the fast-changing threat landscape, and that HIPAA training for employees and safety programs should be implemented. NIH agreed with the recommendation to keep its security policies up to date but would not be reporting on whether training and security plan requirements had been satisfied. NIH mentioned that it had previously organized a working team to address vulnerabilities to the confidentiality of intellectual property and ensure the integrity of its peer review processes.
OIG maintained that the findings of the audit and its recommendations were correct and legitimate, and suggested that if NIH decided not to take its recommendations on board, its decisions should be documented in keeping with Federal policies and guidance.