NIH grant program lacks adequate cybersecurity policies, inspector general says

An audit of the National Institutes of Health grant program revealed a number of cybersecurity risks and a lack of adequate policies to ensure grantees were adhering to risk-based protocols.

The current NIH Grants Policy Statement (NIHGPS) cybersecurity provisions themselves are “generic and do not establish clear and measurable standards for implementing safeguards proportionate to the assessed level of cybersecurity risk during the pre-award process, and cybersecurity is not part of the scope of current post-award process for grants described in the NIHGPS.”

As it stands, NIH is relying solely on its grantees to design, implement, maintain, and monitor the effectiveness of their own cybersecurity controls in protecting the confidentiality of the data. Because of this, OIG warns that NIH may not be able to identify potential gaps in protecting the data or even personal health information.

The Department of Health and Human Services Office of the Inspector General made five detailed recommendations to bring the program up to a more effective security standard. However, NIH didn’t indicate whether it concurred with the recommendations and instead marked the recommendations…
