The National Institutes of Health should strengthen the information-security controls it has in place for sharing access to sensitive data, according to a report from the HHS' Office of Inspector General.
The OIG reviewed NIH's internal controls for monitoring and permitting access to sensitive data to assess whether the agency had adequate information-security practices in place. The OIG also reviewed the NIH's policies and procedures, and interviewed the agency's staff.
As a result of its review, the OIG identified risks related to data sharing at the NIH. The OIG detailed these findings in a restricted report to the NIH. The draft report the OIG released to the public does not include this information.
"We recommend that NIH work with an organization with expertise and knowledge in scientific data misuse," the OIG wrote in its public report. "NIH could strengthen its controls by developing a security framework, conducting a risk assessment and implementing additional appropriate security controls designed to safeguard sensitive data."
The NIH agreed with some of the OIG's recommendations, such as its suggestion to develop mechanisms to ensure the agency's data security policies keep current with emerging threats, as well as to make security awareness training and security plans a requirement. However, the NIH did not agree with the OIG's recommendation to add controls to ensure this training and security plan requirement is fulfilled.
Additionally, the NIH did not agree with the OIG's recommendation to develop a security framework, conduct a risk assessment and implement additional controls for sensitive data. The NIH emphasized that it had recently established a working group to address and mitigate risk to intellectual property, according to the report.
"We maintain that our findings and recommendations are valid," the OIG wrote. "We recognize that NIH reported that it is already taking certain actions, such as the working group that was recently established, that may address our recommendations."
To read the OIG's draft report, click here.