The Department of Health and Human Services Office of Inspector General, or OIG, has issued a report calling on the National Institutes of Health to strengthen the cybersecurity of its All of Us Research Program to protect participants’ personal health data from cyber and national security threats.
Join top government and industry experts at the Potomac Officers Club’s 2025 Healthcare Summit on Feb. 12 (rescheduled due to the shutdown) to explore the latest in healthcare technology, citizen user experience and innovative solutions transforming federal healthcare. Secure your spot today for this premier GovCon networking event!
In an audit report posted Friday, OIG said the All of Us Research Program aims to improve disease prevention and treatment by providing researchers access to personal health information from over 1 million volunteer participants.
An NIH award recipient oversees the Data and Research Center, or DRC, which stores the participant data.
The OIG audit found that although the DRC award recipient implemented some cybersecurity controls, NIH did not ensure that authorized users’ access to program data was limited as required by program policies.
What Are OIG’s Recommendations for NIH to Improve Cybersecurity?
OIG issued five recommendations for NIH to improve its oversight of the program’s DRC. One of the recommendations is requiring the DRC awardee to implement controls that prevent users from accessing the system from outside the U.S. without verified approval.
According to the report, NIH should ensure the DRC prevents the downloading of detailed participant data in accordance with the program’s data use policies.
Other recommendations in the report are that NIH formally communicate national security concerns about maintaining genomic data to All of Us award recipients; require the DRC awardee to reassess the security categorization for the DRC and DRC-RW information systems in light of national security concerns; and update the remediation timeframe in its system security plans to meet the deadlines in its award agreement with NIH.
