As of April, 209,000 Americans have volunteered to provide their personal health data for the National Institutes of Health (NIH) All of Us Research Program to build a national research cohort of over 1 million participants that will help drive the Precision Medicine Initiative. But those participants may have placed their data at risk.
While All of Us continues to grow and collect personal information of participants, the Health and Human Services Office of Inspector General (OIG) conducted an audit and revealed in a recent report that one of the two awardees NIH chose to safeguard participant data had inadequate controls to provide those protections.
NIH issued its Data and Research Center award to Vanderbilt University Medical Center, where OIG found no security problems.
The other award, the Participant Technology Systems Center (PTSC), went to Vibrent Health, and OIG found several inadequacies with its security controls for protecting All of Us participants’ data, such as their personally identifiable information (PII).
“Through our penetration testing at Vibrent, we identified vulnerabilities that could have exposed the All of Us participants’ PII, including personal information, and allowed unauthorized users to alter the participants’ data,” OIG stated. “These vulnerabilities could have allowed an attacker with limited technical knowledge to exploit and compromise the PTSC’s systems, as most of the vulnerabilities did not require significant technical knowledge to exploit.”
NIH had not previously found these vulnerabilities because it did not properly monitor PTSC to ensure it had necessary cybersecurity controls to protect participant data, OIG added.
OIG also found that the center failed to:
- Enable encryption in its 22 private S3 buckets in the cloud;
- Have policies and procedures to address remediating source code vulnerabilities and promptly disabling network access; and
- Maintain proper network vulnerability scanning.
NIH agreed with OIG’s findings and said that PTSC has “remediated the vulnerabilities” OIG identified. Moving forward, OIG further recommended that NIH revise its All of Us cooperative agreements to ensure more secure data protection.
“We recommend that NIH revise its All of Us Cooperative Agreements and cooperative agreements with security and privacy requirements to include a detailed description of how NIH will monitor cybersecurity and ensure that future awardees adequately implement security controls to protect sensitive data,” OIG said.