NIH Grant Program Needs Upgraded Cybersecurity Requirements

The National Institutes of Health (NIH) did not have sufficient cybersecurity requirements in place to protect sensitive information in its pre-award risk assessment process, according to a recent review performed by the HHS Office of Inspector General (OIG).

NIH spends over $30 billion annually on medical research for the American people, with over 80% of the funds awarded through roughly 50,000 competitive grants to research organizations in the United States and worldwide. Security controls and data protection measures for government-funded research initiatives are of great importance to HHS and the Federal government. OIG engaged CliftonLarsonAllen LLP (CLA) to perform a review to determine whether NIH had sufficient requirements to ensure that grant awards include risk-based cybersecurity terms to protect NIH's sensitive and confidential information and intellectual property.

As a grant-making agency, NIH must comply with 45 CFR Part 75, the uniform administrative requirements in Federal regulations, and the Department's Grants Policy Administration Manual (GPAM). Under 45 CFR Part 75, NIH must evaluate the risks posed by applicants, and NIH may impose special conditions on grant recipients in proportion to the degree of risk associated with making the award.

The NIH Grants Policy Statement (NIHGPS) requires grantees

  • to establish and maintain effective internal controls
  • to comply with Federal statutes, regulations, and the terms of the award
  • to safeguard assets

Grantees are additionally responsible for protecting the privacy and security of sensitive information. Those requirements include not storing personally identifiable, sensitive, or confidential information about NIH-supported research or research participants on portable electronic devices, and employing controls to prevent unauthorized access to sensitive information.

OIG found that the pre-award risk assessment process was deficient because

  • NIH did not consider cybersecurity, and had no special term and condition addressing cybersecurity threats in its Notice of Award
  • there were no sufficient policies, because the NIHGPS does not include specific, risk-based provisions for considering or requiring cybersecurity
  • there was insufficient post-award monitoring of grantees to ensure they have effective cybersecurity to safeguard sensitive information and NIH intellectual property

OIG recommends improvements to the cybersecurity requirements of the NIH grant program, such as reviewing which of its grant award programs should require additional cybersecurity protections because they handle sensitive and confidential information or NIH intellectual property. Based on NIH's risk assessment of grant awards, funding opportunity announcements or grant agreements should include specific requirements to implement cybersecurity.

OIG also stated that NIH should strengthen its NIHGPS to include clear and measurable criteria for cybersecurity. The pre-award process should be strengthened to identify and address cybersecurity risk, and the post-award process should confirm that appropriate cybersecurity measures are in place and that sensitive and confidential data are adequately protected.

NIH neither concurred nor non-concurred with the recommendations. NIH believes that the five recommendations are already addressed sufficiently by its current NIHGPS requirements, best practice guidance, and the planned inclusion of Data Management and Sharing (DMS) policy statements in the NIHGPS. Nonetheless, OIG maintains that its recommendations are valid and has urged NIH to ensure they are implemented.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism.