The Clinical Center at the National Institutes of Health (NIH), which holds tens of thousands of sensitive patient records, needs to develop a secure data backup site, according to a report from the Office of Inspector General (OIG) at the Department of Health and Human Services (HHS).
NIH has awarded $30 billion for medical research and has a hospital on its Bethesda, Md., campus dedicated to clinical research. The hospital – the Clinical Center at the National Institutes of Health – had nearly 100,000 patient visits in 2018.
According to the OIG, electronic health records (EHR) from patient visits to the center are kept in the Clinical Research Information System, which did not have a secure backup location at the time of the audit, conducted during March-July 2019.
According to the National Institute of Standards and Technology (NIST), data storage centers should not be geographically adjacent to each other. The idea is that if one site is at risk, the other will be more difficult to compromise because it is at a separate location. Both of NIH’s data processing sites are located on the NIH campus and, according to the report, are not geographically distinct.
“The data and the IT security controls protecting the data are of significant importance to both HHS and the Federal government,” the report reads. NIH said in the OIG report it would continue implementing the recommendation to find a secure backup site for its data.
In addition, at the time of the audit the Clinical Research Information System operated on servers that were nearing the end of their support life cycle, and 19 of 26 inactive users of the system had still not been deactivated a year later. Both problems have been rectified since the time of the audit, according to NIH documentation provided to the auditors.