The National Institutes of Health (NIH) is working through a long list of network security fixes recommended by the Government Accountability Office (GAO) earlier this year, but does not expect to finish addressing all of them until the end of 2022.
That is the top-line news from a new report from GAO that found numerous control and program deficiencies in NIH's core security functions.
In June 2021, GAO was asked to evaluate cybersecurity at NIH, and following that the government watchdog agency made 219 recommendations – 66 regarding security programs and 153 related to system controls – to address deficiencies.
Amongst its numerous tasks, NIH is responsible for conducting research on the prevention of infectious diseases such as COVID-19, administering over $30 billion annually in medical research grants, and supporting research on pathogens. To successfully carry out its mission, “NIH relies extensively on information technology systems to receive, process, and maintain sensitive data. Accordingly, effective information security controls are essential to ensure the confidentiality, integrity, and availability of the agency’s systems,” the GAO report says.
“These deficiencies increased the risk that sensitive research and health-related information could be disclosed or disrupted,” the public report states.
At the moment, the NIH has resolved or implemented 25 of the 66 information security program recommendations, and 37 of the 153 recommendations to address control deficiencies for selected systems. Among those, the agency implemented information security controls intended to safeguard its information systems and information confidentiality, integrity, and availability, GAO said.
However, the agency still has a long way to go, according to GAO.
GAO found numerous deficiencies in core security functions related to identifying risk, protecting systems from threats and vulnerabilities, detecting and responding to cybersecurity events, and recovering system operations. NIH has not fully implemented fixes for a host of recommendations, including identifying cyber threats, developing a risk management strategy, and developing complete system security plans.
“Until NIH takes additional steps to ensure that contingency plans are developed, tested, and annually reviewed for all information systems, the agency is at risk that it may not be able to recover mission essential functions or ensure recovery activities are effective,” GAO said. “In not establishing and documenting alternate processing sites, NIH is at increased risk of disruption to mission essential functions,” the report says.
In a response letter to the GAO, NIH stated it expects to close more than 93 percent of the recommendations by June 2022, and all of them by December 2022.