The National Institutes of Health’s (NIH) duties include researching infectious diseases and administering over $30 billion a year in research grants. NIH uses IT systems containing sensitive data to carry out its mission.
On December 7, the Government Accountability Office (GAO) released a public version of its June 2021 report on NIH cybersecurity, which had originally been marked limited official use. In the report, GAO notes that NIH has taken actions intended to safeguard the confidentiality, integrity, and availability of its systems. However, the watchdog also found many weaknesses.
GAO identified numerous control and program deficiencies in the core security functions related to identifying risk, protecting systems from threats and vulnerabilities, detecting and responding to cybersecurity events, and recovering system operations. GAO previously made 219 recommendations (66 on the security program and 153 related to system controls) to address these deficiencies. As of June 2021, NIH had made progress in resolving the deficiencies by implementing 25 (about 38 percent) of the 66 information security program recommendations and 37 (about 24 percent) of the 153 recommendations to address control deficiencies for selected systems.
NIH relies extensively on information systems for biomedical research, high-performance computing, facilities maintenance, intramural biosafety labs, and administration. The agency’s information systems also support research and training conducted at approximately 2,500 universities and medical centers. Given the growing cyber threat to medical facilities and research, it is vital that NIH have the strongest cyber defenses.
For fiscal year 2019, NIH’s total appropriation was $39 billion, of which it reported spending $1.15 billion on IT and $114.9 million (or about 10 percent of all IT spending) on information security. In addition to its appropriations, NIH received $15.9 million in information security funding from HHS and the Department of Homeland Security (DHS) in fiscal year 2019. For fiscal year 2020, NIH’s total appropriation was $41.8 billion, of which it reported spending $1.23 billion on IT and $145.9 million (or about 12 percent of all IT spending) on information security.
During its review, GAO found that NIH entities did not fully conduct risk assessments. For example, the entities did not fully determine the risk that threats may exploit vulnerabilities for any of the systems that GAO reviewed. Officials responsible for risk assessments provided different viewpoints on why they had not fully addressed the risk assessment steps. Officials at one entity stated that they were under the impression that their security assessment reports captured risk assessments. However, GAO found that the security assessment reports did not include a full assessment of risk. Officials from another NIH entity stated that their entity had not fully implemented its risk assessment process in accordance with agency guidance. For a third entity, officials stated that they were unsure why risk assessments were incomplete and added that, while they were working to improve their process, they previously did not have sufficient personnel to do so.
The public report also notes that while NIH implemented controls to protect its operating environment, it did not consistently implement access controls effectively, encrypt sensitive data, configure devices securely, apply patches in a timely manner, or ensure that staff with significant security responsibilities received role-based training.
GAO found that NIH took steps to implement strong password and authentication settings on its servers and devices. For example, NIH had implemented appropriate password settings on operating systems and applications. However, GAO also found that strong password management settings were absent from some NIH servers and devices. Such access weaknesses increase the risk of compromise and credential theft. Less restrictive authentication could also enable a variety of exploits by advanced persistent threats, including attackers gaining administrative privileges.
According to GAO, NIH used Federal Information Processing Standards (FIPS)-compliant encryption for some network devices and firewalls but did not effectively implement encryption controls in other areas. Officials provided various possible reasons that the agency did not fully implement encryption consistent with guidance. According to these officials, the primary reason the agency had not fully implemented encryption controls was that their implementation could cause problems with functionality or business needs. In addition, officials stated that there may have been operational constraints or conflicts due to the complexity and scale of NIH’s federated environment.
GAO’s review found that NIH had a plan in place to provide role-based training annually to the majority of personnel with significant security responsibilities. However, the agency did not ensure that training was completed consistent with agency guidance. Specifically, NIH role-based training records indicated that 549 of 2,135 personnel from the four selected entities had not completed training within the frequency defined in agency policy. According to agency officials, personnel did not meet role-based training requirements because the agency had not fully automated its training records to identify and track individuals who required training.
The watchdog found that shortcomings also existed in NIH’s collection, analysis, and documentation of information system security incidents. For example, among the 10 security incidents NIH considered most significant from January 2018 to February 2019, NIH failed to collect and analyze data that may have been related to two of the incidents before the affected systems were remediated and reimaged, resulting in the loss of data and artifacts. In addition, the agency did not document key analysis for an incident that impacted 102 user workstations across 22 institutes. Instead, the documentation focused on recovery and remediation efforts.
However, GAO praised NIH for reducing some risk within various control areas. Specifically, these efforts included protecting network boundaries, restricting privileged access, limiting unauthorized disclosure, and preventing data compromise. These areas were highlighted in GAO’s June 2021 report as being particularly vulnerable.