The National Institutes of Health Needs to Improve the Cybersecurity of the All of Us Research Program to Protect Participant Data

Issued on  | Posted on  | Report number: A-18-24-06111

Why OIG Did This Audit

  • The goal of NIH’s All of Us Research Program is to advance disease prevention and treatment by making personal health information provided by more than 1 million volunteer participants available for research.
  • The Data and Research Center (DRC) houses the participant data and is managed by an NIH award recipient. This audit examined whether NIH ensured that the DRC award recipient: (1) adequately limited access to research data, (2) implemented required information security and privacy controls, and (3) remediated information security and privacy weaknesses in accordance with Federal requirements.
  • It is crucial for NIH to protect research participants’ personal health data from cybersecurity and national security threats.

What OIG Found

The DRC award recipient implemented some cybersecurity controls to protect participant data; however, NIH did not:

  • ensure that the DRC award recipient limited the access of authorized data users to program data in accordance with program policies,
  • communicate national security concerns associated with maintaining genomic data to the DRC award recipient, so that it could choose the appropriate cybersecurity and privacy controls for its information systems, and
  • ensure that security and privacy weaknesses were remediated within federally required timeframes.

What OIG Recommends

We made five recommendations to NIH to improve its oversight of the All of Us Research Program’s DRC, including that NIH require the DRC award recipient to implement access controls to limit access to information systems and detailed participant data, and to reevaluate its security categorizations. The full recommendations are in the report.

NIH concurred with all five of our recommendations.

25-A-18-127.01 to NIH - Open Unimplemented
Update expected on 03/28/2026
We recommend that NIH require the DRC awardee to implement access controls to prevent DRC and DRC-RW information systems users from accessing the systems while abroad without verified approval.

25-A-18-127.02 to NIH - Open Unimplemented
Update expected on 03/28/2026
We recommend that NIH require the DRC awardee to identify and implement a control or compensating control to prevent the downloading of detailed participant data, as required by the All of Us Data Use Policies.

25-A-18-127.03 to NIH - Open Unimplemented
Update expected on 03/28/2026
We recommend that NIH formally communicate national security concerns related to maintaining genomic data to All of Us award recipients that use or maintain genomic data and require the implementation of the IT security and privacy controls to protect the storage, transmission, and processing of such data.

25-A-18-127.04 to NIH - Open Unimplemented
Update expected on 03/28/2026
We recommend that NIH require the DRC awardee to reevaluate the security categorization for the DRC and DRC-RW information systems considering the national security concerns of maintaining genomic data.

25-A-18-127.05 to NIH - Open Unimplemented
Update expected on 03/28/2026
We recommend that NIH require the DRC awardee to update the remediation timeframe in its system security plans to comply with the timeframes specified in its award agreement with NIH.
