“An audit of the National Institutes of Health (NIH) conducted by the Department of Health and Human Services’ Office of Inspector General (OIG) has revealed technology control weaknesses in the NIH electronic medical records system and IT systems that placed the protected health information of patients at risk.”
“NIH received $5 million in congressional appropriations in FY 2019 to conduct oversight of NIH grant programs and operations. Congress wanted to ensure that cybersecurity controls had been put in place to protect sensitive data and determine whether NIH was in compliance with Federal regulations.”
“The audit was conducted on July 16, 2019 by CliftonLarsonAllen LLP (CLA) on behalf of OIG to determine the effectiveness of certain NIH information technology controls and to assess how NIH receives, processes, stores, and transmits Electronic Health Records (EHR) within its Clinical Research Information System (CRIS), which contained the EHRs of patients of the NIH Clinical Center…”
“CLA found NIH had implemented controls to ensure the confidentiality, integrity, and availability of health data contained in its EHR and information systems, but those measures were not working effectively. Consequently, data in its EHR system and information systems could potentially have been accessed by unauthorized individuals and data was at risk of impermissible disclosure, disruption, modification, and destruction.”
“The National Institute of Standards and Technology (NIST) recommends primary and alternate EHR processing sites should be geographically separated. The geographical separation reduces the risk of unintended interruptions and helps to ensure critical operations can be recovered when prolonged interruptions occur. OIG found the primary and alternate sites were located in adjacent buildings on the NIH campus. If a catastrophic event had occurred, there was a high risk of both sites being affected.”
“The hardware supporting the EHR system was either approaching end of life or was on extended support. Four servers were running a Windows operating system that Microsoft had stopped supporting in 2015…”
Source: IT Weaknesses at the National Institutes of Health Placed EHR Data at Risk – March 3, 2020. HIPAA Journal.