NIH’s core security functions remain deficient
The Government Accountability Office (GAO) issued a report on Tuesday stating that the core security functions of the National Institutes of Health (NIH) had many security control and program deficiencies. The GAO published 219 recommendations for the NIH to improve its cybersecurity posture. According to the report, the risks pertained to identifying risk, protecting systems from threats and vulnerabilities, detecting and responding to cybersecurity events, and recovering system operations. As of June 2021, NIH had fully implemented one third of these recommendations, and half had been partially implemented.
Eleven systems were selected as part of the review. The GAO report determined that security program and system control deficiencies placed the selected NIH information systems at risk and increased the risk that sensitive research and health-related information could be disclosed in an unauthorized manner. Of the 219 recommendations noted above, 66 were related to the security program and 153 were related to system controls. NIH had implemented 25 of those 66 and 37 of the remaining 153 across the 11 systems selected.
NIH responded to this report in a letter saying “NIH will continue to work with GAO to provide evidence of the actions it has taken to implement recommendations and to keep them updated as the remaining recommendations are completed. We do not anticipate any issues with reaching closure on these matters.”
More information can be found at: https://www.fedscoop.com/nihs-core-security-functions-remain-deficient/