In This Month’s E-News: November 2022

By Theresa Defino

NIH is unable to “ensure grants have appropriate cybersecurity provisions” and should make nearly a half-dozen changes, according to auditors for the HHS Office of Inspector General (OIG). Yet, NIH said it had already made the recommended improvements—an assertion auditors disputed. CliftonLarsonAllen LLP “reviewed NIH’s policies and procedures to determine if NIH includes cybersecurity provisions as part of the pre-award risk assessment process and to determine the extent of current cybersecurity requirements.” Auditors also “reviewed a sample of 75 grants to determine if risk-based cybersecurity provisions were included for the grants” and “completed a review of 3 grantees to determine if post-award monitoring of grantee cybersecurity compliance by NIH was taking place.” Auditors found NIH has “an inadequate pre-award risk assessment process because it does not consider cybersecurity and has no special term and condition addressing cybersecurity risk in the Notice of Award,” and also has “inadequate policies because the NIH Grants Policy Statement [NIHGPS] does not include specific, risk-based provisions on cybersecurity.” The agency also lacks “post-award monitoring to ensure grantees maintain effective cybersecurity,” according to the report.

Auditors said NIH “relies solely on its grantees to design, implement, maintain, and monitor the effectiveness of their cybersecurity controls in protecting the confidentiality, integrity, and availability of data. As a result, NIH may not be able to identify potential problems with protecting sensitive and confidential data (e.g., proprietary information, personal health information, personally identifiable information, detailed genomic data from human subjects) and NIH’s intellectual property. Without identifying those potential problems, NIH may not be able to provide timely technical assistance.” Among the recommendations are that NIH should “determine which grants should require additional cybersecurity protections due to research potentially including sensitive and confidential data or NIH intellectual property or both” and what those controls should be; “establish clear and measurable standards for cybersecurity protections”; and “strengthen its post-award process to confirm that cybersecurity protections have been implemented to adequately safeguard sensitive and confidential data.” However, auditors wrote that NIH “considers the five recommendations closed and implemented. Based on our review of NIH’s comments, we determined that the actions described do not sufficiently address the identified cybersecurity risks,” the report states. “As such, we maintain that our findings and recommendations are accurate and valid. We encourage NIH to implement our recommendations to enhance cybersecurity controls over its grant program.” (10/20/22)

In a little more than a month after her appointment was announced, Renee Wegrzyn was sworn in by HHS Secretary Xavier Becerra as the first director of the Advanced Research Projects Agency for Health (ARPA-H). “Throughout my career, my motivation has always been focused on ‘How do we create health solutions that can be implemented in the real world?’ And that’s what ARPA-H aims to do,” Wegrzyn said in a statement HHS issued Oct. 18. “My hope is not to nudge the needle on health, but to create an agency that sparks transformational solutions to improve the health of all Americans.” Before joining ARPA-H, Wegrzyn held positions at Ginkgo Bioworks “focused on applying synthetic biology to outpace infectious diseases—including COVID-19—through biomanufacturing, vaccine innovation, and biosurveillance of pathogens,” the statement said. Wegrzyn also “comes to the new agency with experience at two of the institutions that inspired the creation of ARPA-H,” the Defense Advanced Research Projects Agency (DARPA) and the Intelligence Advanced Research Projects Activity. “While serving as a program manager at DARPA, Wegrzyn’s portfolio tackled infectious disease, protecting the bioeconomy, and enhancing biosecurity. She has also led technical teams in the private sector in the areas of biosecurity, gene therapies, emerging infectious disease, neuromodulation, synthetic biology, and other areas,” HHS said. (10/20/22)

This document is only available to subscribers. Please log in or purchase access.
Purchase Login


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings