Vibrent, one of NIH's data management contractors for the All of Us genomic and other health data research program, was found by OIG to have a number of holes in its data security infrastructure and policies, ranging from failure to encrypt its AWS servers to failure to adhere to FISMA (federal IT security) standards more broadly. OIG also found that NIH fell down on the job by not monitoring its contractor more closely. The findings have since been remediated, but this is still a black eye for a program intended to build public confidence in government collection and analysis of sensitive medical and genomic data as it seeks to enroll one million Americans.
What can NIH, or any entity responsible for handling sensitive medical, genomic or other personal data, do to discharge its responsibilities more adequately?
As regular readers of HealthBlawg are already rehearsing silently, it's all about infusing a compliance mindset into organizational culture. That mindset, combined with practical tools and the empowerment of personnel, then manifests itself in comprehensive data privacy and security policies and procedures; role-appropriate training and testing of personnel; compliance review of subcontractor organizations, personnel and technical infrastructure before engagement; regular audits of subcontractors' activities and deliverables from a data security perspective; and more. Many of these ideas are spelled out in the federal standards applicable to this procurement, but somehow they didn't make it to the front lines.
The All of Us program has taken long enough to get off the ground, and is taking baby steps towards its enrollment goals. Here’s hoping that this misstep does not squander the momentum the program has built to date.