The Office of Inspector General (OIG) found cybersecurity gaps in the National Institutes of Health's (NIH's) All of Us precision medicine project that could expose personally identifiable information, including personal health information of the All of Us participants, and allow access to the data.
Because most of the vulnerabilities did not require significant technical knowledge to exploit, an attacker with limited skills could have compromised the participant-facing IT systems, according to an OIG report.
During the audit, which began in August 2017 and wrapped up this past February, NIH addressed and remediated all of the vulnerabilities identified, OIG said in a summary of the report.
The All of Us research program is responsible for building a national research cohort of more than 1 million participants who will provide their personal health information to the NIH so researchers, providers, and patients can work together. As of April 2, more than 209,000 individuals had registered for All of Us, and of those, more than 126,000 had completed all steps in the protocol to contribute their data.
Ensuring that participant data are securely maintained is paramount to retaining the participants' trust and participation in the project, OIG said in its report.
Through cooperative agreements, NIH established four components of All of Us: the biobank, the data and research center, the participant technology systems center and the participant center.
OIG reviewed IT system security controls at the participant technology systems center, managed by healthcare technology company Vibrent Health as part of its contract with NIH, and the data and research center, managed by Vanderbilt University Medical Center.
When people enroll in the All of Us project, either at a participating healthcare provider or on their own, they submit their data via either a smartphone app or the All of Us website, developed by Vibrent Health. That platform also supports ongoing testing and upgrades to improve the user experience, implements innovative participant tools and ensures the security of these participant-facing systems, according to OIG.
Participants submit data such as answers to questionnaires and surveys, electronic health records (EHRs), physical measurements and biospecimens and passive mobile and digital health data.
The data and research center acquires, organizes and provides secure access to what will be one of the world’s largest and most diverse data sets for precision medicine research. That center, managed by Vanderbilt, also provides support for a platform through which individuals may access and analyze All of Us data.
All of the organizations contracted to work on the All of Us project are required to follow a security framework based on the National Institute of Standards and Technology framework, as outlined in the cooperative agreements, OIG said.
OIG wanted to determine whether NIH ensured that the two organizations managing the research data had adequate controls to protect participants’ sensitive data. The inspector general specifically looked at security plans, access controls, information protection and system maintenance, audit logging, data and physical security, incident response and disaster recovery.
The OIG determined Vibrent Health did not have adequate controls to protect All of Us research program participants’ sensitive data. Specifically, through penetration testing on Vibrent's internal and external networks and on the mobile app used to enroll participants, OIG identified 13 vulnerabilities, two classified as "high," that could have exposed the All of Us participants’ personally identifiable information, including their personal health information, and allowed unauthorized users to alter the participants’ data.
Many of the vulnerabilities were a result of server misconfigurations and design oversights when building the web application. Because of the nature of the vulnerabilities identified, an attacker with limited technical knowledge could exploit and compromise the systems, OIG said.
Overall, the tests resulted in access to critical and moderate systems and the potential to access sensitive data or negatively affect systems.
The inspector general also identified several other issues at the participant technology systems center that could affect the security of participants' data, such as not enabling encryption in its cloud data store and lacking policies and procedures for remediating source-code vulnerabilities and for disabling network access in a timely manner. Vibrent Health also did not adequately scan its network for vulnerabilities, according to the report.
Vanderbilt, on the other hand, has solid cybersecurity practices in place, including routine assessments and monitoring of security controls, according to the inspector general, as researchers did not find any vulnerabilities at the data and research center.
In a letter to OIG sent in April addressing the report, NIH Director Francis Collins, M.D., noted that the OIG's audit of the All of Us research program took place in August 2017, and the penetration testing in October 2017, prior to the opening of the program to broad enrollment. During this time, the program was engaged in a robust beta testing phase, the purpose of which was to uncover any potential vulnerabilities, Collins said.
The NIH's All of Us program also engaged with HackerOne for "real world" security vulnerability testing in April 2018 before the national launch, Collins said. HackerOne found 34 security flaws, all of which have been corrected and many before the program's nationwide rollout, he said.
Collins also said OIG discovered the vulnerabilities from inside the data center's firewall under a "grey-box" framework, a testing approach in which the testers are given partial knowledge of, or access to, the system under test.
"The security of our participant data is of paramount importance to the All of Us Research Program," Collins said.
The inspector general is recommending that NIH revise its All of Us cooperative agreements with security and privacy requirements to include a detailed description of how NIH will monitor cybersecurity and ensure future contractors adequately implement security controls to protect sensitive data.
Collins said NIH is reviewing its security and privacy terms and conditions in the applicable All of Us research program contracts and will make any necessary updates to ensure robust security of participant data.