FROM:  Mike Lauer, NIH Deputy Director for Extramural Research

October is National Cybersecurity Awareness Month. In recognition, we are reminding our extramural research community about the importance of prioritizing cybersafety across all functions of your organization and understanding how important it is to practice cyber-safe behaviors every day. As we have discussed in previous posts here and here, our current virtual environment makes it more important than ever that we stay vigilant and maintain strong cybersecurity protocols.

In this post, we would like to remind you of some of the important cybersecurity policies that apply to your NIH-supported research. These policies are designed to protect not only the NIH, but also you, your coworkers, your study participants, your institution, and your research. As healthcare and research institutions continue to face mounting threats from cyberattacks, it’s important that we all not only know how to protect sensitive information, but also make a personal commitment to keeping data safe.

When institutions like yours accept NIH awards, you also accept responsibility for protecting sensitive and confidential data as part of proper stewardship of federally funded research [Section 2.3.12 of the NIH Grants Policy Statement (GPS)]. This means, in part, that:

• You must not house sensitive and confidential information about NIH-supported work on portable electronic devices.
• Data must be encrypted.
• Your institution must use proper controls to limit access to personally identifiable information.
• You and your institution should only transmit data when the security of the systems on the other side is known.
• You must take all reasonable efforts to prevent sensitive personal information, such as that held within online systems at your home institution, from being inadvertently lost, released, or disclosed.

For awardees who collect, store, process, transmit, or use federal data, you must also make sure your information systems are protected from unauthorized access as required by the Federal IT Security and Management Act (FISMA) (see NIH GPS Section 4.1.9).

While it may be annoying to change your electronic Research Administration (eRA) password every 120 days, doing so is an important FISMA-required part of our security protocol that protects the sensitive information of hundreds of thousands of NIH-funded projects and NIH applications. Additionally, it is absolutely prohibited to share system passwords, no matter how much we may want to do so. As an alternative to password sharing, eRA offers capabilities allowing you to delegate access to others. With the notable exception about peer review responsibilities which cannot be delegated to anyone, the eRA capabilities do allow others to maintain your personal profile, prepare progress reports, maintain trainee information, work on financial conflict of interest information, and more. We urge you to make use of this functionality instead of sharing your password.

Despite our best efforts, cybersecurity breaches can happen. If you or your institution experiences an incident or breach, immediately report it to the NIH grants management specialist identified on your award and provide a copy of the report to your program official (Section 8.1). Once a report is made, we at the NIH can work with you to ensure that your research is protected.

Cybersecurity risks in biomedical research are continually evolving, threatening the integrity of our science and the public’s trust in our findings. It’s up to each one of us to mitigate these risks by staying vigilant, working together, and following the policies that are in place to protect our people and our science.