Statement on Data Security from the All of Us Research Program

June 14, 2019

The All of Us Research Program takes the trust our participants place in us very seriously. The information that participants share is personal, and protecting it is our most important responsibility. Accordingly, we take many steps to safeguard participants’ information with extensive policies, security testing, and oversight. In all aspects of our work, we strive for transparency, respecting our relationships with participants and our other partners.

Recently, the HHS Office of Inspector General released a report about two of our awardees’ data security efforts, based on a routine audit it conducted two years ago when our systems were in the testing phase. The OIG identified potential vulnerabilities in the Participant Technology Systems Center platform, all of which were promptly resolved. The OIG also recommended that NIH more closely monitor its awardees to ensure strong security protections.

While we appreciate the OIG’s audit and recommendations, we want to assure our program participants and other partners that NIH employs some of the strongest security protocols available and holds awardees to the highest data security standards. The report’s title may lead some to believe that the issues identified are ongoing, when, in fact, they were resolved long ago.

Data management requires ongoing improvements to security systems and processes in response to evolving threats. Our security measures have increased, and continue to increase, as the program matures. For example, prior to our national launch on May 6, 2018, All of Us partnered with HackerOne to conduct expanded security testing. HackerOne enlists ethical hackers to help companies and government agencies discover security vulnerabilities before they can be exploited. Additionally, we have increased the frequency of our security tests on both internal- and external-facing systems.

To ensure responsible oversight of security operations, All of Us staff at NIH work diligently on a daily basis alongside team members from the Data and Research Center and the Participant Technology Systems Center. Based on the OIG recommendation, we continue to review the security and privacy terms and conditions in our awards and will make any updates as needed to ensure we continue to have a multifaceted, robust security program.