Security

Why Agencies Handling Genomic Data Need Identity-Focused Access Governance

The permanent, personal data is some of the most sensitive that the government handles due to the national security risks.

Darren Guccione

Darren Guccione is the CEO & Co-founder of Keeper Security, Inc.

The National Institutes of Health and other agencies tasked with protecting genomic and health data require modern, identity-focused access governance to comply with federal security standards.

Genomic and participant-level data is among the most sensitive managed within federal research environments because it is both permanent and personally specific, and the security frameworks surrounding it must adhere to government guidance.

A recent Department of Health and Human Services Office of Inspector General audit found that NIH’s All of Us Research Program, which houses sensitive genomic data, had significant cybersecurity gaps. NIH concurred with the OIG’s recommendations to improve access control enforcement, implement technical safeguards to prevent participant-level data downloads, speed up remediation of known weaknesses and recognize the national security risks related to genomic data.

The audit serves as a reminder that large-scale biomedical research efforts need to ensure privileged access enforcement, data download restrictions and timely remediation to reduce their security risk.

Click the banner below to manage the security risks of machine identities.

How Federal Research Programs Manage Data Access Is Evolving

Ensuring only authorized individuals can access genomic data under the right conditions and with appropriate oversight is foundational to maintaining public trust and supporting scientific progress.

Advancements in cloud-based research platforms, distributed collaboration and hybrid infrastructure have changed how federal programs manage access to sensitive data. These environments benefit from privileged access management approaches that align with National Institute of Standards and Technology security controls, federal zero-trust initiatives and Federal Risk and Authorization Management Program-authorized architectures.

Such capabilities help ensure access pathways remain tightly governed and continuously verifiable.

STUDY UP: Here are four more security trends to look for in the new year.

Preserving Research Programs, Scientific Work and Public Trust

Modern privileged access practices that directly support improvements highlighted in the NIH audit include:

Conditional and risk-adaptive controls that consider device posture, network attributes or other contextual factors before granting elevated access to research systems
Just-in-time privileged access that replaces long-standing administrative permissions with time-limited, approval-based access aligned to specific tasks
Remote browser isolation and controlled analytical environments that enable research activity without introducing unnecessary opportunities for data to be downloaded or stored locally
Centralized monitoring and unified audit trails that support timely remediation, consistent control operation and clear visibility into privileged activity

These capabilities are not designed to slow or restrict research but to strengthen it. Effective access governance protects the integrity of federally funded programs, preserves participant trust and reduces the likelihood of avoidable incidents that could disrupt long-term scientific work.

NIH’s concurrence with the OIG’s recommendations reflects an important commitment to security within the agency. As improvements move from assessment to implementation, embedding modern privileged access practices into daily operations can help federal research programs maintain strong protections for sensitive scientific data while supporting the continued advancement of precision medicine and biomedical innovation.

Photo courtesy of the National Institutes of Health