The NIH eRA Reduces Vulnerabilities and Enhances Cybersecurity Posture

Challenge

The National Institutes of Health (NIH) accomplishes its mission by conducting and supporting research in the US and abroad, helping train research investigators, and fostering communication of biomedical information.

Each year, the NIH awards more than $30 billion in research and non-research grants through the Office of Electronic Research Administration (eRA). Applicants and grantees at more than 38,000 institutions worldwide use the eRA system to apply for, process, review, receive, report on, and monitor these funds. This makes eRA a prime target for bad actors seeking to defraud the NIH, intercept and redirect research funds, or conduct other nefarious activities.

Solution

In 2020, the NIH awarded Guidehouse a three-year eRA Cybersecurity and Audit Support project.¹ In doing so, Guidehouse collaborates with the eRA to identify improvements to security controls, enhance its overall security posture, and respond to concerns and third-party inquiries. This project includes application and infrastructure security testing and security operations, training, and audit support.

Application and Infrastructure Security Testing

Guidehouse conducts hundreds of internal- and external-facing website tests to identify potential vulnerabilities. Experts then work with systems developers, engineers, and change professionals to improve awareness and practices around DevSecOps and software.

Security Operations, Training, and Audit Support

Guidehouse helped the NIH increase eRA’s audit preparedness and efficiency by supporting engineers and administrators to produce better reporting and keep track of evolving regulations, technologies, and threats. This includes providing training for more than 30 people on advanced threat-hunting techniques and tactics, such as refined search thresholds and alternative source reconnaissance.

Guidehouse experts also work side-by-side with teams on security engineering and operations, including the development of improved security policies and procedures, new tool implementation and adoption, enhanced system monitoring, and overall improved security posture of eRA applications.

Impact

• Reduced mean time to closure of security vulnerabilities by nearly 50% through implementation of application vulnerability management solution
• Material reduction in the identification of cross-site scripting and application account security vulnerabilities via multiple targeting trainings
• Enhanced cyber resiliency by preventing future risks

During an annual conference in March 2022, the US Department of Health and Human Services recognized Guidehouse’s work as instrumental in maturing the eRA’s system cybersecurity posture, risk remediation, and audit preparedness.

Ranked the second largest healthcare consulting firm in 2022 by Modern Healthcare, Guidehouse has delivered cybersecurity solutions to commercial and public sector organizations, including the Centers for Medicare & Medicaid Services, the Centers for Disease Control and Prevention, Anthem, and multiple healthcare providers. Our team includes experts formerly responsible for protecting U.S. national security systems against cyberthreats.

_______________________________________________________________________________________

¹ Gilbert, Jackie. 2020. “Guidehouse Awarded NIH ERA Cybersecurity and Audit Support Task.” Forum Insights. January 3, 2020. https://www.fedhealthit.com/2020/01/guidehouse-awarded-nih-era-cybersecurity-and-audit-support-task.