The Food and Drug Administration (FDA) must still improve in its efforts to fix information security weaknesses found by the US Government Accountability Office (GAO), especially as the FDA receives, processes, and maintains sensitive industry and public health data.
GAO recently reviewed seven FDA systems, and found a “significant number of security control weaknesses,” according to the report. Part of the reason for some of the control weaknesses was that the FDA “had not fully implemented an agency-wide information security program.”
While the FDA has made improvements in the seven systems that GAO reviewed, there are still numerous information security vulnerabilities that could potentially put sensitive data at risk.
Specifically, the FDA did not always protect its network boundaries adequately, did not consistently identify and authenticate system users, and did not always limit user access to the information necessary for each user's job function.
Furthermore, GAO found that the FDA did not always encrypt sensitive data, audit and monitor system activity consistently, or conduct physical security reviews of its facilities.
“FDA relies extensively on information technology systems to receive, process, and maintain sensitive industry and public health data, including proprietary business information such as industry drug submissions and reports of adverse reactions,” GAO explained. “Accordingly, effective information security controls are essential to ensure that the agency's systems and information are adequately protected from inadvertent or deliberate misuse, improper modification, unauthorized disclosure, or destruction.”
Overall, GAO made 15 recommendations for the Secretary of Health and Human Services to direct to the Commissioner of FDA. These included conducting comprehensive risk assessments for certain systems and developing a policy for system maintenance.
Personnel with significant security responsibilities must also receive role-based training, according to the recommendations. There should also be “a process to effectively monitor and track training for personnel with significant security roles and responsibilities.”
“We are also making 166 technical recommendations in a separate report with limited distribution,” the report stated. “These recommendations address information security weaknesses related to boundary protection, identification and authentication, authorization, cryptography, physical security, configuration management, and media protection.”
GAO identified a total of 58 access control weaknesses, while finding 23 weaknesses for configuration management.
The access control weaknesses included issues in areas such as boundary protection, identification and authentication, authorization, and cryptography.
“Inadequate design or implementation of access controls increases the risk of unauthorized disclosure, modification, and destruction of sensitive information and disruption of service,” the report’s authors wrote.
Weak boundary controls affect who can reach certain agency networks. For example, GAO found that network devices at FDA field locations “were not properly configured and allowed all remote access protocols.”
Certain host-based firewalls were also found to not be configured properly, while certain routers did not “restrict inbound management traffic from untrusted sites.”
“As a result, sensitive public health, proprietary business, and personal information maintained by the agency were at increased risk of compromise due to inadequate separation of the service provider’s network from FDA’s network, inadequate separation of the untrusted network from the agency’s network, and weaknesses in other boundary controls,” GAO said.
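The two boundary-control findings quoted above (devices that allow all remote access protocols, and routers that do not restrict inbound management traffic from untrusted sources) are the kind of thing a configuration audit can flag automatically. The following is an added example, not code from the GAO report or any FDA system; it audits constructed device configurations written in a simplified IOS-style syntax (an assumption made for illustration) and reports each weakness the report describes, alongside a hardened configuration that passes the same checks.

```python
import re

# Constructed sample configurations in a simplified IOS-style syntax.
# The syntax, hostnames and addresses are assumptions for illustration and
# are not taken from the GAO report or from any real FDA device.
WEAK_CONFIG = """\
hostname field-router-1
ip http server
line vty 0 4
 transport input all
 login local
"""

HARDENED_CONFIG = """\
hostname field-router-1
no ip http server
ip access-list standard MGMT-HOSTS
 permit 10.20.30.0 0.0.0.255
 deny any
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 login local
"""

# Constructed trusted management subnet (an assumption for the example).
TRUSTED_MGMT_PREFIXES = {"10.20.30.0"}


def parse_acls(text):
    """Return {acl_name: [rule, ...]} for each standard named access list."""
    acls = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"ip access-list standard (\S+)", line)
        if m:
            current = m.group(1)
            acls[current] = []
            continue
        if current and line.startswith(" "):
            acls[current].append(line.strip())
        else:
            current = None
    return acls


def parse_vty(text):
    """Return the indented entries under the 'line vty ...' block."""
    entries = []
    in_vty = False
    for line in text.splitlines():
        if line.startswith("line vty"):
            in_vty = True
            continue
        if in_vty and line.startswith(" "):
            entries.append(line.strip())
        else:
            in_vty = False
    return entries


def audit_device(text, trusted_prefixes=TRUSTED_MGMT_PREFIXES):
    """Return a list of boundary-control findings for one device config."""
    findings = []
    vty = parse_vty(text)
    acls = parse_acls(text)

    # Finding 1: the management lines accept every remote access protocol
    # (or cleartext telnet) instead of SSH only.
    for entry in vty:
        if entry.startswith("transport input"):
            protocols = entry.split()[2:]
            if "all" in protocols or "telnet" in protocols:
                findings.append("vty permits all or cleartext remote access protocols: " + entry)

    # Finding 2: inbound management traffic is not restricted to trusted sources.
    access_class = [e for e in vty if e.startswith("access-class")]
    if not access_class:
        findings.append("no access-class on vty: inbound management traffic is unrestricted")
    else:
        name = access_class[0].split()[1]
        rules = acls.get(name, [])
        permitted = {r.split()[1] for r in rules if r.startswith("permit")}
        untrusted = permitted - set(trusted_prefixes)
        if not rules or untrusted:
            findings.append(f"access-class {name} permits untrusted sources: {sorted(untrusted) or 'missing ACL'}")

    # Finding 3: a cleartext HTTP management interface is enabled.
    if re.search(r"^ip http server$", text, re.M):
        findings.append("ip http server enabled: cleartext HTTP management interface")

    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_device(cfg) or "no findings")
```

The weak configuration produces three findings (all transport protocols on the vty lines, no inbound management restriction, and HTTP management enabled); the hardened one, which limits the vty lines to SSH and applies an access list that permits only the trusted management subnet, produces none. Running such a check across every field device is how a program like the one GAO describes would verify that remote access is limited rather than discovering it during an audit.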
As federal agencies have access to vast amounts of sensitive data, it is essential that their security measures are current and comprehensive.
Earlier this year, the Office of Inspector General found some data security vulnerabilities in CMS wireless networks, which could result in unauthorized access to and disclosure of PII.
There was no evidence that the vulnerabilities had been exploited, but they could still result in unauthorized PII access and disclosure. OIG added that critical operations may be disrupted, and “the confidentiality, integrity, and availability of CMS’s data and systems” could have been compromised.
Image Credit: GAO