FDA Cybersecurity Weaknesses Put Public Health Data At Risk: GAO

A recent review of the FDA’s cybersecurity by a government watchdog found more than 80 security weaknesses, which could put personal confidential health data at risk for many people. 

The review of the FDA’s seven information systems was conducted by the U.S. Government Accountability Office (GAO), a watchdog arm of Congress. The August 2016 report highlighting security flaws was publicly released September 29.

The assessment was a part of a congressional initiative to secure data within government agencies. The GAO review revealed more than 80 weaknesses at the FDA concerning computer systems and information security, involving more than 150 specific flaws.

The FDA maintains computer systems for confidential personal health information for many Americans. The recent review revealed those computer systems are seriously vulnerable to hackers.

The review indicated weaknesses among the FDA’s firewall, consistency and ability to authenticate users, limit user’s access to only what was within their job duties, encrypt sensitive data, continually audit system activity and consistency to conduct reviews of security measures at its facilities.

The GAO made 15 recommendations to secure and strengthen the FDA’s computer systems, including proper employee training and a thorough risk assessment of the system. Additionally, it made 166 specific technical recommendations.

“Security control weaknesses jeopardize the confidentiality, integrity and availability of its information and systems,” wrote the GAO in a press release concerning the FDA systems review.

Overall, the FDA did not fully implement security measures across its seven systems to adequately protect personal health data, the GAO found.

“Until the FDA rectifies these weaknesses, the public health and proprietary business information it maintains in these seven systems will remain at an elevated and unnecessary risk of unauthorized access, use, disclosure, alteration, and loss,” wrote the GAO.

The FDA responded in a statement released Thursday that emphasized the agency focuses on security and protection as a top priority said it plans to address the 15 recommendations given by the GAO.

The agency said it has already implemented 12 of the 15 recommendations, and has also addressed 102 of the GAO’s technical recommendations to address security issues.

Many of the remaining action items will be completed within the next few months, with the remainder to be completed by next year, according to the FDA.

The agency indicated it has enlisted industry-leading experts to help implement and execute security measures. The FDA said  it also plans to go beyond the report recommendations to fully secure their management of sensitive data.

While the FDA indicates that it takes the report seriously, the agency emphasized the GAO recommendations are not applicable to the FDA’s entire IT system. The FDA says it has not undergone any major cybersecurity breaches that would place the health data at further risk.

“The agency continues to enhance its cybersecurity strategies and procedures to ensure FDA information security systems provide adequate protection of industry data and public health information on a continual, long-term basis,” wrote Todd Simpson, FDA Chief Information Officer.