FDA Cybersecurity Weaknesses Put Public Health Data At Risk: GAO

A recent review of the FDA’s cybersecurity by a government watchdog found more than 80 security weaknesses, which could put personal confidential health data at risk for many people. 

The review of the FDA’s seven information systems was conducted by the U.S. Government Accountability Office (GAO), a watchdog arm of Congress. The August 2016 report highlighting security flaws was publicly released September 29.

The assessment was a part of a congressional initiative to secure data within government agencies. The GAO review revealed more than 80 weaknesses at the FDA concerning computer systems and information security, involving more than 150 specific flaws.


The FDA maintains computer systems that hold confidential personal health information for many Americans. The recent review revealed those computer systems are seriously vulnerable to hackers.

The review indicated weaknesses in the FDA’s firewall and in its ability to consistently authenticate users, limit users’ access to only what was within their job duties, encrypt sensitive data, continually audit system activity, and consistently conduct reviews of security measures at its facilities.

The GAO made 15 recommendations to secure and strengthen the FDA’s computer systems, including proper employee training and a thorough risk assessment of the system. Additionally, it made 166 specific technical recommendations.

“Security control weaknesses jeopardize the confidentiality, integrity and availability of its information and systems,” wrote the GAO in a press release concerning the FDA systems review.

Overall, the FDA did not fully implement security measures across its seven systems to adequately protect personal health data, the GAO found.

“Until the FDA rectifies these weaknesses, the public health and proprietary business information it maintains in these seven systems will remain at an elevated and unnecessary risk of unauthorized access, use, disclosure, alteration, and loss,” wrote the GAO.

The FDA responded in a statement released Thursday, emphasizing that the agency treats security and protection as a top priority and saying it plans to address the 15 recommendations given by the GAO.

The agency said it has already implemented 12 of the 15 recommendations, and has also addressed 102 of the GAO’s technical recommendations to address security issues.

Many of the remaining action items will be completed within the next few months, with the remainder to be completed by next year, according to the FDA.

The agency indicated it has enlisted industry-leading experts to help implement and execute security measures. The FDA said it also plans to go beyond the report recommendations to fully secure its management of sensitive data.

While the FDA indicates that it takes the report seriously, the agency emphasized the GAO recommendations are not applicable to the FDA’s entire IT system. The FDA says it has not undergone any major cybersecurity breaches that would place the health data at further risk.

“The agency continues to enhance its cybersecurity strategies and procedures to ensure FDA information security systems provide adequate protection of industry data and public health information on a continual, long-term basis,” wrote Todd Simpson, FDA Chief Information Officer.
