GAO: FDA needs to address a number of IT security weaknesses
The regulatory agency responds that it has implemented most of the recommendations offered in the report.
A significant number of security control weaknesses are jeopardizing the confidentiality, integrity and availability of the Food and Drug Administration’s information and systems, putting industry and public health data at risk, according to an audit by the Government Accountability Office.
“The agency did not fully or consistently implement access controls, which are intended to prevent, limit and detect unauthorized access to computing resources,” the GAO’s report says. “Specifically, FDA did not always adequately protect the boundaries of its network, consistently identify and authenticate system users, limit users’ access to only what was required to perform their duties, encrypt sensitive data, consistently audit and monitor system activity, and conduct physical security reviews of its facilities.”
While the FDA conducted background investigations for personnel in sensitive positions, auditors reported that FDA weaknesses existed in other control areas, including:
Part of the problem, according to auditors, is that the FDA has not fully implemented an agency-wide information security program, as required under the Federal Information Security Modernization Act of 2014 and the Federal Information Security Management Act of 2002.
Also See: FDA’s medical device arm ramps up health IT strategies
In response to the GAO report on the agency’s IT security program, FDA Chief Information Officer Todd Simpson countered that “information security and the protection of industry and public health information are among the FDA’s highest priorities.”
According to Simpson, the regulatory agency does not “take lightly” the GAO’s recommendations and has “worked quickly to address the concerns outlined by the GAO,” fully implementing 80 percent (12 of 15) of its program recommendations and 61 percent (102 of 166) of its technical recommendations.
“We anticipate completing the remaining three program recommendations in the next few months, and the remaining technical recommendations in the next year,” he added. “The agency continues to enhance its cybersecurity strategies and procedures to ensure FDA information security systems provide adequate protection of industry data and public health information on a continual, long-term basis.
“In support of these efforts, we acquired industry-leading expertise to assist in the development and execution of timely action plans, as well as program/project management activities to immediately address the recommendations outlined in the GAO report,” Simpson noted.
In addition to addressing the majority of the GAO’s recommendations, Simpson said the agency has also started several other key activities and initiatives to ensure its IT systems and sensitive information are “appropriately protected by safeguarding against unauthorized disclosure, access or misuse.”
At the same time, Simpson argued that the GAO report’s “limited findings should not be broadly applied to the FDA’s entire IT enterprise,” noting that the agency “has not experienced any major cybersecurity-related breaches that exposed industry or public health information.”
“The agency did not fully or consistently implement access controls, which are intended to prevent, limit and detect unauthorized access to computing resources,” the GAO’s report says. “Specifically, FDA did not always adequately protect the boundaries of its network, consistently identify and authenticate system users, limit users’ access to only what was required to perform their duties, encrypt sensitive data, consistently audit and monitor system activity, and conduct physical security reviews of its facilities.”
While the FDA conducted background investigations for personnel in sensitive positions, auditors reported that FDA weaknesses existed in other control areas, including:- Those intended to manage the configurations of security features on and control changes to hardware and software.
- Contingency plans for systems disruptions and their recovery.
- Protecting media—such as tapes, disks and hard drives—to ensure information on them was “sanitized” and could not be retrieved after they were disposed of.
Part of the problem, according to auditors, is that the FDA has not fully implemented an agency-wide information security program, as required under the Federal Information Security Modernization Act of 2014 and the Federal Information Security Management Act of 2002.
Also See: FDA’s medical device arm ramps up health IT strategies
In response to the GAO report on the agency’s IT security program, FDA Chief Information Officer Todd Simpson countered that “information security and the protection of industry and public health information are among the FDA’s highest priorities.”
According to Simpson, the regulatory agency does not “take lightly” the GAO’s recommendations and has “worked quickly to address the concerns outlined by the GAO,” fully implementing 80 percent (12 of 15) of its program recommendations and 61 percent (102 of 166) of its technical recommendations.
“We anticipate completing the remaining three program recommendations in the next few months, and the remaining technical recommendations in the next year,” he added. “The agency continues to enhance its cybersecurity strategies and procedures to ensure FDA information security systems provide adequate protection of industry data and public health information on a continual, long-term basis.
“In support of these efforts, we acquired industry-leading expertise to assist in the development and execution of timely action plans, as well as program/project management activities to immediately address the recommendations outlined in the GAO report,” Simpson noted.
In addition to addressing the majority of the GAO’s recommendations, Simpson said the agency has also started several other key activities and initiatives to ensure its IT systems and sensitive information are “appropriately protected by safeguarding against unauthorized disclosure, access or misuse.”
At the same time, Simpson argued that the GAO report’s “limited findings should not be broadly applied to the FDA’s entire IT enterprise,” noting that the agency “has not experienced any major cybersecurity-related breaches that exposed industry or public health information.”
More for you
Loading data for hdm_tax_topic #better-outcomes...