GAO: FDA needs to address a number of IT security weaknesses
A significant number of security control weaknesses are jeopardizing the confidentiality, integrity and availability of the Food and Drug Administration’s information and systems, putting industry and public health data at risk, according to an audit by the Government Accountability Office.
“The agency did not fully or consistently implement access controls, which are intended to prevent, limit and detect unauthorized access to computing resources,” the GAO’s report says. “Specifically, FDA did not always adequately protect the boundaries of its network, consistently identify and authenticate system users, limit users’ access to only what was required to perform their duties, encrypt sensitive data, consistently audit and monitor system activity, and conduct physical security reviews of its facilities.”
While the FDA conducted background investigations for personnel in sensitive positions, auditors reported that weaknesses existed in other FDA control areas, including:
- Those intended to manage the configurations of security features on and control changes to hardware and software.
- Contingency plans for systems disruptions and their recovery.
- Protecting media—such as tapes, disks and hard drives—to ensure information on them was “sanitized” and could not be retrieved after they were disposed of.
“Until FDA rectifies these weaknesses, the public health and proprietary business information it maintains in these seven systems will remain at an elevated and unnecessary risk of unauthorized access, use, disclosure, alteration and loss,” concluded the GAO’s report.
Part of the problem, according to auditors, is that the FDA has not fully implemented an agency-wide information security program, as required under the Federal Information Security Modernization Act of 2014 and the Federal Information Security Management Act of 2002.
In response to the GAO report on the agency’s IT security program, FDA Chief Information Officer Todd Simpson countered that “information security and the protection of industry and public health information are among the FDA’s highest priorities.”
According to Simpson, the regulatory agency does not “take lightly” the GAO’s recommendations and has “worked quickly to address the concerns outlined by the GAO,” fully implementing 80 percent (12 of 15) of its program recommendations and 61 percent (102 of 166) of its technical recommendations.
“We anticipate completing the remaining three program recommendations in the next few months, and the remaining technical recommendations in the next year,” he added. “The agency continues to enhance its cybersecurity strategies and procedures to ensure FDA information security systems provide adequate protection of industry data and public health information on a continual, long-term basis.
“In support of these efforts, we acquired industry-leading expertise to assist in the development and execution of timely action plans, as well as program/project management activities to immediately address the recommendations outlined in the GAO report,” Simpson noted.
In addition to addressing the majority of the GAO’s recommendations, Simpson said the agency has also started several other key activities and initiatives to ensure its IT systems and sensitive information are “appropriately protected by safeguarding against unauthorized disclosure, access or misuse.”
At the same time, Simpson argued that the GAO report’s “limited findings should not be broadly applied to the FDA’s entire IT enterprise,” noting that the agency “has not experienced any major cybersecurity-related breaches that exposed industry or public health information.”