Despite steps it has taken to safeguard systems that receive, process, and maintain sensitive data, the FDA still utilizes a number of weak security controls that put the confidentiality, integrity, and availability of its systems at risk. A Government Accountability Office (GAO) report analyzing just seven of the FDA’s more than 80 reported information systems revealed incomplete or inconsistently applied access controls and other policies, procedures, and techniques for protecting sensitive information. The GAO made 15 recommendations for the agency to effectively implement key elements of its information security program, with which the FDA generally concurred (GAO Report, GAO-16-513, September 29, 2016).
The Federal Information Security Modernization Act of 2014 (FISMA) (P.L. 113-283) requires federal agencies to develop, document, and implement agency-wide information security programs and authorizes the National Institute of Standards and Technology (NIST) to develop standards and guidelines for agencies to follow. Although many of the FDA’s policies aligned with NIST standards, many were not appropriately implemented.
Access controls. One area of concern involves access controls that prevent, limit, and detect unauthorized access to computer systems. The GAO determined that the FDA did not always ensure that network boundaries were sufficiently segregated to prevent unauthorized users from connecting to networks or to prevent devices on one network from connecting to devices on another network. For example, a contractor that supported the FDA’s public-facing network did not isolate it from its own network and from the networks of other customers, leaving the FDA network vulnerable to intrusion. The FDA also failed to restrict inbound connections from an untrusted network so as to isolate that network from its own internal network.
The GAO found that many network passwords had not been changed in years or were set to never expire, despite NIST’s recommendation for the use of multifactor authentication, which combines a secure password for entering systems with "something you have" (such as a token) or "something you are" (such as a biometric). The FDA also failed to follow the principle of "least privilege," meaning that a person is granted only the access rights and permissions required to perform official duties. Specifically, 4,534 users had access to certain information, some of which was sensitive, when only about 2,400 users actually accessed those files.
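The two findings above, stale credentials and entitlements that far exceed actual use, are both things an agency can check mechanically from its own identity and access records. The following is an added example, not code from the GAO report or the FDA; it reconciles a constructed entitlement list against a constructed access log to produce revocation candidates (the least-privilege gap), and flags accounts whose password age exceeds a maximum or is set to never expire. The data, the 180-day review window and the 90-day maximum password age are assumptions chosen for illustration.

```python
from datetime import date, timedelta

# Constructed sample data (not taken from the GAO report).
# Who is entitled to each resource, per the access-control system.
ENTITLEMENTS = {
    "sensitive-share": {"alice", "bob", "carol", "dave", "erin"},
}

# Constructed access log: (event date, user, resource).
ACCESS_LOG = [
    (date(2016, 3, 2), "alice", "sensitive-share"),
    (date(2016, 5, 14), "bob", "sensitive-share"),
    (date(2015, 1, 9), "carol", "sensitive-share"),  # last use predates the review window
]

# Constructed password metadata: date the password was last set;
# None models an account whose password is set to never expire / never rotated.
PASSWORD_LAST_SET = {
    "alice": date(2016, 6, 1),
    "bob": date(2013, 2, 11),
    "carol": None,
    "dave": date(2016, 4, 20),
    "erin": date(2016, 1, 1),
}


def unused_entitlements(entitlements, access_log, review_end, window_days=180):
    """Return, per resource, the sorted list of users who hold access but
    produced no access event inside the review window (revocation candidates)."""
    window_start = review_end - timedelta(days=window_days)
    used = {
        (user, resource)
        for when, user, resource in access_log
        if window_start <= when <= review_end
    }
    return {
        resource: sorted(u for u in users if (u, resource) not in used)
        for resource, users in entitlements.items()
    }


def stale_passwords(last_set, as_of, max_age_days=90):
    """Return accounts whose password is older than max_age_days or never expires."""
    return sorted(
        user
        for user, when in last_set.items()
        if when is None or (as_of - when).days > max_age_days
    )


if __name__ == "__main__":
    review_end = date(2016, 6, 30)
    for resource, users in unused_entitlements(ENTITLEMENTS, ACCESS_LOG, review_end).items():
        print(f"{resource}: entitled but unused in window -> {users}")
    print("passwords to rotate:", stale_passwords(PASSWORD_LAST_SET, review_end))
```

The revocation list is a starting point for an access review, not an automatic action: an owner should confirm each candidate before access is removed, and the window length should match how often the resource is legitimately used.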
Further, the FDA did not have audit and monitoring controls in place that were viewable across all systems that would help the agency assess computer security, perform investigations during and after an attack, and even recognize an ongoing attack. The agency also did not retain records of evidence of an October 2013 security breach that could have provided tools for improvement. Physical security policies and encryption were also lacking.
Other controls. The GAO applauded the agency for its performance of background checks on employees. However, it noted that the FDA failed to consistently implement controls for configuration management, contingency planning, or media sanitization. Configuration management involves verifying the correctness of the security settings and obtaining reasonable assurance that systems are configured and operating securely and as intended. However, the FDA was unable to provide documentation that emergency changes to software code to remediate security vulnerabilities were tested, validated, or documented. It also failed to apply security patches—fixes for known software vulnerabilities—within the appropriate time periods of 30 days for critical or high-risk vulnerabilities, 60 days for moderate-risk vulnerabilities, and 90 days for low-risk vulnerabilities. In fact, many network devices had not been patched for more than three years. The GAO noted that contingency plans had not been updated and tested. Media waiting for disposal were not properly "sanitized" before disposal to ensure that information was removed. Although the agency recommends "degaussing"—using a magnetizing field to render a hard disk or drive permanently unusable—many backup tapes awaiting disposal had not been treated.
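The 30/60/90-day patching windows cited by the GAO are a risk-tiered service level that can be checked directly against a vulnerability inventory, and the same date arithmetic applies to the overdue plans of action the report counts. The following is an added example, not code from the GAO report or the FDA: it takes a constructed list of findings, derives each one's deadline from its severity tier, and reports which are overdue and by how many days. The finding identifiers, hosts and dates are placeholders; the tier table encodes the periods stated in the text, with critical and high sharing the 30-day window.

```python
from datetime import date, timedelta

# Remediation windows by severity, in days, as stated in the GAO finding.
SLA_DAYS = {"critical": 30, "high": 30, "moderate": 60, "low": 90}

# Constructed findings (placeholder identifiers, not real CVEs or FDA hosts).
FINDINGS = [
    {"id": "finding-1", "host": "rtr-01", "severity": "high",
     "published": date(2016, 1, 10), "patched": None},
    {"id": "finding-2", "host": "sw-07", "severity": "moderate",
     "published": date(2016, 5, 1), "patched": None},
    {"id": "finding-3", "host": "srv-02", "severity": "critical",
     "published": date(2016, 5, 20), "patched": date(2016, 6, 5)},
    {"id": "finding-4", "host": "fw-03", "severity": "low",
     "published": date(2013, 3, 1), "patched": None},   # unpatched for years
    {"id": "finding-5", "host": "srv-05", "severity": "high",
     "published": date(2016, 2, 1), "patched": date(2016, 4, 15)},
]


def deadline(finding):
    """Date by which the finding should have been remediated under the tier SLA."""
    return finding["published"] + timedelta(days=SLA_DAYS[finding["severity"]])


def sla_status(finding, as_of):
    """met: patched within SLA; late: patched after SLA; overdue: still open past
    its deadline; open: still open but inside its window."""
    due = deadline(finding)
    if finding["patched"] is not None:
        return "met" if finding["patched"] <= due else "late"
    return "overdue" if as_of > due else "open"


def overdue_findings(findings, as_of):
    """(host, id, days past deadline) for every overdue finding, worst first."""
    rows = [
        (f["host"], f["id"], (as_of - deadline(f)).days)
        for f in findings
        if sla_status(f, as_of) == "overdue"
    ]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def status_counts(findings, as_of):
    """Summary suitable for a compliance report: how many findings in each state."""
    counts = {"met": 0, "late": 0, "overdue": 0, "open": 0}
    for f in findings:
        counts[sla_status(f, as_of)] += 1
    return counts


if __name__ == "__main__":
    as_of = date(2016, 6, 30)
    for host, fid, days in overdue_findings(FINDINGS, as_of):
        print(f"{host} {fid}: {days} days past SLA deadline")
    print(status_counts(FINDINGS, as_of))
```

Sorting overdue items by days past deadline rather than by severity alone surfaces the long-neglected low-risk items the report describes (devices unpatched for more than three years) without letting them displace overdue high-risk work; a real report would group the output by both.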
Low-hanging fruit. The GAO noted numerous other vulnerabilities in the FDA’s program, including security training. One significant issue was the agency’s approach to remediation. FDA personnel told the GAO that, when determining which plans of action and milestones (POA&M) to complete based on the results of various assessments and analyses, insufficient resources led them to often go after "low hanging fruit" and remedy a number of low-risk issues, rather than tackling high-risk issues that were more difficult or time-consuming to fix. The GAO indicated that 183 of the 611 POA&Ms it reviewed had not been completed by their scheduled completion date, 30 of which were high risk and 102 of which had a scheduled completion date of 2013 or earlier. As of the first quarter of 2015, 1,265 POA&Ms were open.
Health Law Daily: Breaking legal news at your fingertips