Analysis: GAO Report on FDA Security WeaknessesExperts Say Many Healthcare Organizations Face Similar Issues
A long list of information security weaknesses, including inadequate access controls, that a federal watchdog agency found at the Food and Drug Administration are similar to those found at many healthcare organizations, some security experts say. But the FDA should be held to an even higher standard than the organizations that implement FDA-regulated drugs and devices, they argue.
"These are weaknesses that are common everywhere," says Kate Borten, founder of the privacy and security consulting firm The Marblehead Group. "I would hope the FDA knows better but has staffing issues."
The Government Accountability Office report issued on Sept. 29 says that although the FDA has taken steps to safeguard seven systems GAO reviewed, a significant number of security control weaknesses jeopardize the confidentiality, integrity and availability of the agency's information and systems.
"The agency did not fully or consistently implement access controls, which are intended to prevent, limit and detect unauthorized access to computing resources," according to the GAO report. The report says the FDA did not always:
- Adequately protect the boundaries of its network;
- Consistently identify and authenticate system users;
- Limit users' access to only what was required to perform their duties;
- Encrypt sensitive data;
- Consistently audit and monitor system activity;
- Conduct physical security reviews of its facilities.
GAO also noted: "FDA conducted background investigations for personnel in sensitive positions, but weaknesses existed in other controls, such as those intended to manage the configurations of security features on and control changes to hardware and software; plan for contingencies, including systems disruptions and their recovery; and protect media such as tapes, disks and hard drives to ensure information on them was 'sanitized' and could not be retrieved after they are disposed of."
Federal Standards Missed?
GAO says the FDA control weaknesses existed, in part, "because FDA had not fully implemented an agencywide information security program, as required under the Federal Information Security Modernization Act of 2014 and the Federal Information Security Management Act of 2002.
For example, GAO says the FDA did not ensure risk assessments for reviewed systems were comprehensive and addressed system threats; review or update security policies and procedures in a timely manner; complete system security plans for all reviewed systems or review them to ensure that the appropriate controls were selected; ensure that personnel with significant security responsibilities received training; always test security controls effectively and at least annually; and always ensure that identified security weaknesses were addressed in a timely manner.
"Until FDA rectifies these weaknesses, the public health and proprietary business information it maintains in these seven systems will remain at an elevated and unnecessary risk of unauthorized access, use, disclosure, alteration, and loss," GAO writes.
Because the FDA is an important regulatory body within the Department of Health and Human Services, its security weaknesses are especially disturbing, some security experts say.
"These are fairly common weaknesses found during risk assessments and audits for a lot of different organizations, but for the FDA, which should be setting the example, and which has a fairly prescriptive requirement, namely FISMA, that they are supposed to be compliant with, this is a pretty damning appraisal of their performance," says Mac McMillan, CEO of security consultancy CynergisTek.
McMillan says three of the most troubling findings in the GAO report are "the technical vulnerabilities alluded to with the perimeter, access management and auditing and monitoring. What these three things combined say is that the FDA could be easy to breach, and then exploit, and might never even know it. That is about as serious as it gets."
GAO reports that it's making 15 recommendations to the FDA to fully implement its agencywide information security program.
Some of those recommendations involve improvements to risk assessment; developing procedures for security controls, including identification and authentication; enhancing procedures for a number of security control families including access control and configuration management.
GAO also notes that in a separate report with limited distribution, it's recommending that FDA take 166 specific actions to resolve weaknesses in information security controls.
The report notes that FDA concurred with GAO's recommendations and has begun implementing several of them.
In a statement, the FDA notes it "takes very seriously the GAO report's recommendations, but the report's limited findings should not be broadly applied to the FDA's entire IT enterprise."
FDA also notes that it has not experienced any major data breaches that exposed industry or public health information.
"We recognize the risks associated with operating our large global IT enterprise and have implemented processes, procedures and tools to ensure the deterrence, prevention, detection and correction of incidents," the FDA statement notes. "In addition to addressing the majority of the recommendations identified in the GAO report, we have also undertaken several other key activities and initiatives to ensure our IT systems and sensitive information are appropriately protected by safeguarding against unauthorized disclosure, access or misuse.
Lessons in GAO Report
Borten, the security consultant, notes that the GAO reviewed "very standard information security controls that should be universally understood and applied." Together they constitute a security program, she says.
"They are all important; an adequate security program must have numerous controls," she says. "Whether mandated or not, it is distressing that today's government and businesses don't yet accept and apply them."
Covered entities and business associates should pay attention to the GAO's list of security shortcomings at the FDA, she stresses. "Hopefully, the takeaway isn't, 'since the FDA has these problems, we shouldn't be too concerned about our security program'," she says. "Instead, CEs and BAs should learn from this report what additional controls are essential and perhaps missing in their own programs."