The FDA and information security
Much like other businesses these days, the Food and Drug Administration (FDA) relies heavily upon IT systems to fulfill its mission. IT plays a part in conducting operations, processing transactions, delivering services to constituents, and communicating with individuals and organizations.
The FDA collects, processes, and maintains highly sensitive information, including personally identifiable information, trade secrets, and confidential commercial information, which makes a secure network a high priority for the agency.
According to a recent Government Accountability Office (GAO) report (http://www.gao.gov/assets/680/679359.pdf), the FDA spent $585 million on IT during fiscal year 2015, with nearly $12 million of that spend going directly to information security.
With what seems to be a healthy budget to combat cyber attacks and threats, the report detailed how the FDA failed to completely implement an agency-wide information security program.
Information Security: FDA Needs to Rectify Control Weaknesses That Place Industry and Public Health Data at Risk https://t.co/BR7dVLjOkp
— U.S. GAO (@USGAO) September 29, 2016
GAO takes a hard look
The GAO further outlined within its report six areas in which the FDA failed (http://www.gao.gov/assets/680/679359.pdf): (1) adequately protecting the boundaries of its network, (2) consistently identifying and authenticating system users, (3) limiting users’ access to only what was required to perform their duties, (4) encrypting sensitive data, (5) consistently auditing and monitoring system activity, and (6) conducting physical security reviews of its facilities.
Where the FDA is falling short
Many of these shortcomings are a direct result of not implementing guidelines required under the Federal Information Security Modernization Act of 2014 (https://www.congress.gov/bill/113th-congress/senate-bill/2521) and the Federal Information Security Management Act of 2002 (http://csrc.nist.gov/drivers/documents/FISMA-final.pdf).
These acts provide a structure that all federal government operations were to implement to strengthen overall information security. According to the report (http://www.gao.gov/assets/680/679359.pdf), the FDA neglected to apply many of the mandatory directives, as it did not:
- Ensure risk assessments for reviewed systems were comprehensive and addressed system threats.
- Review or update security policies and procedures in a timely manner.
- Complete system security plans for all reviewed systems or review them to ensure that the appropriate controls were selected.
- Ensure that personnel with significant security responsibilities received training or that such training was effectively tracked.
- Always test security controls effectively and at least annually.
- Always ensure that identified security weaknesses were addressed in a timely manner.
- Fully implement procedures for responding to security incidents.
Placing systems at risk
This lack of execution by the FDA placed no fewer than seven of its systems at risk, according to the GAO report. The report (http://www.gao.gov/assets/680/679359.pdf) identifies weaknesses in access controls, change controls, and patch management that jeopardize the confidentiality, integrity, and availability of these systems.