Despite recent steps to improve cybersecurity, the US Government Accountability Office (GAO) said Thursday that the US Food and Drug Administration (FDA) needs to better protect industry and public health data.
The report, titled “FDA Needs to Rectify Control Weaknesses That Place Industry and Public Health Data at Risk,” offers 15 recommendations for FDA to fully implement its agency-wide information security program.
For fiscal year 2015, the agency said it spent $585 million on IT, of which about $12 million (2% of the IT budget) went to information security. That share is lower than the nearly 8% of fiscal year 2015 IT spending that the 23 civilian agencies covered by the Chief Financial Officers Act reportedly devoted to information security.
GAO said a significant number of weaknesses remain in FDA’s technical controls—including access controls, change controls and patch management—that jeopardize the confidentiality, integrity and availability of its systems.
“An underlying reason for these weaknesses is that FDA had not yet fully implemented an agency-wide information security program to provide reasonable assurance that controls were operating effectively. These shortcomings put FDA systems at increased and unnecessary risk of unauthorized access, use, or modification that could disrupt its operations. To its credit, FDA, during the course of our work, immediately resolved some of the weaknesses identified and provided information on its proposed actions to address the underlying weaknesses in controls,” the report says.
More specifically, GAO says FDA did not “always (1) adequately protect the boundaries of its network, (2) consistently identify and authenticate system users, (3) limit users' access to only what was required to perform their duties, (4) encrypt sensitive data, (5) consistently audit and monitor system activity, and (6) conduct physical security reviews of its facilities.”
The House Energy and Commerce Committee, which initiated the request for the report, said that while it continues to monitor FDA’s progress, “the fact remains that FDA’s cybersecurity posture today as compared to when GAO first informed the committee about the vulnerabilities is much improved. The collaborative effort undertaken by all parties involved helped resolve the problem faster, more efficiently, and more effectively than more traditional means.”
In a separate report, GAO recommends that FDA take 166 specific actions to resolve weaknesses in its information security controls. In comments on a draft of the report, the Department of Health and Human Services said that FDA concurred with GAO's recommendations and has begun implementing several of them.