Digital Guardian's Blog

The Next Big Health Data Breach May Come from the FDA

A report by the GAO warns the FDA to mind the security of its own network.

The Food and Drug Administration (FDA) is on the front lines in the battle to make medical devices and medical data safe from hackers. But a report from the Government Accountability Office (GAO) warns that the FDA should mind the security of health data on its own network.

A recently published GAO Report (GAO-16-513) finds that the FDA has a “significant number of security control weaknesses” in critical IT systems that could “jeopardize the confidentiality, integrity and availability of its information and systems.” That’s particularly concerning, as the FDA network contains both sensitive health information and proprietary trade secrets, GAO said.

The FDA has, so far, failed to implement an agency-wide information security program as required by the Federal Information Security Modernization Act of 2014 and the Federal Information Security Management Act of 2002. As a result, “the public health and proprietary business information it maintains in these seven systems will remain at an elevated and unnecessary risk of unauthorized access, use, disclosure, alteration, and loss.”

The Food and Drug Administration is part of the Department of Health and Human Services and is responsible for regulating food safety, pharmaceuticals, tobacco products, medical devices and other products. The agency has taken a lead role in setting standards for medical device makers to secure their products and the information they contain from hackers.

But when it comes to the FDA’s own IT environment, GAO found there was much work to be done. The FDA, it found, had not done comprehensive risk assessments of its IT assets or addressed threats to those systems. The agency lacked complete security plans for all reviewed systems and hadn’t put in place programs to train personnel with “significant security responsibilities.” The agency couldn’t prove that it was testing its security controls effectively each year, as required by FISMA, or that any identified security weaknesses were being addressed in a timely fashion, GAO said.

Among the list of “deplorables” (to use a popular phrase): the FDA did a poor job of securing its network boundaries and limiting access from the outside. In one case uncovered by GAO, a contractor failed to isolate the FDA’s network from its own network and those of its customers, or configure a firewall to restrict access to the FDA’s internal network.

Network devices deployed in field locations run by the agency were poorly configured and allowed communications via insecure protocols like Telnet. Routers at field locations were configured to accept management traffic from untrusted sites. The practices put “sensitive public health, proprietary business, and personal information maintained by the agency… at increased risk of compromise,” GAO concluded.

FDA also failed to manage user passwords and user access effectively. Access control and “user least privilege” are two of the most effective steps toward preventing data breaches, but GAO found that the FDA’s internal environment allowed far too many employees access to far too much data.

For example, while the FDA implemented personal identity verification cards for multifactor authentication, it did not implement strong password controls in accordance with its security policies and NIST guidance on five of the seven critical systems GAO reviewed.

GAO auditors found a database server, used to encrypt industry partner submission packages, on which passwords had not been changed in more than 5 years. Service accounts for servers with access to sensitive industry partner regulatory submissions had passwords set to never expire, and GAO found evidence of privilege escalation due to loose user management.

In addition, FDA did not always implement password controls on certain network devices, GAO found. Two network devices that delivered web applications to FDA users were configured with weak password settings, accepting short (six character) passwords and not requiring password complexity. There was no security setting to enforce a maximum password lifetime or password history, or to time out a user after too many invalid attempts, GAO noted.

In another example, a user account password for a network management server that monitors and maintains a history of network devices’ hardware and software changes had not been changed since January 6, 2011.

“Without implementing strong password requirements, increased risk exists that passwords could be guessed, permitting unauthorized access to FDA systems,” GAO warned.

In a letter responding to the report, the FDA said it has not experienced a data breach, but is working to improve its IT security and had hired an outside consultant, Deloitte, to assist it. The FDA hired its first CIO in 2015 and is working to “ensure the prevention, detection and correction of incidents.”

The FDA is just the latest federal agency to fall flat in the face of an audit. In May, the GAO warned that the Federal Government is dangerously dependent on “legacy” technology, some decades old, that is expensive to maintain, insecure and an obstacle to the development of more efficient services.

In a 2013 report, the GAO warned that Uncle Sam has made negligible progress towards improving the security of its information systems, and has little to show in key areas such as responding to cyber incidents, promoting R&D on cyber security tools and technology, educating its workforce about cyber security, and responding to international cyber threats.

The Obama Administration has taken steps to address cyber security challenges. A recent Cyber Sprint resulted in a 21-page memorandum from Federal CIO Tony Scott and Office of Management and Budget Director Shaun Donovan that called on agencies to identify high value information and assets on their networks and develop strategies to identify and respond to cyber incidents in a timely manner.

Paul Roberts

Paul Roberts is the editor in chief of The Security Ledger and founder of the Security of Things Forum. A seasoned reporter, Paul has more than a decade of experience covering the IT security space. His writing has appeared in publications including The Christian Science Monitor, MIT Technology Review and The Economist Intelligence Unit. He's appeared on news outlets including Al Jazeera America, NPR's Marketplace Tech Report and The Oprah Show.