Lax FDA data security puts entire system at "elevated and unnecessary risk'
An investigative team led by Gregory Wilshusen, the GAO's director of information security issues, and Dr. Nabajyoti Barkakati, director of the agency's Center for Technology and Engineering, said that while the FDA has "taken steps to safeguard the seven systems" investigators reviewed, "a significant number of security control weaknesses jeopardize the confidentiality, integrity and availability of its information and systems."
The GAO said the FDA has not "fully or consistently implement[ed] access controls, which are intended to prevent, limit and detect unauthorized access to computing resources."
The report identified a number of security weaknesses in the FDA's security processes, including how it manages changes to computer hardware and software, how it responds to emergencies, such as power outages, and its procedures for ensuring tapes, disks and computer hard drives that were no longer in use were properly scrubbed of sensitive data.
The report also said the FDA failed to encrypt sensitive data.
In one example of how vulnerable the FDA's systems were to outside attack, the GAO discovered that the FDA had not installed security software updates on "hundreds" of devices, such as routers, servers and computer firewalls, in more than three years.
The GAO also said file sharing servers on three of the systems it reviewed had not received security updates since 2009.
"Until FDA rectifies these weaknesses," the investigators said, "the public health and proprietary business information it maintains in these seven systems will remain at an elevated and unnecessary risk of unauthorized access, use, disclosure, alteration and loss."
The GAO made 166 recommendations on how the FDA can correct the problems.
Health and Human Services assistant secretary for legislation Jim Esquea said the FDA "has already begun implementing several of GAO's recommendations, and is actively working to address all recommendations as quickly and completely as possible."
Esquea said the FDA "has not experienced a major cybersecurity-related breach that exposed industry or public health information."
But the FDA has been a target for hackers.
In October 2013, hackers gained access to data systems at the FDA's Center for Biologics Evaluation and Research, and stole usernames, passwords, email addresses and phone numbers.
The extent of the damage caused by that attack remains unknown, in part, the GAO said, because the FDA did not keep records of its forensic investigation into the incident.
In 2014, an HHS inspector general's office conducted a "penetration test" to see if it could break into the FDA's computer systems using common hacker techniques.
While the inspector general's report said its testers failed to breach the FDA's main files, they identified a number of issues that could put the entire system at risk, and recommended "corrective actions."
GAO investigators gave the FDA credit for "immediately" fixing some of the security weaknesses they identified during the course of their recent assessment.