The American Spark
FDA Public Health Data ‘At An Unnecessary Risk Of Loss’
By Cliff Montgomery - Sept. 30th, 2016
To perform its oversight duties, the U.S. Food and Drug Administration (FDA) routinely maintains “sensitive
industry and public health data, including proprietary business information such as industry drug submissions
and reports of adverse reactions [to those drugs],” points out a little-known report on FDA data use practices
released in August by the Government Accountability Office (GAO).
But here’s the thing: the GAO found that the FDA has allowed “a significant number of security control
weaknesses” to “jeopardize the confidentiality, integrity, and availability of its information and systems.”
“Until FDA rectifies these weaknesses, the public health and proprietary business information it maintains ...
will remain at an elevated and unnecessary risk of unauthorized access, use, disclosure, alteration, and loss,”
the GAO study flatly declared.
Below, the American Spark offers the “Highlights” from this damning report:
Why GAO Did This Study
“FDA [Food and Drug Administration] has a demanding responsibility of ensuring the safety, effectiveness,
and quality of food, drugs, and other consumer products. In carrying out its mission, FDA relies extensively on
information technology systems to receive, process, and maintain sensitive industry and public health data,
including proprietary business information such as industry drug submissions and reports of adverse reactions.
“Accordingly, effective information security controls are essential to ensure that the agency’s systems and
information are adequately protected from inadvertent or deliberate misuse, improper modification,
unauthorized disclosure, or destruction.
“GAO was asked to examine security controls over key FDA information systems. GAO assessed the extent
to which FDA had effectively implemented information security controls to protect the confidentiality, integrity,
and availability of its information on seven information systems selected for review.
“To do this, GAO reviewed security policies, procedures, reports, and other documents; examined the
agency’s network infrastructure; tested controls for the seven systems; and interviewed FDA personnel.
What GAO Found
“Although the Food and Drug Administration (FDA), an agency of the Department of Health and Human
Services (HHS), has taken steps to safeguard the seven systems GAO reviewed, a significant number of
security control weaknesses jeopardize the confidentiality, integrity, and availability of its information and
systems.
“The agency did not fully or consistently implement access controls, which are intended to prevent, limit, and
detect unauthorized access to computing resources.
“Specifically, FDA did not always (1) adequately protect the boundaries of its network, (2) consistently identify
and authenticate system users, (3) limit users’ access to only what was required to perform their duties, (4)
encrypt sensitive data, (5) consistently audit and monitor system activity, and (6) conduct physical security
reviews of its facilities.
“FDA conducted background investigations for personnel in sensitive positions, but weaknesses existed in
other controls, such as those intended to manage the configurations of security features on and control
changes to hardware and software; plan for contingencies, including systems disruptions and their recovery;
and protect media such as tapes, disks, and hard drives to ensure information on them was ‘sanitized’ and
could not be retrieved after they are disposed of. [...]
“These control weaknesses existed, in part, because FDA had not fully implemented an agency-wide
information security program, as required under the Federal Information Security Modernization Act of 2014
and the Federal Information Security Management Act of 2002.
“For example, FDA did not:
• ensure risk assessments for reviewed systems were comprehensive and addressed system threats,
• review or update security policies and procedures in a timely manner,
• complete system security plans for all reviewed systems or review them to ensure that the appropriate
controls were selected,
• ensure that personnel with significant security responsibilities received training or that such training
was effectively tracked,
• always test security controls effectively and at least annually,
• always ensure that identified security weaknesses were addressed in a timely manner, and
• fully implement procedures for responding to security incidents.
“Until FDA rectifies these weaknesses, the public health and proprietary business information it maintains
in these seven systems will remain at an elevated and unnecessary risk of unauthorized access, use,
disclosure, alteration, and loss.
What GAO Recommends
“GAO is making 15 recommendations to FDA to fully implement its agency-wide information security program.
“In a separate report with limited distribution, GAO is recommending that FDA take 166 specific actions to
resolve weaknesses in information security controls.
“HHS stated in comments on a draft of this report that FDA concurred with GAO’s recommendations and has
begun implementing several of them.”