GAO blasts FDA for cybersecurity failings, says data at ‘elevated and unnecessary risk’

FDA sign

The Government Accountability Office (GAO) has blasted FDA for failing to adequately control access to confidential data. A probe by the congressional watchdog found 87 weaknesses at FDA stemming from its failure to implement an agency-wide security program, a failing that puts the proprietary data businesses share with the regulator at an “elevated and unnecessary risk” of leaking out.

GAO rattles off a list of stinging criticisms in its report, taking FDA to task for failing to consistently authenticate system users, restrict the information these users can access and encrypt sensitive data. The regulator is also reportedly falling short in terms of planning for system disruptions, wiping data from hard drives prior to disposal and monitoring system activities. The upshot is GAO thinks FDA is failing to protect the sensitive data it is entrusted with handling.

To improve the situation, GAO has given FDA a laundry list of recommendations to implement. These include 15 overarching program recommendations, which call on FDA to carry out a risk assessment, create a system maintenance policy and bolster procedures for access control and other aspects of security. And GAO has also hit FDA with a list of 166 technical recommendations that dive into the specific actions the regulator needs to take to get its house in order.

GAO shared the report with members of congress in late August--before going on the make it public this week--and FDA is claiming it has been quick to act on its recommendations. Todd Simpson, the latest person to pass through the revolving door to the CIO’s office at FDA, said the regulator has fully implemented 12 of the program recommendations and 102 of the technical actions. Simpson expects to wrap up the program tasks within a few months, with the technical work taking up to a year.

If FDA can deliver on that timeline, it will still need keep up with GAO recommendations for ongoing reviews and improvements. Such vigilance is needed given the value of the data held by FDA--to unscrupulous drug developers, stock traders and others--and evidence it is being targeted. In 2014, hackers made off with email addresses, passwords and other details for 14,000 accounts with FDA. And this year Federal Times reported FDA faced 35 security incidents a month from 2013 to 2015.

The success of the security reboot is dependent on the IT team sticking around to see it through, something that hasn’t happened historically. When Eric Perakslis took up the CIO post in 2011, he became the fifth person to hold the title since 2008. Perakslis jumped ship in 2013, landing a gig in industry later that year. The CIO post then sat vacant, despite FDA advertising it, until Simpson left the Department of Transportation to take on the role in May 2015.