The Government Accountability Office (GAO) has found that the U.S. Food and Drug Administration’s (FDA) online information system has a number of weaknesses that make it vulnerable to cyberattacks. After conducting a review, GAO said it found over 80 weaknesses that make it easier for hackers to access confidential health information. GAO made 15 broad recommendations for strengthening the FDA’s online system, including a complete risk assessment, employee training and consolidation of systems.
GAO stated in its report, “Significant harm to FDA’s reputation and economic damage to regulated industries could result if this information is not adequately protected against cyber threats.”
The report cited flaws in FDA’s access controls, firewalls, contingency planning, encryption and systems to sanitize disposed tapes, disks and hard drives. GAO issued the report in August, and the FDA has been working to address these issues.
GAO says the security of FDA’s IT system is vital. Flaws in its cybersecurity can expose private health data as well as trade secrets in drug submissions. These systems are also important because they are used to maintain industry and public health data. “Until FDA rectifies these weaknesses, the public health and proprietary business information it maintains in these seven systems will remain at an elevated and unnecessary risk of unauthorized access, use, disclosure, alteration, and loss,” GAO stated.
To address the weaknesses, the GAO made 15 broad recommendations and 166 specific actions the FDA needs to take. According to ZDNet, the agency has already implemented 12 of the 15 recommendations and 102 of the 166 actions. “We anticipate completing the remaining three program recommendations in the next few months, and the remaining technical recommendations in the next year,” said FDA CIO Todd Simpson. “The FDA appreciates and takes very seriously the GAO report’s recommendations, but the report’s limited findings should not be broadly applied to the FDA’s entire IT enterprise.”
“It is also important to note that the FDA has not experienced any major cybersecurity-related breaches that exposed industry or public health information.”