DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

InfoSec: FDA Needs to Rectify Control Weaknesses That Place Industry and Public Health Data at Risk

Posted on October 2, 2016 by Dissent

For years, Congress and federal regulators have been raising concerns about FDA’s infosecurity after report of a hack in 2013. So while the FDA has been issuing lots of statements about securing medical devices and mobile apps, the GAO would like them to know that they need to do a better job on securing their own data:

What GAO Found

Although the Food and Drug Administration (FDA), an agency of the Department of Health and Human Services (HHS), has taken steps to safeguard the seven systems GAO reviewed, a significant number of security control weaknesses jeopardize the confidentiality, integrity, and availability of its information and systems. The agency did not fully or consistently implement access controls, which are intended to prevent, limit, and detect unauthorized access to computing resources. Specifically, FDA did not always (1) adequately protect the boundaries of its network, (2) consistently identify and authenticate system users, (3) limit users’ access to only what was required to perform their duties, (4) encrypt sensitive data, (5) consistently audit and monitor system activity, and (6) conduct physical security reviews of its facilities. FDA conducted background investigations for personnel in sensitive positions, but weaknesses existed in other controls, such as those intended to manage the configurations of security features on and control changes to hardware and software; plan for contingencies, including systems disruptions and their recovery; and protect media such as tapes, disks, and hard drives to ensure information on them was “sanitized” and could not be retrieved after they are disposed of. The table below shows the number of GAO-identified weaknesses and associated recommendations, by control area.

Download the full report from GAO (59 pp, pdf), while I try to locate a recently disclosed breach involving FDA internal documents that I saw a while back, but foolishly did not download or bookmark.

Related posts:

  • The President Ordered a Board to Probe a Massive Russian Cyberattack. It Never Did.
Category: Commentaries and AnalysesGovernment SectorU.S.

Post navigation

← GA: Martin Army Community Hospital can’t individually notify 1,000 patients impacted by insider breach that began in 2011
Leet.cc data hacked in February publicly dumped →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • DOJ investigates ex-ransomware negotiator over extortion kickbacks
  • Hackers Using PDFs to Impersonate Microsoft, DocuSign, and More in Callback Phishing Campaigns
  • One in Five Law Firms Hit by Cyberattacks Over Past 12 Months
  • U.S. Sanctions Russian Bulletproof Hosting Provider for Supporting Cybercriminals Behind Ransomware
  • Senator Chides FBI for Weak Advice on Mobile Security
  • Cl0p cybercrime gang’s data exfiltration tool found vulnerable to RCE attacks
  • Kelly Benefits updates its 2024 data breach report: impacts 550,000 customers
  • Qantas customers involved in mammoth data breach
  • CMS Sending Letters to 103,000 Medicare beneficiaries whose info was involved in a Medicare.gov breach.
  • Esse Health provides update about April cyberattack and notifies 263,601 people (1)

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Oregon Amends Its Comprehensive Privacy Statute
  • Wisconsin Supreme Court’s Liberal Majority Strikes Down 176-Year-Old Abortion Ban
  • 20 States Sue HHS to Stop Medicaid Data Sharing with ICE
  • Kids are making deepfakes of each other, and laws aren’t keeping up
  • The Trump administration is building a national citizenship data system
  • Supreme Court Decision on Age Verification Tramples Free Speech and Undermines Privacy
  • New Jersey Issues Draft Privacy Regulations: The New

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.