Information Security and Privacy Controls Over the Airmen Medical Support Systems
Federal Aviation Administration
Report Number: FI-2010-060
Date Issued: June 18, 2010
From Results in Brief:
The names, addresses, Social Security numbers, medical data, and other PII of airmen are not properly secured to prevent unauthorized access and use. We found serious security lapses in FAA’s management of AMEs’ private medical support staff access to the system. For example, medical examiners’ former staff continued to have access to MSS. At the same time, FAA has not fully implemented security controls required by the Office of Management and Budget (OMB) and the Department to protect PII, such as multi-factor user authentication, audit trail reports to detect inappropriate access, and data encryption. In addition, FAA has not ensured secure configuration of MSS computers in accordance with the Department’s baseline standards to reduce the risk of unauthorized access and corruption. Specifically, we found vulnerabilities on MSS computers, such as configuration allowing intruders to install malicious codes on FAA user computers. Inadequate contingency planning also threatens the service continuity of MSS. Combined, these weaknesses make airmen’s PII vulnerable to unauthorized access and use and potential falsification of medical certificates that could lead to unfit airmen being medically certified to fly. During the course of our review, FAA took immediate action to enhance security protection by working with doctors to remove thousands of separated medical staff’s access to MSS and retracting millions of PII records from the contractor’s site. However, additional improvements are needed to adequately secure PII data from unauthorized use.
Hat-tip, ExecutiveBiz.