TRENDING:

Encryption & Key Management , Security Operations

FAA Criticized for IT Security

Inspector General Says Medical Info Inadequately Protected Howard Anderson (ismg_editor) • June 28, 2010    
FAA Criticized for IT Security
The Federal Aviation Administration is inadequately securing medical and personal information on the more than 3 million airmen who it certifies as being fit to operate an aircraft, according to a new government report.

The Office of the Inspector General in the U.S. Department of Transportation said its findings mean that airmen's information is "vulnerable to unauthorized access and use and potential falsification of medical certificates that could lead to unfit airmen being medically certified to fly."

The inspector general, in the report on the FAA's Airmen Medical Support Systems, states that names, addresses, Social Security numbers, medical data and other information "are not properly secured to prevent unauthorized access and use."

Controls Lacking

The new report found that the FAA has not fully implemented security controls, such as multi-factor authentication, audit trail reports and encryption, as required by the Office of Management and Budget and the Department of Transportation.

The report says investigators found vulnerabilities on Medical Support Systems computers, "such as configuration allowing intruders to install malicious codes on FAA user computers." Inadequate contingency planning also threatens MSS service continuity, according to the report.

The report notes, however, that the FAA "took immediate action to enhance security protection," such as by restricting access to the systems by former staff members. However, it states "additional improvements are needed" to adequately secure data from unauthorized use.

15 Recommendations

The 31-page report recommends 15 steps to make the information more secure, including extensive use of encryption and multi-factor authentication as well as such contingency planning steps as acquiring a back-up server and upgrading databases.

The Health Information Technology for Economic and Clinical Health Act, passed last year as part of the economic stimulus package, set tougher penalties for violations of the federal privacy and security rules under the Health Insurance Portability and Accountability Act, such as for unauthorized access to private medical information.

Previous
White House Unveils Online Authentication Plan
Next
U.S. Spends $8.8 Billion to Secure Classified Data

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.



Around the Network

Protecting the Hidden Layer in Neural Networks
Protecting the Hidden Layer in Neural Networks
Craig Box of ARMO on Kubernetes and Complexity
Craig Box of ARMO on Kubernetes and Complexity
Securing the SaaS Layer
Securing the SaaS Layer
The Persisting Risks Posed by Legacy Medical Devices
The Persisting Risks Posed by Legacy Medical Devices
Organization-Wide Passwordless Orchestration
Organization-Wide Passwordless Orchestration
Are We Doomed? Not If We Focus on Cyber Resilience
Are We Doomed? Not If We Focus on Cyber Resilience
How 2U Inc. Is Fortifying Its Systems and Solutions Designs
How 2U Inc. Is Fortifying Its Systems and Solutions Designs
David Derigiotis on the Complex World of Cyber Insurance
David Derigiotis on the Complex World of Cyber Insurance
Showing Evidence of 'Recognized Security Practices'
Showing Evidence of 'Recognized Security Practices'
Whistleblowing Brings Visibility to the Role of CISOs
Whistleblowing Brings Visibility to the Role of CISOs

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.