FAA Criticized for IT Security

Inspector General Says Medical Info Inadequately Protected
The Federal Aviation Administration is inadequately securing medical and personal information on the more than 3 million airmen who it certifies as being fit to operate an aircraft, according to a new government report.

The Office of the Inspector General in the U.S. Department of Transportation said its findings mean that airmen's information is "vulnerable to unauthorized access and use and potential falsification of medical certificates that could lead to unfit airmen being medically certified to fly."

The inspector general, in the report on the FAA's Airmen Medical Support Systems, states that names, addresses, Social Security numbers, medical data and other information "are not properly secured to prevent unauthorized access and use."

Controls Lacking

The new report found that the FAA has not fully implemented security controls, such as multi-factor authentication, audit trail reports and encryption, as required by the Office of Management and Budget and the Department of Transportation.

The report says investigators found vulnerabilities on Medical Support Systems computers, "such as configuration allowing intruders to install malicious codes on FAA user computers." Inadequate contingency planning also threatens MSS service continuity, according to the report.

The report notes, however, that the FAA "took immediate action to enhance security protection," such as by restricting access to the systems by former staff members. Still, it states that "additional improvements are needed" to adequately secure data from unauthorized use.

15 Recommendations

The 31-page report recommends 15 steps to make the information more secure, including extensive use of encryption and multi-factor authentication as well as such contingency planning steps as acquiring a back-up server and upgrading databases.

The Health Information Technology for Economic and Clinical Health Act, passed last year as part of the economic stimulus package, set tougher penalties for violations of the federal privacy and security rules under the Health Insurance Portability and Accountability Act, such as for unauthorized access to private medical information.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
