FAA Criticized for IT Security
Inspector General Says Medical Info Inadequately Protected
The Office of the Inspector General in the U.S. Department of Transportation said its findings mean that airmen's information is "vulnerable to unauthorized access and use and potential falsification of medical certificates that could lead to unfit airmen being medically certified to fly."
The inspector general, in the report on the FAA's Airmen Medical Support Systems, states that names, addresses, Social Security numbers, medical data and other information "are not properly secured to prevent unauthorized access and use."
Controls Lacking
The new report found that the FAA has not fully implemented security controls, such as multi-factor authentication, audit trail reports and encryption, as required by the Office of Management and Budget and the Department of Transportation.
The report says investigators found vulnerabilities on Medical Support Systems computers, "such as configuration allowing intruders to install malicious codes on FAA user computers." Inadequate contingency planning also threatens MSS service continuity, according to the report.
The report notes, however, that the FAA "took immediate action to enhance security protection," such as by restricting access to the systems by former staff members. It adds that "additional improvements are needed" to adequately secure data from unauthorized use.
15 Recommendations
The 31-page report recommends 15 steps to make the information more secure, including extensive use of encryption and multi-factor authentication as well as such contingency planning steps as acquiring a back-up server and upgrading databases.
The Health Information Technology for Economic and Clinical Health Act, passed last year as part of the economic stimulus package, set tougher penalties for violations of the federal privacy and security rules under the Health Insurance Portability and Accountability Act, such as for unauthorized access to private medical information.