Friday, September 30, 2016

[U] GAO Notes: Some 87 Cyber-Security Issues At FDA -- All Are Non-Alarming

UPDATED @ 7:00 AM EDT 10.01.2016: I've just now read the GAO report (60 page PDF file attached) in full (over coffee, yogurt, a banana and OJ), and I am convinced that there would be minimal meaningful "real-world" probable risk here. From the report itself, then:

. . .FDA did not always (1) adequately protect the boundaries of its network, (2) consistently identify and authenticate system users, (3) limit users’ access to only what was required to perform their duties, (4) encrypt sensitive data, (5) consistently audit and monitor system activity, and (6) conduct physical security reviews of its facilities. . . .

That may sound a little more ominous than it actually would be, in most likely practical scenarios. So, as opposed to a likely or real-world meaningful hack, it is frankly largely a remote possibility that this sort of data access would be of any real value to a hacker or group. There is very little chance of high-value access, and therefore little real market value, for such data access. So -- while I think the report is worthwhile, and the fixes now being undertaken are appropriate -- I've decided it presents scant real-world risk to pharmaceutical, bio-science and device manufacturers and their patients, doctors or hospitals. [End, Updated Portion.]


09.30.2016 | 8:00 PM EDT: It is good to learn that the FDA has already begun to implement the GAO report's suggestions (see below); it is also worth noting that patient data from clinical trials might -- at least in theory -- be compromised in this way. And Kenilworth should keep that in mind.

Here is the bit, from Bloomberg, overnight:

. . . .A review of the FDA’s online information systems found more than 80 weaknesses including a lack of cybersecurity firewalls, according to the Government Accountability Office, Congress’s investigative arm.

The GAO audit was part of a congressional initiative to fortify data security at government agencies that stockpile volumes of public data. The GAO made 15 recommendations for strengthening FDA’s systems, including a complete risk assessment, employee training and consolidation of systems. . . .

FDA said it has begun adopting the recommendations in response to the report. . . .

Sleep well one and all (like little round rocks) -- just chillin' -- and watching old movies -- here, on a Friday night. Smiling widely, as visits roll by. . . .

