The U.S. Government Accountability Office (GAO) released a report on Thursday regarding cybersecurity and control weaknesses at the U.S. Food and Drug Administration (FDA).
The report, titled “FDA Needs to Rectify Control Weaknesses That Place Industry and Public Health Data at Risk,” was requested by U.S. Reps. Fred Upton (R-MI), Joseph Pitts (R-PA) and Tim Murphy (R-PA).
The GAO report found that while the FDA took steps to protect its sensitive network information, the agency did not always adequately protect the boundaries of its network, consistently identify and authenticate system users, limit users access to only what was required to perform their duties, or encrypt sensitive data.
The report also found that the FDA did not consistently audit and monitor system activity or conduct physical security reviews of its facilities.
The GAO said that the weaknesses persisted because the FDA did not fully implement an agency-wide information security program as required by the Federal Information Security Modernization Act of 2014.
To fix the remaining issues, the GAO report recommended that the FDA take 166 different actions to resolve weaknesses in information security controls. The U.S. Department of Health and Human Services, which oversees the FDA, agreed with the report’s recommendations and has begun to apply many of the recommendations.
In addition to the report, the U.S House Committee on Energy and Commerce requested that the FDA work with the United States Computer Emergency Readiness Team to search their network for any signs of a compromised system.