From the U.S. Government Accountability Office, www.gao.gov

Transcript for: FDA Information Security

Description: Audio interview by GAO staff with Greg Wilshusen, Director, Information Technology

Related GAO Work: GAO-16-513: Information Security: FDA Needs to Rectify Control Weaknesses That Place Industry and Public Health Data at Risk

Released: September 2016

[ Background Music ]

[ Narrator: ] Welcome to GAO's Watchdog Report, your source for news and information from the U.S. Government Accountability Office. It's September 2016. Ensuring the safety, effectiveness and quality of food, drugs and other consumer products is a big responsibility for the Food and Drug Administration. In carrying out its mission, FDA relies extensively on information technology systems to receive, process and maintain sensitive industry and public health data. A team led by Greg Wilshusen, a director in GAO's Information Technology team, recently reviewed FDA's efforts to ensure the security of these information systems. Jacques Arsenault sat down with Greg to talk about what they found.

[ Jacques Arsenault: ] Can you tell me about the kinds of information that FDA keeps in its IT systems?

[ Greg Wilshusen: ] Sure. It keeps quite a bit of sensitive information that it receives from companies that submit products and drugs to FDA for its review and approval. It also keeps the sensitive personal information on its own employees, as well as data about the status of its reviews and evaluations and approvals of products that have been submitted for review. And this information can be very sensitive because it could relate to a company's business proprietary information or trade secrets relating to specifications on the products or drugs that it submits as well as some of the manufacturing processes that it submits as well.

[ Jacques Arsenault: ] And what are some of the threats that these systems face?

[ Greg Wilshusen: ] Well these systems face a number of threats both from internal sources because the information is very attractive and can be used for financial gain. For example, learning before it becomes publicly known that a drug has received FDA approval for marketing. That information can be used by criminals, either insiders within FDA who use that information for insider trading or criminals who seek financial gain by manipulating the stock market. Another threat could be from competitors who seek to know about information on their competitor's processes and products.

[ Jacques Arsenault: ] So it seems like there could be some clear motivations for these types of attacks. Is there any evidence that these types of attacks or threats have materialized?

[ Greg Wilshusen: ] Well, yes there was an incident back in 2013, which resulted in an intruder gaining access to the passwords and user IDs of one of FDA's systems. And so this is definitely a very real and present threat to FDA.

[ Jacques Arsenault: ] Well, let me ask you then, what is FDA doing to protect these IT systems and the information that's in them?

[ Greg Wilshusen: ] Well FDA has taken a number of actions including implementing various different types of information security controls. For example, in 2015, it consolidated its systems and network operations centers to provide greater situational awareness over the activities on its network. In addition, it created a task force to look at the long-term and short-term problems associated with securing its network. However, what we found during our audit is that FDA systems and networks were riddled with information security vulnerabilities that placed its sensitive information at an elevated and unnecessary risk.

[ Jacques Arsenault: ] So given those vulnerabilities that still exist, can you tell me about the recommendations that GAO's making in this report?

[ Greg Wilshusen: ] Sure. We made about 166 specific actions and recommendations to address the technical security control weaknesses that we identified in FDA's networks and systems. In addition, we made 15 recommendations relative to FDA's information security program. And these recommendations deal with more or less some of the underlying causes for many of the technical deficiencies that we identified. It relates, for example, in terms of updating and completing risk assessments over its systems that we reviewed, updating and developing security procedures for implementing various different types of security controls and FDA's procedures for responding and detecting incidents all need to be drastically improved.

[ Jacques Arsenault: ] Finally then, what would you say is the bottom line of this report?

[ Greg Wilshusen: ] Well although FDA has taken actions to implement security controls over systems and indeed during the course of our audit has taken actions to start implementing some of our recommendations, until FDA rectifies the multitude of security vulnerabilities that we identified during our review and implements our recommendations, its sensitive information including public health data and industry sensitive information will remain at unnecessary and elevated risk of unauthorized access, disclosure, modifications and loss.

[ Background Music ]

[ Narrator: ] To learn more, visit GAO.gov and be sure to tune in to the next episode of GAO's Watchdog Report for more from the congressional watchdog, the U.S. Government Accountability Office.