Hi,

The Federal Aviation Administration system storing more than 3 million past and current airplane pilots' personal information, including medical data, has been riddled with information assurance protection holes for years, according to a Transportation Department inspector general report dated June 18.
Auditors conducted a 21-month investigation, which concluded in January, into the FAA's management of the Medical Support System (MSS). They found "serious security lapses" and concluded that airmen's personal data remains at risk today from unauthorized access and use. The system contains the names, addresses, Social Security numbers and medical data of pilots, flight instructors and engineers, navigators and student pilots--anyone licensed to touch the dials in an airplane cockpit. Inside MSS are approximately 18 million medical records and 465,000 current medical certifications. About 9,000 people have access to the system, 8,500 of whom are contracted physicians or their staff, who enter airmen's medical data into the system via the Internet.

Basic cybersecurity measures were missing from the system, the report states. Passwords were stored in clear text. Data in transit from MSS to other FAA systems was not encrypted en route, nor when it came to rest in the other systems. MSS was neither properly configured nor patched. Auditors were able to gain unauthorized access to accounts because in some cases passwords were the same as user IDs. In addition, the system lacks an audit trail for detecting inappropriate user access.

In its response to the audit, the FAA said audit trails will be in place by Sept. 30, 2011. In response to an auditor recommendation that the FAA restrict access to records of inactive airmen--entries on whom constitute up to 86 percent of MSS records--on a need-to-know basis, the FAA agreed but said the earliest it could do so is Sept. 30, 2013. "FAA's implementation schedule is protracted and will continue to put at risk sensitive airman information beyond the time necessary for this control to be implemented," auditors state.
The FAA disagreed with a recommendation that it implement multifactor user authentication for MSS, stating that it is not necessary since physicians and their staff can only access medical data that they themselves have entered into the system. Auditors also took issue with the FAA's response to a recommendation that the agency match active airman records against disability records from other federal agencies, such as the Social Security Administration's disability payment database. Although the FAA states that it has completed the necessary legal steps to allow matching, Transportation auditors say the FAA is essentially waiting for other agencies to act when it should "proactively engage" them.

For more information, see: http://www.oig.dot.gov/sites/dot/files/MSS%20Final%20Report%20%28signed%29%206-18-2010.pdf
