Tuesday, January 11, 2011

User Access Security Vulnerabilities "Could Lead to Unfit Airmen Being Medically Certified to Fly" - DOT Inspector General

The Department of Transportation reported serious user access security vulnerabilities in the Federal Aviation Administration's (FAA) medical record systems.

According to the report, the FAA is not ensuring each user’s level of access is "commensurate with a need to know" and is not removing access once an employee changes jobs or is terminated.

The FAA Airmen Medical Support System (MSS) contains the medical records of over three (3) million commercial and private pilots.

The potential falsification of medical certificates "could lead to unfit airmen being medically certified to fly." - Rebecca C. Leng, Assistant Inspector General

Inappropriate Access of PII and User Access Vulnerabilities
According to the report, the medical records system cannot detect inappropriate user access to personally identifiable information (PII). For example, while staff are authorized to access airmen PII to conduct medical examinations, "accessing airman medical records for personal reasons is not appropriate and needs to be deterred."

Moreover, the names, addresses, Social Security numbers, medical data, and other PII of airmen are not properly secured to prevent unauthorized access and use.

Finally, former medical staff continued to have access to electronic medical records (EMR) even after their employment was terminated.

Combined, the report stated, these and other weaknesses make airmen's personally identifiable information vulnerable to unauthorized access and use.

"To ensure aviation safety and protect the privacy of airmen, it is critical that this medical information be secure." - Rebecca C. Leng, Assistant Inspector General

On-Demand Service Detects Inappropriate User Access and Vulnerabilities (a)

Fortunately, there is a new breed of on-demand identity and activity analytics that can identify terminated employees, excessive access rights, and inappropriate access using information an organization already has.
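As an added illustration of the kind of check described above (example code, not from this post, the Veriphyr service, or the OIG report), the snippet below joins an HR roster against EMR access log lines and flags three of the findings the report names: access after termination, access by a role without need to know, and access by an account with no HR record. The roster, the allowed-role list, and the log format are constructed assumptions.

```python
"""Added example: audit EMR access against HR data (constructed inputs)."""
from datetime import datetime

# Constructed HR roster: user -> (role, termination date or None).
HR_ROSTER = {
    "jdoe":   ("medical_examiner", None),
    "asmith": ("medical_examiner", "2010-03-31"),  # terminated, account still live
    "bjones": ("clerk", None),                      # job does not need medical data
}

# Roles allowed to open medical records (assumed policy, not from the report).
NEED_TO_KNOW_ROLES = {"medical_examiner", "medical_reviewer"}

# Constructed access log lines: timestamp|user|action|airman_id
ACCESS_LOG = """\
2010-04-02T09:15:00|jdoe|VIEW_MEDICAL|A10001
2010-04-02T09:20:00|asmith|VIEW_MEDICAL|A10002
2010-04-02T10:05:00|bjones|VIEW_MEDICAL|A10003
2010-04-02T10:30:00|unknown1|VIEW_MEDICAL|A10004
2010-04-02T11:00:00|jdoe|VIEW_MEDICAL|A10001
"""


def parse_log(text):
    """Yield (timestamp, user, action, airman_id) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, airman = line.split("|")
        yield datetime.fromisoformat(ts), user, action, airman


def audit_access(log_text, roster, allowed_roles):
    """Return a list of (user, timestamp, reason) findings, in log order."""
    findings = []
    for ts, user, action, airman in parse_log(log_text):
        if user not in roster:
            # Account exists in the EMR system but HR has never heard of it.
            findings.append((user, ts.isoformat(), "no HR record for user"))
            continue
        role, terminated_on = roster[user]
        if terminated_on and ts >= datetime.fromisoformat(terminated_on):
            # Access was not removed when employment ended.
            findings.append((user, ts.isoformat(), f"access after termination on {terminated_on}"))
        elif action == "VIEW_MEDICAL" and role not in allowed_roles:
            # Access rights exceed what the job requires.
            findings.append((user, ts.isoformat(), f"role '{role}' lacks need to know"))
    return findings
```

In practice the roster comes from the HR system of record and the log from the EMR application's audit trail; the join itself is the same.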

Moreover, the Veriphyr pay-per-use identity and activity analytics service can be implemented in a matter of days, not months, quickly mitigating the risk of inappropriate access to medical records or other sensitive data.

Learn how the Veriphyr Identity and Activity Analytics Service effectively prevents or quickly detects sensitive data loss or theft, even access by terminated employees.

(a) Information security and privacy controls over the airmen medical support system - Report Number: FI-2010-060 at www.oig.dot.gov, June 18, 2010

Copyright © 2010-2017 by Veriphyr Incorporated, All Rights Reserved.