The Federal Aviation Administration is failing to adequately protect the medical and personal data of airmen, according to a report released recently by the Inspector General.
The FAA requires airmen to have their medical and mental fitness certified by a medical professional in order to operate aircraft. However, the FAA, which stores around 18 million records on more than 3 million airmen, is failing to ensure the data is properly secured.
The report found “names, addresses, Social Security numbers, medical data, and other PII of airmen are not properly secured to prevent unauthorized access and use.”
The IG found “serious security lapses” in the way the FAA handles and stores the data for the airmen, including former staff still being able to access the system. The FAA has also failed to implement the required security controls put forth by the OMB, according to the report.
“In addition, FAA has not ensured secure configuration of MSS computers in accordance with the Department's baseline standards to reduce the risk of unauthorized access and corruption,” the report states. “Specifically, we found vulnerabilities on MSS computers, such as configuration allowing intruders to install malicious codes on FAA user computers.”
The serious security flaws leave airmen open to having their data stolen. Additionally, stolen data could be used to fabricate false certificates, allowing individuals who are not medically certified to operate aircraft.
However, the FAA is moving to rectify some of the issues cited by the IG.
“During the course of our review, FAA took immediate action to enhance security protection by working with doctors to remove thousands of separated medical staff’s access to MSS,” the report states. “However, additional improvements are needed to adequately secure PII data from unauthorized use.”