Pilots - Your MEDICAL Information - Security and Privacy - Are at Risk

A Transportation Department Inspector General (IG) report dated June 18 found "serious security lapses" in systems that the FAA uses to store pilots' personal information, including medical data. Information collected from roughly 465,000 current medical certifications is just the tip of the iceberg. The IG says the FAA's Internet-accessible Medical Support System (MSS) holds records for more than three million airmen, past and present. The IG listed names, addresses, Social Security numbers and other "personally identifiable information" as information "not properly secured." According to the report, the system's vulnerabilities allow for the "potential falsification of medical certificates," and more. "Failure to encrypt sensitive personal identifiable information and control remote access to MSS," says the report, "places airmen at unnecessary risk of identity theft, jeopardizes the integrity of the medical certification process, and increases risks of attacks on departmental networks." The FAA is responding and the IG believes the FAA's current and planned actions will positively address the IG's concerns in most cases.

FAA requires airmen to hold a medical certification of their medical and mental fitness to operate aircraft. 1

This review was requested by the Chairmen of the House Committee on Transportation and Infrastructure and its Subcommittee on Aviation. The objectives of our audit were to (1) determine if airmen’s personally identifiable information (PII) is properly secured from unauthorized use or access, and (2) assess FAA’s progress in establishing mechanisms to identify airmen holding current medical certificates while receiving disability pay. MSS currently stores more than 18 million medical records supporting the medical assessment of over three (3) million airmen. To ensure aviation safety and protect the privacy of airmen, it is critical that this medical information be secure. Also, coordination with other Federal agencies may improve aviation safety by identifying airmen who are receiving disability benefits and may not have disclosed potentially disqualifying medical conditions.

1 A medical certificate must be held when exercising any of the following privileges: airline transport pilot, commercial pilot, private pilot, recreational pilot, flight instructor, flight engineer, flight navigator, or student pilot. Except for a person employed by FAA, a branch of the military services or the Coast Guard, a person acting as an air traffic control tower operator must also hold a medical certificate.

RESULTS IN BRIEF

The names, addresses, Social Security numbers, medical data, and other PII of airmen are not properly secured to prevent unauthorized access and use. We found serious security lapses in FAA’s management of AMEs private medical support staff access to the system. For example, medical examiners’ former staff continued to have access to MSS. At the same time, FAA has not fully implemented security controls required by the Office of Management and Budget (OMB) and the Department to protect PII, such as multi-factor user authentication, audit trail reports to detect inappropriate access, and data encryption. In addition, FAA has not ensured secure configuration of MSS computers in accordance with the Department’s baseline standards to reduce the risk of unauthorized access and corruption. Specifically, we found vulnerabilities on MSS computers, such as configuration allowing intruders to install malicious codes on FAA user computers. Inadequate contingency planning also threatens the service continuity of MSS. Combined, these weaknesses make airmen’s PII vulnerable to unauthorized access and use and potential falsification of medical certificates that could lead to unfit airmen being medically certified to fly. During the course of our review, FAA took immediate action to enhance security protection by working with doctors to remove thousands of separated medical staff's access to MSS and retracting millions of PII records from the contractor’s site. However, additional improvements are needed to adequately secure PII data from unauthorized use.

FAA has made limited progress in identifying airmen who receive disability benefits while holding medical certificates. While FAA has a draft matching agreement with the Social Security Administration (SSA) to reconcile data in MSS and SSA’s disability benefits system, it has yet to establish a target date for completing the interface. Further, FAA has yet to coordinate with other benefits providers, such as the Department of Veterans Affairs and the Department of Labor. FAA continues to rely on airmen to disclose potentially disqualifying conditions when applying for medical certificates. FAA recently announced a onetime, limited opportunity for airmen to reveal previously undisclosed depression and use of antidepressant medications without being subject to FAA.

2 This step, however, does not take the place of a comprehensive approach to undisclosed medical conditions. Accordingly, FAA needs to expedite computer matching agreements with disability benefits providers, implement the checks under those agreements, and take appropriate enforcement action where falsifications are found.

To assist FAA, we are making a series of recommendations to strengthen the confidentiality, integrity, and availability of airmen PII and to ensure unqualified airmen do not receive a medical certification enabling them to fly.

BACKGROUND

MSS contains over 18 million medical records on more than 3 million airmen, of which over 465,000 have current medical certifications.3

In 2007, the Inspector General testified before the House Committee on Transportation and Infrastructure that some airmen failed to disclose to FAA any medically disqualifying information on their applications for medical certificates. Further, some airmen held current medical certificates while simultaneously receiving disability benefits for medically disabling conditions. In addition to medical information, the system contains other sensitive personal information, such as name, address, date of birth, and Social Security number of airmen. MSS is accessible to about 9,000 users, 8,500 of whom are AME––private physicians who function as FAA designees—or their staff, who enter the medical data into the MSS Web site on the Internet. AMEs and their staff have access to all information (including medical data) stored in MSS on airmen examined in their offices. In addition, they can access the name, address, date of birth, and partial Social Security number on all airmen examined by other AMEs and stored in MSS. Almost 300 AMEs reside in 89 foreign countries and conduct exams on airmen seeking to fly in the United States.

2 75 Fed. Reg. 17049 (April 5, 2010). Our testimony suggested that FAA work with the SSA and other disability benefits providers to expeditiously develop and implement a strategy to check for and take appropriate certificate regulatory enforcement action where falsifications are found, and to consider revising its application for the medical certificate to require applicants to explicitly identify whether they are receiving medical disability benefits.


3 FAA’s Civil Aerospace Medical Institute in Oklahoma City processes medical certificate applications in MSS.


4 Falsification of FAA Airman Medical Certificate Applications by Disability Recipients (CC-2007-063, July 17, 2007). OIG reports and testimony can be found on our Web page: www.oig.dot.gov.

SENSITIVE AIRMAN MEDICAL RECORDS ARE NOT PROPERLY SECURED FROM UNAUTHORIZED USE

DOT policy requires FAA to implement controls for removing medical record access rights when they are no longer required, to ensure user access is derived from a role-based validation process and each user’s level of access is commensurate with a need to know, and to document all users who have access to sensitive data.5

Medical Staff and Contractor Access Continued Despite A Need To Know However, such controls have not been implemented in MSS. At the same time, FAA has not implemented OMB guidance to secure PII in an automated information system or to properly configure MSS production and development computers to reduce the risk of tampering.

In addition, FAA had been sending millions of airman medical records from the MSS database to its contractor’s facilities, a practice that has been in place over the past decade. FAA’s contractor has been using this live data in its system testing procedures, but FAA had not justified the contractor’s need for using millions of live records—or considered the security implications of storing airman

5 DOT Information Technology and Information Assurance Policy Number 2006-22 – October 11, 2006 (revision 1): Implementation of DOT’s Protection of Sensitive Personally Identifiable Information (SPII).

PII at the contractor facility. After we requested documentation of support and approval of the data transference, FAA concluded there was no business need to maintain the data at the contractor’s site. Millions of PII records were purged from the contractor’s site.

The control weaknesses we identified are largely the result of FAA’s failure to provide adequate oversight of the contract by communicating the DOT requirements regarding access controls. Upon learning of these control weaknesses, we notified FAA, which responded in June 2009 (see Appendix A), stating that it had begun implementing corrective actions, such as working with doctors to remove access for separated medical staff. In addition, FAA purged millions of PII records from the contractor’s site. However, the lack of documentation about the application security features such as definitions of users’ ability to access data and perform critical functions continues to weaken FAA’s ability to administer effective security.