Charged with making sure the most modern medical treatments are safe and available to the public, the Food and Drug Administration is constantly testing the latest innovations in drugs and modern medicines. Now, the FDA is also looking to ensure that its own technology stays on the cutting edge — and remains secure.
As part of that effort, the FDA is undertaking a major overhaul of its IT, and last September released a plan that will carry the agency’s technology modernization through 2018. The plan spells out key milestones for the FDA to achieve, and rests on three pillars that are common among many agencies: quality, efficiency and security.
Yet for the FDA, there is quite a lot at stake. Brad Wintermute, deputy CIO of the FDA, said at the recent Appian World event in Washington, D.C., that “well over” 90 percent of the information the agency receives for the drugs, food, medical devices and other items it regulates comes in electronically. Included in that is a great deal of proprietary information, especially on new drugs, which might cost pharmaceutical companies $1 billion to produce over the course of a decade.
“We hold the ingredients to patented drugs,” Wintermute said, according to FedScoop. “We’re a ripe target ... of a lot of organizations. They want to get that data for not just a trophy, they want to actually be able to use it for some kind of competitive advantage.”
Changing a Culture, but Keeping Security in Mind
The FDA’s technology modernization plan calls on on the agency to improve customer satisfaction, awareness and accountability of services, collaboration and communication, partnerships with customers, and skill sets of its staff.
The plan also details how the FDA will use IT to improve the efficiency of its internal processes as well as how it uses technology, and help it cut costs.
Additionally, the plan lays out how the FDA will beef up security and increase its compliance with the Federal Information Security Modernization Act.
To accomplish all of that, the FDA will need to maneuver around financial and cultural hurdles. “What we’re trying to do through the strategic plan is get building blocks put in place and have a change in governance and philosophy,” Wintermute said, according to FCW.
The FDA’s plan notes that the agency’s Office of Information Management and Technology is not currently “providing enough cloud services to meet our customers’ needs. OIMT lacks an overall strategy for the resources, policies, processes, acquisition vehicles, governance and security approval process to fully support cloud solutions.”
To overcome that problem, the plan lays out numerous milestones for the FDA to more fully embrace the cloud, including building a secure provisioning solution that will allow provisioning of servers in a hybrid cloud environment, the evaluation and implementation of Platform as a Service, and developing a consumption-based model strategy where the customer would pay according to the resources used.
Getting past the old way of doing business will let the FDA embrace these cloud-based models, rather than rely on legacy IT systems, Wintermute said, according to FCW. There will likely be resistance to such updates, he said. As FCW reported: “Wintermute said FDA officials were initially excited by the prospect of increased digitization but became hesitant once the plans were ‘actually in writing.... I can see the resistance. It’s like, ‘Uh-oh, he's serious.’ ”
The FDA is looking to improve its cybersecurity posture. To that end, the plan calls on the agency to implement Continuous Diagnostics and Mitigation (CDM) using government-wide Information Security Continuous Monitoring (ISCM) tools to enhance its ability to “identify and respond, in real time or near real time, to the risk of emerging cyberthreats.” The FDA will also put in place Independent Verification and Validation for high-risk systems, and integrate cybersecurity governance requirements into its service and project management workflows.
Charting a New Course for Mobility
In April the FDA launched its “choose your own device” program, which allows employees to choose from several smartphones the agency had pre-approved. The plan includes enhanced mobile device management functionality to support such a program.
Additionally, the FDA wants to create an enterprise-wide mobile application program to provide a mechanism that will develop mobile apps that adhere to the agency’s IT standards. The agency also plans to create a mobility security team to develop strategies and policies to protect and secure mobile assets.
According to FCW, the agency believes that increased mobility would let FDA inspectors “check in and relay pictures, findings and geocoding data, and would improve coordination across agency divisions for quicker information sharing.”
"We have very few mobile apps in the environment today, but we really want to get to where we're using them across the board," Wintermute said, according to FCW.