The Federal Motor Carrier Safety Administration’s online registry of certified medical examiners was hacked and more than three months later remains out of service.
The hack occurred Dec. 1. The current offline status could delay June implementation of an agency final rule that would eliminate the need for truck drivers to carry a medical card as proof that they passed their medical exams, the agency said.
In a statement to Transport Topics, FMCSA said it believes no personal information was taken during the breach.
The statement said that on Dec. 15, the agency attempted to put the system back online but determined there were still security vulnerabilities and the system was taken offline again. It remained down as of press time.
The medical examiners database contains records of medical exams and sensitive information on the 58,000 examiners as well as exams administered to truck drivers, according to a privacy impact assessment of the website last year by the U.S. Department of Transportation.
Since May 2014, drivers have been required to use the website to identify physicians authorized by the agency to conduct medical exams.
A statement on the registry site reads: “The National Registry website is currently under construction with limited functionality.” That functionality allows drivers to plug in their zip codes to find certified examiners in their area.
In a written response to a query from TT, the agency said it has not yet identified the hacker, but that the investigation is ongoing.
“The delay in restoring the site is due to the department’s commitment to ensure the security of the site,” FMCSA said. “The security of the data and privacy of drivers and medical examiners is the paramount concern.”
The agency noted the hack indicated that the information technology system's safeguards needed enhancements to protect against certain risks that have surfaced since the site was first launched around 2011.
“We will continue to work to address those risks to ensure that when the site is up and running, we will be in a better position to avoid a repeat of what happened in December 2017,” FMCSA said.
The agency said the cost to make the fixes has not yet been determined but that the DOT chief information officer and FMCSA are working to “develop a roadmap and cost estimate to deploy services through an iterative methodology.”
Prior to the hack, the agency was on track to fully implement its 2015 “medical examiner’s certification integration” final rule by June 22.
The rule removes the requirement that drivers provide paper copies of their medical certifications to their state commercial driver license issuing agency. Therefore, medical cards would no longer be considered valid proof of medical qualification for drivers with commercial driver licenses.
Under the new rule, medical examiners would electronically pass medical examination information to FMCSA, which would in turn pass it electronically to the state licensing agency, allowing law enforcement to make checks to validate medical driver qualifications.
Brian Morris, a member of FMCSA’s medical review board and Corporate Medical Director for Quadrant Health Strategies Inc., said the agency has not shared information with him on the hack.
“I can’t imagine what could be going on with the site being down for months,” Morris told TT. “I have no idea when the site is going to go back up.”
Morris said exams are still being performed, but with the website down, records of the exams cannot be entered into the database.
“The records have been piling up,” he said. “At some point we’re going to have to enter all that data. So it becomes quite burdensome.”
Although FMCSA said it has launched a static look-up function on the website for validity checks, Morris said since data has not been entered in recent months, any validity checks of exams likely would have to be verified with the examiner’s office.
There have been past indications that information technology systems at FMCSA and DOT have room for improvement in protecting personally identifiable information.
A DOT inspector general audit released in January recommended that DOT’s chief privacy officer establish a continuous monitoring program for security controls to ensure that personally identifiable information systems remain compliant with the agency’s privacy risk management policy.
In a 2017 report on FMCSA’s information technology, the Government Accountability Office said the agency needed to strengthen its strategic planning and oversight to modernize legacy systems, including the medical examiners registry.
In 2016, a DOT inspector general audit of the Volpe Transportation Center, which contracted with FMCSA to develop and operate the medical examiners registry, said that some of the center’s management practices created security weaknesses that make its IT infrastructure vulnerable to compromise.