September 6, 2018 1:45 PM, EDT

FMCSA Medical Registry Hack Still Causes Delays Nine Months Later

doctor with medical filesTashi-Delek

An “incursion” nine months ago that shut down the Federal Motor Carrier Safety Administration’s National Registry of Certified Medical Examiners still is causing delays in registering new examiners and backlogs for medical examiners to upload truck driver examinations, officials said.

In an Aug. 22 update, FMCSA said that the examiners website remains offline, and as a result the agency is experiencing technical delays due to a “high call and e-mail volume.”

Meanwhile, officials are scurrying to rebuild the website that was closed down after a hack Dec. 1 but indicate they cannot say when it will become fully operational.

FMCSA screen grab


“At no time has any personally identifiable information been compromised,” FMCSA spokesman Duane DeBruyne said. “To ensure the long-term integrity of the national registry, the structural design is being augmented and the work is ongoing — to be completed as expeditiously as possible.”

DeBruyne said the investigation into the hack is continuing to be led by the U.S. Department of Transportation Office of Inspector General.

OIG did not return a phone message seeking comment.

The website is integral to the agency and drivers because it contains sensitive information on the 58,000 medical examiners as well as exams administered to truck drivers, according to a privacy impact assessment of the website last year by DOT. Since May 2014, drivers have been required to use the website to identify physicians who have passed a written exam and are authorized by the agency to conduct driver medical exams.

Although the national registry is currently under construction, certified medical examiners can continue conducting physical qualification examinations of commercial motor vehicle drivers and issuing paper medical examiner’s certificate Form MCSA-5876 to qualified drivers,” the update said. “Medical examiners should segregate all examinations completed during the outage and be prepared to upload them to the national registry system when it is back online, with no penalties.”

However, until the website is fully operational the agency has posted a cumbersome process for registering new examiner and examiner administrative assistant accounts and logging into the registry — including an 11-minute how-to video. Still, there will be a three-year delay for implementation of the IT process that would no longer require drivers to keep a copy of their physical exam certifications to verify they are qualified to drive.

Once the agency’s “medical examiner’s certification integration” final rule takes effect in three years, medical examiners would electronically pass medical examination information to FMCSA, which would in turn pass it electronically to the state licensing agency, allowing law enforcement to make checks to validate medical driver qualifications.

Brian Morris, a Boston medical doctor and member of FMCSA’s medical review board, said the hack has resulted in sometimes weekslong delays getting exam results information to the agency. “You’re pretty much supposed to be entering the data the same day as the exam, or close to it,” Morris said.

“I personally don’t understand why it’s taking so long to straighten the website out,” Morris told Transport Topics. “To me, these computer issues shouldn’t be major issues that cause confusion and inconvenience for months at a time.”

Although the agency said no sensitive personal information was accessed during the hack, there have been past indications that information technology systems at FMCSA and DOT have room for improvement in protecting what is known as “personal identifiable information.”

A DOT Inspector General audit released in January recommended that DOT’s chief privacy officer establish a continuous monitoring program for security controls to ensure that personal identifiable information systems remain compliant with the agency’s privacy risk management policy.

In a 2017 report on FMCSA’s information technology, the Government Accountability Office said the agency needed to strengthen its strategic planning and oversight to modernize IT legacy systems, including the medical examiners registry.