Tuesday, June 29, 2010

Pilots - Your MEDICAL Information - Security and Privacy - Are at Risk

A Transportation Department Inspector General (IG) report dated June 18 found "serious security lapses" in systems that the FAA uses to store pilots' personal information, including medical data. Information collected from roughly 465,000 current medical certifications is just the tip of the iceberg. The IG says the FAA's Internet-accessible Medical Support System (MSS) holds records for more than three million airmen, past and present. The IG listed names, addresses, Social Security numbers and other "personally identifiable information" as information "not properly secured." According to the report, the system's vulnerabilities allow for the "potential falsification of medical certificates," and more. "Failure to encrypt sensitive personal identifiable information and control remote access to MSS," says the report, "places airmen at unnecessary risk of identity theft, jeopardizes the integrity of the medical certification process, and increases risks of attacks on departmental networks." The FAA is responding and the IG believes the FAA's current and planned actions will positively address the IG's concerns in most cases.

FAA requires airmen to hold a medical certification of their medical and mental fitness to operate aircraft. 1

This review was requested by the Chairmen of the House Committee on Transportation and Infrastructure and its Subcommittee on Aviation. The objectives of our audit were to (1) determine if airmen’s personally identifiable information (PII) is properly secured from unauthorized use or access, and (2) assess FAA’s progress in establishing mechanisms to identify airmen holding current medical certificates while receiving disability pay. MSS currently stores more than 18 million medical records supporting the medical assessment of over three (3) million airmen. To ensure aviation safety and protect the privacy of airmen, it is critical that this medical information be secure. Also, coordination with other Federal agencies may improve aviation safety by identifying airmen who are receiving disability benefits and may not have disclosed potentially disqualifying medical conditions.

1 A medical certificate must be held when exercising any of the following privileges: airline transport pilot, commercial pilot, private pilot, recreational pilot, flight instructor, flight engineer, flight navigator, or student pilot. Except for a person employed by FAA, a branch of the military services or the Coast Guard, a person acting as an air traffic control tower operator must also hold a medical certificate.


The names, addresses, Social Security numbers, medical data, and other PII of airmen are not properly secured to prevent unauthorized access and use. We found serious security lapses in FAA’s management of AMEs’ private medical support staff access to the system. For example, medical examiners’ former staff continued to have access to MSS. At the same time, FAA has not fully implemented security controls required by the Office of Management and Budget (OMB) and the Department to protect PII, such as multi-factor user authentication, audit trail reports to detect inappropriate access, and data encryption. In addition, FAA has not ensured secure configuration of MSS computers in accordance with the Department’s baseline standards to reduce the risk of unauthorized access and corruption. Specifically, we found vulnerabilities on MSS computers, such as configuration allowing intruders to install malicious code on FAA user computers. Inadequate contingency planning also threatens the service continuity of MSS. Combined, these weaknesses make airmen’s PII vulnerable to unauthorized access and use and potential falsification of medical certificates that could lead to unfit airmen being medically certified to fly. During the course of our review, FAA took immediate action to enhance security protection by working with doctors to remove thousands of separated medical staff's access to MSS and retracting millions of PII records from the contractor’s site. However, additional improvements are needed to adequately secure PII data from unauthorized use.

FAA has made limited progress in identifying airmen who receive disability benefits while holding medical certificates. While FAA has a draft matching agreement with the Social Security Administration (SSA) to reconcile data in MSS and SSA’s disability benefits system, it has yet to establish a target date for completing the interface. Further, FAA has yet to coordinate with other benefits providers, such as the Department of Veterans Affairs and the Department of Labor. FAA continues to rely on airmen to disclose potentially disqualifying conditions when applying for medical certificates. FAA recently announced a one-time, limited opportunity for airmen to reveal previously undisclosed depression and use of antidepressant medications without being subject to FAA.

2 This step, however, does not take the place of a comprehensive approach to undisclosed medical conditions. Accordingly, FAA needs to expedite computer matching agreements with disability benefits providers, implement the checks under those agreements, and take appropriate enforcement action where falsifications are found.

To assist FAA, we are making a series of recommendations to strengthen the confidentiality, integrity, and availability of airmen PII and to ensure unqualified airmen do not receive a medical certification enabling them to fly.


MSS contains over 18 million medical records on more than 3 million airmen, of which over 465,000 have current medical certifications.3

In 2007, the Inspector General testified before the House Committee on Transportation and Infrastructure that some airmen failed to disclose to FAA any medically disqualifying information on their applications for medical certificates. Further, some airmen held current medical certificates while simultaneously receiving disability benefits for medically disabling conditions. In addition to medical information, the system contains other sensitive personal information, such as name, address, date of birth, and Social Security number of airmen. MSS is accessible to about 9,000 users, 8,500 of whom are AMEs (private physicians who function as FAA designees) or their staff, who enter the medical data into the MSS Web site on the Internet. AMEs and their staff have access to all information (including medical data) stored in MSS on airmen examined in their offices. In addition, they can access the name, address, date of birth, and partial Social Security number on all airmen examined by other AMEs and stored in MSS. Almost 300 AMEs reside in 89 foreign countries and conduct exams on airmen seeking to fly in the United States.

2 75 Fed. Reg. 17049 (April 5, 2010). Our testimony suggested that FAA work with the SSA and other disability benefits providers to expeditiously develop and implement a strategy to check for and take appropriate certificate regulatory enforcement action where falsifications are found, and to consider revising its application for the medical certificate to require applicants to explicitly identify whether they are receiving medical disability benefits.

3 FAA’s Civil Aerospace Medical Institute in Oklahoma City processes medical certificate applications in MSS.

4 Falsification of FAA Airman Medical Certificate Applications by Disability Recipients (CC-2007-063, July 17, 2007). OIG reports and testimony can be found on our Web page: www.oig.dot.gov.


DOT policy requires FAA to implement controls for removing medical record access rights when they are no longer required, to ensure user access is derived from a role-based validation process and each user’s level of access is commensurate with a need to know, and to document all users who have access to sensitive data.5

Medical Staff and Contractor Access Continued Despite A Need To Know

However, such controls have not been implemented in MSS. At the same time, FAA has not implemented OMB guidance to secure PII in an automated information system or to properly configure MSS production and development computers to reduce the risk of tampering.

In addition, FAA had been sending millions of airman medical records from the MSS database to its contractor’s facilities, a practice that has been in place over the past decade. FAA’s contractor has been using this live data in its system testing procedures, but FAA had not justified the contractor’s need for using millions of live records—or considered the security implications of storing airman PII at the contractor facility. After we requested documentation of support and approval of the data transference, FAA concluded there was no business need to maintain the data at the contractor’s site. Millions of PII records were purged from the contractor’s site.

5 DOT Information Technology and Information Assurance Policy Number 2006-22 – October 11, 2006 (revision 1): Implementation of DOT’s Protection of Sensitive Personally Identifiable Information (SPII).

The control weaknesses we identified are largely the result of FAA’s failure to provide adequate oversight of the contract by communicating the DOT requirements regarding access controls. Upon learning of these control weaknesses, we notified FAA, which responded in June 2009 (see Appendix A), stating that it had begun implementing corrective actions, such as working with doctors to remove access for separated medical staff. In addition, FAA purged millions of PII records from the contractor’s site. However, the lack of documentation about the application security features such as definitions of users’ ability to access data and perform critical functions continues to weaken FAA’s ability to administer effective security.

Thursday, June 17, 2010

Turkish Airlines Flight 1951 B737-800 Accident

Turkish Air Lines Flight TK1951

Click the link below to watch the animation video with English audio.

Transcript of the audio:
Note: detailed explanations for readers unfamiliar with aviation are included.

"Turkish Air Lines Flight TK1951 departed Istanbul at 25 minutes past 8 in the morning on 25 FEB 2010. First flight to Amsterdam.

At a quarter past 10 [10:15], the aircraft enters Dutch airspace from the east on the approach to Schiphol airport. [Netherlands]

Due to a fault, the left-hand Radio Altimeter, one of the two on board, indicated an incorrect altitude of -8 feet. [minus 8 feet, although the aircraft was still passing through an altitude of 7900 feet in the AUTHORIZED descent to 4000 feet].

In this case, while the aircraft is descending to Flight Level 4000 [feet] and subsequently to 2000 feet, the incorrect height on the Radio [Altimeter] causes 5 complete audible warnings to be heard in the cockpit.


The pilot noticed these alarms.

There were 3 pilots in the cockpit: the co-pilot, who was flying the aircraft, is seated on the right. He is receiving line training from the captain, also an instructor, seated in the left seat.

The First Officer, acting as Safety Pilot, is seated in the observer's seat, located in the center and behind them.

The aircraft is now flying at 2000 feet on course 265 degrees as assigned by Air Traffic Control. Air Traffic Control assigned a new heading, 210 degrees, in order to intercept what is referred to as the Localizer before landing on runway 18 Right. ***Localizer = electronic projection of the runway centerline

The assigned heading results in intercepting the Localizer 5.5 nautical miles before the runway threshold.

A short line-up would be expected for a normal procedure, which would line the aircraft up at a minimum of 8 nautical miles from the runway threshold and on the Glide Slope. ***Glide Slope = electronic glide path

The consequence was that the final approach segment was shorter. No clearance for further descent to the Glide Slope was issued, so that the Glide Slope for landing on the runway would now be intercepted from above. ***The correct and usual practice is for the interception to be made from below the slope.

Characteristic noise of the landing gear being lowered.

When the aircraft intercepts the Localizer [flying above the slope], the thrust levers must be closed [reduced] to allow the aircraft to descend to the Glide Slope.
Due to the incorrect measurement by the left Radio Altimeter, the AutoThrottle [system] prematurely switches to the RETARD flight mode. This mode is usually activated in the final phase of the flight, in order to reduce speed when over the runway. The immediate effect, however, is the same as when the system is functioning correctly. The thrust levers close [are reduced to idle].
Intercepting the Glide Slope [descending] from above [it] masks the malfunction of the AutoThrottle [the automatic engine thrust control system]. At an altitude of 5000 feet, the Glide Slope is intercepted. At this point, the aircraft's speed is still above the landing speed, 144 knots. When the prescribed altitude of 1000 feet is passed, the aircraft and crew must be fully prepared for landing in accordance with Turkish Airlines company procedures. This, however, is not the case. Characteristic noise of the flaps being lowered.

The speed remains too high and the engine power too low. At the final flap position, the Pilot-Not-Flying is still engaged in [reading] the landing checklist. This may have caused the speed to decrease at the announcement. The Autopilot keeps the aircraft on the Glide Slope. In order to generate sufficient lift, the nose rises well above the normal level; the pilot does not become aware of this.

When the speed dropped to 109 knots, the Stick Shaker was activated [severe vibration of the control column]. Characteristic noise of the Stick Shaker operating. It sounds like a long, rapid burst of machine-gun fire.

A warning that the aircraft was flying too slowly and at risk of losing all lift very quickly. The pilot responded to this [pushes the thrust levers forward], but inadequately [pushed them only partially], [power is reduced again], the aircraft crashes.

In the final seconds of the Flight Data Recorder [FDR], it can be seen that, as soon as the Stick Shaker was activated, the co-pilot slides the thrust levers fully forward and pushes the control column to lower the aircraft's nose. The captain took control, but the AutoThrottle is not DEACTIVATED, which means that it almost immediately closes [reduced] the [engine] power again. The AutoThrottle and the Autopilot are then DEACTIVATED. Seven seconds later, full power is applied, but at this point there is insufficient height remaining to recover from the STALL [total loss of lift]. The aircraft crashes in a field located 1 mile from the runway. Due to the nose-high attitude, the tail strikes the ground first, and the aircraft breaks into 3 pieces.