US Food and Drug Administration (FDA) officials have refused to say whether passwords exposed in an October intrusion into an agency database were encrypted, saying that releasing that information would compromise its "IT security posture."
As first reported by Focus on 11 November, FDA disclosed on 8 November to a select group of industry officials that databases within the Center for Biologics Evaluation and Research (CBER) had been hacked into on 15 October 2013. That date coincides with the partial shutdown of the agency that resulted from a congressional budget impasse.
The affected databases included the Biologic Product Deviation Reporting System (eBPDR), the Electronic Blood Establishment Registration System (eBER) and the Human Cell and Tissue Establishment Registration System (eHCTERS).
While these databases are not as highly trafficked and do not hold as much commercially confidential information as some of FDA's other databases, FDA said it was nevertheless aware that user names, user information, phone numbers, email addresses and passwords had all been accessed. In all, 14,000 accounts, both past and current, were accessed, FDA said.
Regulators indicated that they had taken steps to disable the systems, implement new security measures and reset passwords for around 5,000 active user accounts. In addition, the agency advised users to reset their account information and to monitor their credit reports for possible identity theft.
Was Data Encrypted?
The effort to reset passwords raised an obvious question: were the passwords encrypted?
Focus raised this point in an email to FDA, but in a response the agency said it wasn't able to comment.
"With respect to your question regarding encryption, any security or vulnerability information related to this privacy breach cannot be discussed to ensure the confidentiality and integrity of our IT security posture," wrote Jennifer Rodriguez, a spokeswoman for CBER.
Encryption, or more precisely the salted one-way hashing that is standard practice for stored passwords, would mean that an attacker who copied the database does not obtain usable passwords. A hashed password cannot be "decrypted" at all; the attacker must guess candidate passwords and compute the hash of each one, which makes long, unique passwords impractical to recover while still leaving short or common ones exposed to dictionary attacks. If the passwords were stored in plaintext, by contrast, every affected account, and any other service where a user reused the same password, is immediately at risk, which is why the distinction matters to the people being told to reset their credentials.
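The following is an added example, not code from the original article and not a description of how FDA's systems store credentials. It shows the difference the paragraph above is about: passwords protected with salted PBKDF2-HMAC-SHA256 (from the Python standard library) cannot be read back from a leaked record, but an attacker can still guess. The iteration count, the record format and the small wordlist are all constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Illustrative parameters (assumptions for this example). A real deployment
# tunes the iteration count to a target verification cost on its own hardware.
ITERATIONS = 100_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    The salt is random per password, so two users with the same password get
    different records and a precomputed table is useless against the whole set.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the hash of the candidate with the stored salt and compare."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported record type: {algorithm}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so a login endpoint does not leak digest prefixes.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def crack_with_wordlist(record: str, wordlist: Iterable[str]) -> Optional[str]:
    """What an attacker holding a leaked record can do: one slow hash per guess.

    There is no decryption step; the only attack is to try candidates. A weak
    password in the list falls, a strong one does not.
    """
    for guess in wordlist:
        if verify_password(record, guess):
            return guess
    return None


# Constructed sample wordlist; not derived from any real breach data.
WORDLIST = ["password", "123456", "letmein", "qwerty", "fda2013"]

if __name__ == "__main__":
    weak = hash_password("letmein")
    strong = hash_password("k7#Qp9!vLz2@wR4m")
    print("stored record:", weak)
    print("weak password recovered:", crack_with_wordlist(weak, WORDLIST))
    print("strong password recovered:", crack_with_wordlist(strong, WORDLIST))
```

The record carries its own parameters so the iteration count can be raised later and old records re-hashed on next login. Note that the hashing only slows the attacker down per guess; it does nothing for a user whose password appears in a common wordlist, which is why a reset advisory is still warranted even when the passwords were hashed.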
Of course, government databases being hacked is not a new phenomenon. FDA saw its database center hacked into in 2011, reportedly by Chinese-affiliated groups seeking information on drugs and drug trials. More recently, FDA said that an effort to protect medical devices against hacking would, ironically, have to take into account the potential for rogue groups to hack into FDA's own systems to get hold of those same exploits.
Industry Weighs in (Where it Can)
But FDA's refusal to say whether the passwords were encrypted, a fairly benign statement that many companies offer after a breach, isn't necessarily comforting.
When reached for comment, neither the Pharmaceutical Research and Manufacturers of America (PhRMA) nor the Biotechnology Industry Organization (BIO) said they knew enough about the breach to comment on its specifics.
"We weren't aware of the incident [before Monday]," said Tracy Cooley of BIO, adding that she had reached out to several other organizations in an attempt to learn more. "We know that there are constant attempts and raised the issue of e-submission gateway security with FDA in August as part of a discussion around IT governance."
PhRMA, through spokeswoman Stephnie Fischer, said it was still working to "learn more of the extent of the security breach," but that the agency needed to be more transparent about its data security measures.
"It is FDA's legal obligation to protect companies' trade secrets and confidential commercial information," said Vice President of Scientific and Regulatory Affairs Sascha Haverfield. "FDA must have an adequate data security program to meet these obligations. These robust safeguards to ensure the security of information submitted to the FDA should be reflected in the comprehensive, strategic five-year information technology (IT) plan required by [the Food and Drug Administration Safety and Innovation Act] but not yet available for public review and comment."