Senior Republican members of the House Energy and Commerce Committee have opened an investigation into the hacking of several databases maintained by the Center for Biologics Evaluation and Research (CBER), saying information provided to the public indicates that its databases may not have been properly secured.
News of the hacking was first reported by Regulatory Focus on 11 November 2013, several days after the US Food and Drug Administration (FDA) quietly released a statement to members of industry that databases within CBER had been hacked into on 15 October 2013 when the agency was in the midst of a government shutdown.
The affected databases included the Biologic Product Deviation Reporting System (eBPDR), the Electronic Blood Establishment Registration System (eBER) and the Human Cell and Tissue Establishment Registration System (eHCTERS).
While these databases are not as highly trafficked and do not contain as much commercially confidential information as some of FDA's other databases, FDA said it was nevertheless aware that user names, user information, phone numbers, email addresses and passwords had all been accessed. In all, 14,000 accounts, both past and current, were accessed, FDA said.
Regulators indicated that they had taken steps to disable the systems, implement new security measures and reset passwords for around 5,000 of the active user accounts. In addition, the agency advised users to reset their account information and to monitor their credit reports for possible identity theft.
Was the Data Encrypted?
But as Regulatory Focus reported on 13 November 2013, FDA has thus far refused to indicate whether the hacked data was encrypted, a best practice that would have ensured that even if the data was obtained, it would be unusable without the encryption key.
FDA's statement that passwords needed to be reset suggested that the stored data, or at least the passwords, may not have been protected at all. Strictly speaking, passwords should not be stored in reversible encrypted form but as salted hashes computed with a deliberately slow one-way function; even then, a reset is prudent after a breach, because leaked hashes can be attacked offline by guessing.
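To make the distinction concrete, the following Python is an added illustration written for this page, not code from FDA, CBER or any of the systems named above. It stores passwords as salted PBKDF2-HMAC-SHA256 hashes, verifies them in constant time, and then simulates what an attacker holding a leaked record can still do, which is why a password reset is the right response even when passwords were hashed rather than stored in the clear. The record format, iteration count and sample wordlist are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Assumed parameters for this example (not from the page): a 16-byte random salt
# and an iteration count high enough to make each guess expensive.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    The digest is one-way: the operator (or a thief) cannot recover the password
    from it, only test candidate guesses against it.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def offline_guess(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Simulate an attacker with a leaked record: no key is needed, just guesses.

    Returns the first candidate that verifies, or None. A strong KDF makes each
    guess slow, but a weak password is still recoverable, hence the reset.
    """
    for candidate in wordlist:
        if verify_password(candidate, stored):
            return candidate
    return None


def plaintext_exposure(record: dict) -> str:
    """Constructed 'before' case: a store that keeps the password itself.

    A breach of this record hands the attacker the credential directly; no
    guessing is needed and no encryption key is involved.
    """
    return record["password"]


if __name__ == "__main__":
    # Constructed sample accounts for the demonstration.
    bad_store = {"user": "j.doe", "password": "Summer2013"}
    good_store = {"user": "j.doe", "password": hash_password("Summer2013")}

    print("plaintext store leaks:", plaintext_exposure(bad_store))
    print("hashed store leaks:", good_store["password"][:40], "...")
    print("login with correct password:", verify_password("Summer2013", good_store["password"]))
    print("login with wrong password:", verify_password("Winter2013", good_store["password"]))
    # A leaked hash of a weak password still falls to an offline wordlist.
    print("offline guess:", offline_guess(good_store["password"], ["letmein", "Summer2013"]))
```

The `hmac.compare_digest` call matters even for a non-secret digest: it avoids a timing side channel on the comparison itself. The iteration count is a tunable cost knob; raise it as hardware gets faster, and store it in the record so old hashes can be rehashed on next login.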
When reached for a statement, Jennifer Rodriguez, a spokeswoman for CBER, said the agency wasn't able to confirm those details.
"With respect to your question regarding encryption, any security or vulnerability information related to this privacy breach cannot be discussed to ensure the confidentiality and integrity of our IT security posture," she said.
At the time, industry trade groups PhRMA and BIO said they were still looking into details surrounding the hacking, but raised general concerns about the safety of data maintained by FDA.
"It is FDA's legal obligation to protect companies' trade secrets and confidential commercial information," said Vice President of Scientific and Regulatory Affairs Sascha Haverfield. "FDA must have an adequate data security program to meet these obligations. These robust safeguards to ensure the security of information submitted to the FDA should be reflected in the comprehensive, strategic five-year information technology (IT) plan required by the Food and Drug Administration Safety and Innovation Act but not yet available for public review and comment."
Republican Letter to FDA
Senior Republican members of Congress have now raised the stakes further, issuing a letter to FDA Commissioner Margaret Hamburg expressing concern about the incident and FDA's handling of it.
Recounting the details of the hacking, legislators noted that FDA "did not notify members of industry about the breach until approximately 5:30 p.m. on 8 November 2013 (late Friday afternoon leading into the Veterans Day weekend), about the same time that FDA made the announcement about the security breach."
The gap between the hack and industry being made aware of it, as well as the manner in which industry was notified, seemed to particularly irk the legislators.
The incident is also concerning, legislators wrote, given the amount of funding FDA receives for information technology (IT) programs. "FDA's IT expenditures and overhead account for about 12% of the total FDA budget, a 'significant investment' according to [FDA]," they observed, adding that the incident was "very troubling."
"It is essential to the fulfillment of FDA's mission that regulated industry and patients have confidence in the security of sensitive information they submit to the FDA," they continued. "To restore public confidence in the FDA's information security, we request that you immediately obtain a third-party audit from a qualified expert to assess and ensure the adequacy of FDA's corrective actions taken in response to this incident."
The agency was given until 19 December 2013 to respond to the letter, which also calls for specific information about the hacking, FDA's internal response to information about the hacking, how industry was notified, whether information was secured, and numerous other documents related to the incident.
A separate letter to the Government Accountability Office (GAO) calls for an outside investigator to look into FDA's information security controls, as well as those at other government healthcare agencies.