A government audit of the US Food and Drug Administration (FDA), ordered last year after one of the agency's databases was compromised, has found the agency is vulnerable to hacking attempts which could lead to the loss of sensitive information.
In November 2013 FDA quietly reported that several databases maintained by its Center for Biologics Evaluation and Research (CBER) had been hacked into. Information on at least 14,000 accounts had been improperly accessed as a result of the breach, the regulator confirmed.
The affected databases included CBER's Biologic Product Deviation Reporting System (eBPDR), Electronic Blood Establishment Registration System (eBER) and Human Cell and Tissue Establishment Registration System (eHCTERS).
The unauthorized intrusion prompted legislators to raise questions regarding whether regulators were properly securing information, including databases controlled by other FDA centers. Regulators repeatedly declined to say if key details of the accounts, including passwords, had been encrypted—a step which would have rendered any hacked passwords practically useless.
"With respect to your question regarding encryption, any security or vulnerability information related to this privacy breach cannot be discussed to ensure the confidentiality and integrity of our IT security posture," one FDA spokeswoman told Focus at the time.
In a letter to FDA regarding the unauthorized access, legislators called for an outside investigation of FDA's information security controls, saying FDA stakeholders need to have "confidence in the security of sensitive information they submit to the FDA."
Government Report: FDA Vulnerable
Now the results of that audit have been released.
On 21 October, the US Department of Health and Human Services' (DHHS) Office of the Inspector General (OIG) released a report, Penetration Test of the FDA's Computer Network, assessing the strength of FDA's internal and external network security.
OIG officials said they conducted a "penetration test" of FDA's network and information systems over a three-week period spanning October and November 2013, around the same time FDA's network was compromised.
"Overall, FDA needed to address cyber vulnerabilities on its computer network," the report concludes. Though OIG noted it did not obtain unauthorized access to FDA's networks, it said it found parts of FDA's network to be "inadequate."
Various problems—external systems lacked proper lockout procedures, external servers went without security assessments, and error messages and demonstration programs revealed sensitive information—could have led to the "unauthorized disclosure or modification of FDA data," the report observed. Even if information was not obtained, it could have led to outages of "mission-critical" systems, OIG said.
In one of the most alarming lapses, OIG said it found improperly secured webpages which could have allowed malicious code to be placed on FDA's website, allowing it to hijack other users' browsers and install malicious programs on their machines.
Recommendations have already been made to FDA, OIG said, noting that the report only contains vague details due to the sensitive nature of the findings.
FDA's budget for information technology, including cybersecurity, is currently $486 million per year, the report notes—"approximately 11% of the total FDA budget of $4.4 billion in fiscal year 2014, a significant investment."
Penetration Test of the FDA's Computer Network