OIG Cites FDA Network Vulnerabilities

Agency Claims It Has Remediated the Issues
An audit last year showed that the Food and Drug Administration had cybersecurity vulnerabilities on its computer network, according to a new report by the Department of Health and Human Services' Office of the Inspector General. But the FDA says it has remediated the issues.
Although the OIG says it did not obtain unauthorized access to the FDA network during the penetration testing that was conducted last fall, the watchdog agency says it identified several issues during its audit.
OIG writes that the problems could have led to unauthorized disclosure or modification of FDA data or FDA mission-critical systems being made unavailable.
Those vulnerabilities included:
- Web page input validation was inadequate;
- External systems did not enforce account lockout procedures;
- Security assessments were not performed on all external servers;
- Error messages revealed sensitive system information;
- Demonstration programs revealed sensitive information.
The watchdog agency makes seven recommendations to FDA to address the security vulnerabilities identified.
"In general, we recommended that FDA fix the Web vulnerabilities identified, implement more effective procedures to protect its computer systems from cyber attacks, and periodically assess the security of all of its Internet-facing systems," says OIG, noting that it provided more detailed recommendations directly to FDA.
OIG says that the FDA indicated in its written comments about the report that remediation actions have been appropriately applied. "We have not verified these actions because they took place after our audit period," the OIG report notes. "Implementation of our recommendations should further strengthen the information security of FDA's network and external Web applications. The timely implementation of our recommendations is important, and we plan to follow up with FDA on these audit results and its remediation action."
OIG says it conducted the penetration test from Oct. 21, 2013, through Nov. 10, 2013.
The OIG penetration testing began nearly a week after "a wide-scale cybersecurity breach involving an FDA system occurred that exposed sensitive information in 14,000 user accounts," the report notes.
In that incident, FDA staff detected unauthorized network access to the Center for Biologics Evaluation and Research's online submission system, which maintains the account information for the Biologic Product Deviation Reporting System, the Electronic Blood Establishment Registration System and the Human Cell and Tissue Establishment Registration System (see FDA Breach Raises Lawmakers' Hackles).
The breach prompted some Republican leaders of the House Committee on Energy and Commerce to express concerns that FDA had not been immediately forthright in disclosing details about the incident.
Coincidentally, the new OIG report on FDA's data security was issued the same week that FDA hosted a two-day workshop on medical device cybersecurity for the healthcare sector (see Medical Device Security: A Higher Profile).