An audit of the FDA’s computer network immediately after a cybersecurity breach last year detected vulnerabilities in the agency’s system.
The report, released Tuesday by the Department of Health and Human Services’ Office of Inspector General, said investigators weren’t able to gain unauthorized access to the FDA network. However, they found problems that could allow unauthorized users to view or change FDA data and cause key FDA systems to become unavailable.
“In general, we recommended that FDA fix the Web vulnerabilities identified, implement more effective procedures to protect its computer systems from cyber attacks, and periodically assess the security of all of its Internet-facing systems,” the report said.
The report comes after a major cybersecurity breach last October in the Center for Biologics Evaluation and Research’s system that exposed sensitive information from 14,000 user accounts.
For the review, investigators conducted a penetration test of the agency’s network and information systems from Oct. 21 to Nov. 10, 2013. Investigators received permission from FDA officials to conduct the test; however, they requested that staff not be notified.
Investigators uncovered external FDA systems that did not enforce an automatic lockout after a certain number of consecutive invalid login attempts, as required by the National Institute of Standards and Technology. They also identified FDA Web pages that did not perform adequate input validation on data entered by the user. OIG officials told FedScoop, “An example could be the submission of malicious code as input to the vulnerable website, which then gets executed on the server or within a user’s browser.”
At the same time, they said they could not conduct tests on seven external systems because officials said they were mission critical and couldn’t risk going offline. Only one of those systems had previously undergone a security assessment – and only within a preproduction environment, the report said.
The OIG report said it made seven recommendations to FDA, but it did not list them “because of the sensitive nature of the information.”
When asked whether FDA had taken steps to put the OIG’s recommendations into place, Jeff Ventura, a spokesman for the FDA, said via email: “We worked with the IG back in 2013 to perform this assessment. As we informed the IG, we resolved the issues identified in this report expeditiously.”
Two months after the FDA breach incident, Republican leaders of the House Energy & Commerce Committee sent a letter to FDA Commissioner Dr. Margaret Hamburg requesting a third-party audit “to assess and ensure the adequacy of FDA’s corrective actions taken in response to this incident.” They also called on the Government Accountability Office to launch a review of cybersecurity protections in place at critical HHS agencies.
“To restore public confidence in the FDA’s information security, we request that you immediately obtain a third-party audit from a qualified expert to assess and ensure the adequacy of FDA’s corrective actions taken in response to this incident,” lawmakers wrote to Hamburg at the time.