FDA Flunks Data Security Exam

Last week, the HHS Office of Inspector General released a damning report on FDA’s data security:  “The objective of this review was to determine whether the FDA’s network and external Web applications were vulnerable to compromise through cyber attacks.”  In short, they were vulnerable:

Overall, FDA needed to address cyber vulnerabilities on its computer network. Although we did not obtain unauthorized access to the FDA network, we identified the following issues:

  • Web page input validation was inadequate,
  • external systems did not enforce account lockout procedures,
  • security assessments were not performed on all external servers,
  • error messages revealed sensitive system information, and
  • demonstration programs revealed sensitive information.

According to OIG, “These [vulnerabilities] could have led to: (1) the unauthorized disclosure or modification of FDA data or (2) FDA mission-critical systems being made unavailable.”  OIG reports that FDA says it has closed these holes, but OIG also acknowledged that it has not verified FDA’s actions in this regard.
