Last week, the HHS Office of Inspector General released a damning report on FDA’s data security: “The objective of this review was to determine whether the FDA’s network and external Web applications were vulnerable to compromise through cyber attacks.” In short, they were vulnerable:
> Overall, FDA needed to address cyber vulnerabilities on its computer network. Although we did not obtain unauthorized access to the FDA network, we identified the following issues:
>
> - Web page input validation was inadequate,
> - external systems did not enforce account lockout procedures,
> - security assessments were not performed on all external servers,
> - error messages revealed sensitive system information, and
> - demonstration programs revealed sensitive information.
According to OIG, “These [vulnerabilities] could have led to: (1) the unauthorized disclosure or modification of FDA data or (2) FDA mission-critical systems being made unavailable.” While OIG reports that FDA says it has closed these holes, OIG also acknowledged that it has not verified FDA’s remediation.