CyberScout

Federal Watchdog Highlights Risks of FDA Medical Data Breach

One year after a breach at one of the nation's major federal agencies, it seems that cybercriminals may still be able to access sensitive information, according to Health IT Security. The U.S. Food and Drug Administration has key security flaws in its systems that could make it vulnerable to cyberintrusions, according to a report by the Office of the Inspector General (OIG). The federal watchdog said data breaches experienced by the FDA could lead to exposure of FDA data or unauthorized changes to this information. A cyberattack on the agency's systems could also have made information unavailable.

Cyberattacks in the health care industry have garnered the attention of both the public and private sectors, and the findings of the report show that the FDA still has vulnerabilities that could put consumer and even corporate information at risk. In October 2013, a data breach at the FDA affected users of an online system at the Center for Biologics Evaluation and Research, Reuters reported. The attack was on a network that held information related to various systems, including the electronic blood establishment registration system and the human cell and tissue establishment registration system.

"It is the legal obligation of the Food and Drug Administration to protect companies' trade secrets and confidential commercial information," PhRMA Vice President Sascha Haverfield said in a statement.

FDA Security Flaws Found in Report

In December 2013, pharmaceutical companies called on the FDA to have an independent security audit performed after a breach, Reuters reported.

While the OIG was unable to infiltrate the FDA's systems, according to the latest report, the agency has some issues related to external security measures. These include systems' inability to lock out accounts, as well as not having security assessments done for external servers. In addition to lacking proper security, the report also noted that users may have been able to see potentially confidential system information from error messages and demonstration programs.

Besides having inadequate security, the FDA seems to lack basic defenses, including encryption for passwords, according to Health IT Security. After the breach last year, lawmakers sent a letter to FDA Commissioner Margaret Hamburg pointing out the security risks. 

"The security breach of FDA's gateway system not only compromised the security of personal identifiable information, but also compromised the protection of confidential business information and medical privacy information of patients enrolled in clinical trials," the letter explained.

As the FDA is charged with protecting consumer information and company secrets, the agency is sure to face increasing pressure to improve its cybersecurity from organizations in and out of the public sector.