30 October 2014

FDA Flunks Data Security Exam

Foley Hoag LLP


Last week, the HHS Office of Inspector General released a damning report on FDA's data security: "The objective of this review was to determine whether the FDA's network and external Web applications were vulnerable to compromise through cyber attacks." In short, they were vulnerable:

Overall, FDA needed to address cyber vulnerabilities on its computer network. Although we did not obtain unauthorized access to the FDA network, we identified the following issues:

  • Web page input validation was inadequate,
  • external systems did not enforce account lockout procedures,
  • security assessments were not performed on all external servers,
  • error messages revealed sensitive system information, and
  • demonstration programs revealed sensitive information.

According to OIG, "These [vulnerabilities] could have led to: (1) the unauthorized disclosure or modification of FDA data or (2) FDA mission-critical systems being made unavailable." While OIG reports that FDA says it has closed these holes, OIG also acknowledged that it has not verified FDA's actions in this regard.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
