FDA computer network vulnerable to data breaches

A penetration test of the U.S. Food and Drug Administration's computer network conducted by the U.S. Department of Health and Human Services Office of Inspector General uncovered several vulnerabilities, according to a report published Oct. 21.

The report identified five problems with the network, including:

  1. Inadequate Web page input validation: "We identified FDA Web pages that did not perform adequate input validation on data entered by the user," the report's authors wrote. They added that exploitation could open the door for hackers to send "malicious input" to the agency's Web pages to hijack a user's Web browser or to redirect users to malicious pages.
  2. External systems that don't enforce account lockout: The report's authors found external systems that did not lock accounts after a number of consecutive failed log-in attempts.
  3. A lack of assessments performed on external servers: OIG was not permitted by FDA to perform penetration testing on seven external systems it deemed mission critical. "Hence, we could not verify whether security vulnerabilities existed within these systems and whether the vulnerabilities could be exploited to gain unauthorized access to FDA systems and data," the report said.
  4. Error messages that reveal sensitive information: Many times, the report's authors said, error messages generated via system applications revealed application code to attackers. However, according to the report, the National Institute for Science and Technology requires all federal information systems to generate error messages that reveal only enough information to take corrective measures.
  5. Demonstration programs that reveal system information: "Oftentimes, software may leave demonstration programs or sample scripts available as part of a default installation," said the report's authors, who identified demonstration programs that could be run on FDA systems. Such programs "revealed sensitive internal system environment settings," they wrote.

Last October, a hack of the FDA's online submission systems enabled unauthorized users to gain access to confidential business information; medical data belonging to patients enrolled in clinical trials; and names, phone numbers, email addresses and passwords for 14,000 user accounts.

No unauthorized access was granted to FDA's network during the penetration test, according to OIG.

In a July blog post, FDA Deputy Commissioner for Operations Walter Harris talked about FDA's focus on restructuring its IT efforts to offer greater transparency and efficiency in customer support and services. In another recent FDA blog post, Taha Kass-Hout, the agency's chief health informatics officer, wrote about the FDA embracing cloud computing as part of its effort to build powerful tools to collect, store and analyze massive amounts of data.
