Lawmakers seek answers about FDA hack

Lawmakers are concerned that an October hack into the U.S. Food and Drug Administration's online submission systems hasn't been adequately investigated.

In a letter to FDA commissioner Margaret Hamburg, five representatives on the House Energy and Commerce Committee have asked for more details.

The breach occurred on Oct. 18, but FDA did not announce it until Nov. 8. An unauthorized user gained access to the electronic submission system, which hosts all medical product information for the FDA, including information on drugs and medical devices. The breach drew little media attention.

In addition to confidential business information, medical data belonging to patients enrolled in clinical trials also was accessed, as well as names, phone numbers, e-mail addresses, and passwords to 14,000 accounts. Of those, close to 5,000 accounts are active.

The way FDA handled the notification--advising account holders to change passwords, for instance--suggests the agency had not encrypted passwords and other information, the letter states.

It seeks more information by Dec. 23 about the nature of the breach and the steps taken afterward.

In a second letter to Comptroller General of the United States Gene Dodaro, the committee members ask the Government Accountability Office to examine the information security controls over key computer networks at U.S. Department of Health & Human Services agencies and assess their effectiveness in protecting the confidentiality, integrity, and availability of each agency's information and information systems, according to a committee announcement.

Encryption is the single most essential technology to use for breach prevention, Joy Pritts, chief privacy officer at the Office of the National Coordinator for Health IT, recently said.

After reports that existing encryption can be broken, however, the National Institute of Standards and Technology (NIST) has launched a formal review of its processes for establishing encryption standards.

The HHS Office of Inspector General's latest strategic plan makes the security and integrity of electronic health records one of its highest priorities for 2014.
