Sensitive US health and drug data left exposed by dozens of FDA security flaws

The US Food and Drug Administration hasn't had an OPM-style breach, but it's left plenty of doors wide open, says government watchdog GAO.
Written by Liam Tung, Contributing Writer

The GAO audit picked up weaknesses in the FDA's access controls, firewalls, encryption, and data-disposal systems.


The US Food and Drug Administration has been told to implement 166 recommendations to fix over 80 computer weaknesses that put trade secrets and health data at risk.

Congressional watchdog GAO reviewed seven of the FDA's computer systems and found 87 flaws that it said unnecessarily exposed sensitive data on public health and drugs, as well as personal information, to security breaches.

The FDA was given the report in August and has since been working to address the flaws.

The audit identified weaknesses in the FDA's access controls, firewalls, contingency planning, encryption, and systems to sanitize disposed tapes, disks, and hard drives.

According to the GAO, the FDA's IT systems are critical to its role in protecting public health since they're used to receive and maintain industry and public health data, as well as trade secrets contained in drug submissions.

"Until FDA rectifies these weaknesses, the public health and proprietary business information it maintains in these seven systems will remain at an elevated and unnecessary risk of unauthorized access, use, disclosure, alteration, and loss," the GAO said.

In one example, the GAO found that improperly configured firewalls exposed FDA information to one of its service providers' untrusted networks.

Other access control shortcomings included failing to change the passwords for a sensitive database server in the past five years. Other passwords for accounts with access to industry information were set to never expire. The agency also lacked password controls on some of the network devices that deliver web applications to FDA users.

GAO also found the FDA was too liberal with system permissions for access to drug submissions.

For example, 49 admins and users unnecessarily had access to 392 servers and access to file shares containing industry submissions on adverse events. Also, over 4,500 users had access to file shares used to handle regulatory drug and biologic product submissions.

The FDA failed to audit and monitor equipment used by an IT contractor that supports the agency's internet and public network.

It also didn't keep forensic data relating to a 2013 attack on a backend server, leaving it unable to support subsequent investigations to determine whether the attacker had burrowed deeper into its network.

The GAO made 15 broad recommendations that the FDA would need to fully implement, including 166 specific actions.

FDA CIO Todd Simpson said the agency had fully implemented 12 of the 15 recommendations and 102 of the 166 actions.

"We anticipate completing the remaining three program recommendations in the next few months, and the remaining technical recommendations in the next year," Simpson said.

He also defended the FDA's IT systems, arguing that the report did not reflect the state of its broader IT systems.

"The FDA appreciates and takes very seriously the GAO report's recommendations, but the report's limited findings should not be broadly applied to the FDA's entire IT enterprise," Simpson said.

"It is also important to note that the FDA has not experienced any major cybersecurity-related breaches that exposed industry or public health information."

