House Committee Slams FDA Handling of Cybersecurity Breach

A House Energy and Commerce Committee report on cybersecurity breaches at HHS blames the FDA for not acting forcefully enough to prevent a known web vulnerability that has been a security concern for the past decade.

The report, prepared by the majority staff and released earlier this month, also points to the agency’s failure to appoint a full-time chief information officer and permanent chief information security officer, which put information security at risk even as the FDA was operating servers in its data center that its own security auditors would not accredit.

Lawmakers called for an audit of all HHS computer systems to determine if information is secure after hackers broke into CBER’s online submission system in 2013. The investigation found that five HHS divisions, including the FDA, suffered security breaches over the last three years.

The CBER breach occurred in October 2013 during the government-wide shutdown when hackers were able to obtain user account information. Three weeks later, the agency posted a message about the hack on the CBER submission site that said information for certain users including their first and last names, phone numbers, email addresses, usernames and passwords had been compromised, and they should take measures to protect their online identity.

Under federal regulations, the FDA is required to hire a CIO to manage IT and ensure networks and sensitive data are protected and a CISO to focus solely on cybersecurity. The report notes that the FDA has had six CIOs since 2008 and was without a permanent CIO from February 2013 to May 2015. The current CISO has held the position for two years, but still holds the title “acting.”

FDA did not respond to a request for comment. Read the report at www.fdanews.com/08-12-15-cybersecurity.pdf — John Bechtel