Concerns about FDA IT security persist, House committee report says

The US House Energy and Commerce Committee is taking issue once again with the way the FDA manages its IT systems, according to a report released late last week.

The report centers on a 2013 data breach where an unauthorized user gained access to the account details of over 14,000 users of one of FDA’s information systems.

“While the breach did not result in substantial harm to the agency’s network and users, it highlighted the susceptibility of FDA’s network to attacks and raised questions about the adequacy of FDA’s information security program,” the House committee says.

The vulnerability of information collected and maintained by the agency is of prime importance to many in the pharma and biotech industries because FDA has the legal obligation to protect companies’ trade secrets and confidential commercial information.

And with a $486m IT budget, the committee says that FDA had the resources to prevent the attacks, which one computer security expert, speaking on background with committee staff, characterized as the equivalent of “leaving the front door open.”

The committee also found that FDA was operating servers in a data center that its own security auditors would not accredit.

In addition, FDA was without a permanent CIO from February 2013 to May 2015. During that two-year period, FDA’s Deputy Commissioner/Chief Operating Officer assumed the position, but the GAO (Government Accountability Office) indicated to committee staff that it is unusual for a federal agency not to have a full-time CIO for more than a year. FDA’s CISO (chief information security officer) is still in “Acting” status after filling that role for more than two years.

“The inability of FDA to mitigate even this type of low-level threat raises the troubling questions about FDA’s preparedness for more sophisticated, and more dangerous, cyber threats,” the committee adds.