With the recent spate of security breaches — at Target, Home Depot, JP Morgan Chase, among other places — Ed Silverman at Pharmalot wonders whether the US Food and Drug Administration is at risk.
As he writes, though, FDA has already been subject to a "wide-scale" security breach that affected some 14,000 accounts.
According to a new report from the US Department of Health and Human Services' Office of Inspector General, the FDA computer system has a few vulnerabilities.
For instance, it noted that the system has inadequate validation on webpage input, which could allow an attacker to send malicious input to the FDA pages and hijack a user's web browser to install malicious programs or send that user to a malicious site. Additionally, the report found that some error messages the FDA site gives reveal sensitive information, such as the version of the software the agency uses, that could aid an attacker.
The OIG reviewed the FDA systems last year, at the agency's request, Silverman notes. Not all systems, though, were tested, as the agency didn't want to risk some "mission-critical" ones going offline.
FDA tells Silverman that the agency has resolved these issues, and the OIG says a third party will be performing penetration testing, adding that such testing "will be of use until such time that we can actually perform a retest."