News Feature | October 28, 2014

Penetration Test Reveals FDA Vulnerabilities


By Christine Kern, contributing writer


The test found that the FDA's network and systems had vulnerabilities that could lead to unauthorized access.

A recent penetration test performed by the Office of Inspector General (OIG) on the Food and Drug Administration's (FDA) network and systems found a number of potential vulnerabilities that could pose serious risks to data and system performance.

As Health Data Management reports, the audit was conducted to assess any existing vulnerabilities in the FDA’s network and external web applications that could lead to compromise through cyber-attacks. As a result of the test, auditors discovered vulnerabilities with the potential to allow unauthorized disclosure or modification of FDA data, or to cause a lack of availability of FDA mission-critical systems.

This audit was one of a series conducted by the OIG using penetration testing to determine the security of networks run by HHS and its operating divisions. One reason for the penetration testing was an earlier wide-scale security breach of an FDA system, in October 2013, involving some 14,000 user accounts.

As part of the audit, the OIG “identified FDA web pages that did not perform adequate input validation on data entered by the user. Exploitation of this vulnerability could result in malicious input being sent from an attacker to FDA web pages to hijack a user’s web browser application, install malicious programs, or redirect users to malicious web pages.”

The audit was conducted from October 21, 2013 through November 10, 2013, with the full knowledge and consent of FDA officials.

Among the issues identified by the penetration testing were that FDA "web page input validation was inadequate, external systems did not enforce account lockout procedures, security assessments were not performed on all external servers, error messages revealed sensitive information, and demonstration programs revealed sensitive information." Each of these vulnerabilities could potentially lead to unauthorized disclosure or modification of FDA data or the disabling of FDA mission-critical systems.
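To make three of those finding classes concrete, the following Python is an added illustration written for this article; it is not code from the OIG report or from any FDA system, and every name, threshold and sample value in it is constructed. It places a weak handler beside a hardened one for inadequate input validation (user input reflected into a page without encoding), for missing account lockout, and for error messages that reveal internal details, together with the small checks a reviewer would run against each.

```python
# Added example, not from the OIG report or the article. All names, limits
# and sample data below are constructed for illustration.
import html
import re
import uuid
from dataclasses import dataclass, field

# --- Finding: "web page input validation was inadequate" ---------------------

def render_search_weak(query: str) -> str:
    """'Before': reflects the user's query into the page unchanged."""
    return f"<p>Results for: {query}</p>"


def render_search_hardened(query: str) -> str:
    """'After': enforce a length limit, then HTML-encode everything echoed back."""
    if len(query) > 100:
        raise ValueError("query exceeds 100 characters")
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


_TEMPLATE_TAGS = re.compile(r"</?p>")

def contains_raw_tag(rendered: str) -> bool:
    """Review check: does any tag other than the template's own <p> reach the client raw?"""
    stripped = _TEMPLATE_TAGS.sub("", rendered)
    return re.search(r"<[a-zA-Z/!]", stripped) is not None


# --- Finding: "external systems did not enforce account lockout procedures" --

@dataclass
class LockoutPolicy:
    """Per-account consecutive-failure counter with a timed lockout (constructed policy)."""
    max_failures: int = 5
    lockout_seconds: int = 900
    failures: dict = field(default_factory=dict)      # user -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # user -> unix time the lock expires

    def is_locked(self, user: str, now: float) -> bool:
        return self.locked_until.get(user, 0.0) > now

    def record_failure(self, user: str, now: float) -> None:
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= self.max_failures:
            self.locked_until[user] = now + self.lockout_seconds
            self.failures[user] = 0

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)


# Constructed credential store for the demo; a real store holds password hashes.
CREDENTIALS = {"alice": "correct-horse"}

def attempt_login_weak(user: str, password: str) -> str:
    """'Before': unlimited attempts, nothing is counted."""
    return "ok" if CREDENTIALS.get(user) == password else "denied"


def attempt_login_hardened(policy: LockoutPolicy, user: str, password: str, now: float) -> str:
    """'After': refuse locked accounts, count failures, reset the counter on success."""
    if policy.is_locked(user, now):
        return "locked"
    if CREDENTIALS.get(user) == password:
        policy.record_success(user)
        return "ok"
    policy.record_failure(user, now)
    return "locked" if policy.is_locked(user, now) else "denied"


# --- Finding: "error messages revealed sensitive information" ----------------

def error_response_weak(exc: Exception) -> str:
    """'Before': the exception text (paths, table names, versions) goes to the client."""
    return f"500 Internal Server Error: {exc!r}"


def error_response_hardened(exc: Exception, server_log: list) -> str:
    """'After': details stay in the server log under a reference id; the client gets a generic message."""
    ref = uuid.uuid4().hex[:8]
    server_log.append(f"{ref} {exc!r}")
    return f"500 Internal Server Error (reference {ref})"


if __name__ == "__main__":
    sample = "<b>budget</b>"                      # constructed user input
    print(render_search_weak(sample), contains_raw_tag(render_search_weak(sample)))
    print(render_search_hardened(sample), contains_raw_tag(render_search_hardened(sample)))
    policy = LockoutPolicy(max_failures=3, lockout_seconds=60)
    for t in (1.0, 2.0, 3.0, 4.0):
        print(attempt_login_hardened(policy, "alice", "wrong", t))
    log = []
    print(error_response_hardened(KeyError("/srv/app/db.conf"), log), log)
```

Each pair keeps the same interface so the two behaviours can be compared under identical input: the encoding check looks for any tag the template did not itself emit, the lockout path returns "locked" on the attempt that trips the threshold and on every attempt until the window expires, and the error helper keeps the exception text on the server side only.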

According to the report, “In written comments to our draft report, FDA indicated that our findings have been addressed by the system owner(s) and remediation actions have been appropriately applied. We have not verified these actions because they took place after our audit period.”