OIG audit finds FDA cybersecurity vulnerabilities
An Office of the Inspector General (OIG) audit found cybersecurity vulnerabilities in the FDA's network that could put its data at risk.
The audit focused on the FDA network and websites active between Oct. 21, 2013, and Nov. 10, 2013. The OIG attempted to exploit vulnerabilities via external penetration tests and gathered information on FDA's applications running on exposed hosts; application and supporting server structure; domain name server records; host names; hosts exposed to the internet; network address ranges; and operating system and application version information.
The external penetration test found several vulnerabilities that could have made mission-critical systems unavailable or allowed for unauthorized disclosure or modification of data. These vulnerabilities include inadequate web page input validation that hackers could use to install malicious programs, redirect users to malicious web pages or hijack a user's web browser; and error messages that revealed sensitive information, such as application code, which could be used to exploit programs' vulnerabilities.
OIG's audit report offered several recommendations to protect against data breaches such as FDA fixing vulnerabilities and performing periodic security assessments of its internet-facing systems.
Editor Beth earned a bachelor’s degree in journalism and master’s in health communication. She has worked in hospital, academic and publishing settings over the past 20 years. Beth joined TriMed in 2005, as editor of CMIO and Clinical Innovation + Technology. When not covering all things related to health IT, she spends time with her husband and three children.