Hack of FDA databases raises cybersecurity questions

In the flurry of chatter about the implications of last month's government shutdown, cybersecurity experts tried to get one point across--the furloughing of staff makes us vulnerable. With fewer staff guarding the U.S., the fear was hackers would strike. Now, the experience of the FDA shows fears were well founded.

On October 15, the day before the shutdown ended, Center for Biologics Evaluation and Research (CBER) databases were hacked, Regulatory Focus reports. The security breach exposed the names, details, phone numbers, email addresses and passwords of 14,000 accounts, around 5,000 of which are active. While other FDA databases contain more commercially sensitive information, the event is at the very least an annoyance and potential risk to individual users.

The FDA advised the 5,000 active users to change their passwords and keep an eye on their credit reports in case the hackers have stolen their identity. The breach has raised questions about whether the FDA encrypts users' passwords. The FDA isn't answering, though. "With respect to your question regarding encryption, any security or vulnerability information related to this privacy breach cannot be discussed to ensure the confidentiality and integrity of our IT security posture," CBER spokesperson Jennifer Rodriguez said.

Hacks of company databases have shown some organizations are far more vigilant than others when it comes to protecting user information. The recent theft of details for 150 million Adobe ($ADBE) accounts revealed the software giant's systems fell well short of the cybersecurity ideal. In other cases, such as the breach of Apple ($AAPL) news blog MacRumors, the use of a cryptographically hashed format with a unique salt has protected user passwords.
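The difference between the two outcomes above comes down to how credentials are stored. The following is an added example (not code from the FDA, Adobe or MacRumors) of the salted, iterated hashing that limits the damage of a leaked account table: each user gets a random salt, so two users with the same password still produce different stored values and an attacker cannot crack one record and match it against the rest. The iteration count, record format and sample accounts are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Illustrative parameters (assumed, not taken from any named organization).
ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor
SALT_BYTES = 16        # per-user random salt length


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Store a self-describing record: algo$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # unique salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the stored salt/iterations; constant-time compare."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def unsalted_sha1(password: str) -> str:
    """Weak scheme for contrast: no salt, one fast hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def compare_storage_schemes(users: Dict[str, str],
                            iterations: int = ITERATIONS) -> Dict[str, int]:
    """Count distinct stored values per scheme; shared passwords collide
    only in the unsalted table, which is what lets a leak be cracked in bulk."""
    unsalted = {unsalted_sha1(p) for p in users.values()}
    salted = {hash_password(p, iterations=iterations).split("$")[3]
              for p in users.values()}
    return {"unsalted_distinct": len(unsalted), "salted_distinct": len(salted)}


# Constructed sample accounts; two users chose the same password.
SAMPLE_USERS = {"alice": "Winter2013!", "bob": "Winter2013!", "carol": "x7#Pq"}
```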

Where the FDA fits on the spectrum of protections is unclear, but the hack has increased scrutiny of its security procedures. "It is FDA's legal obligation to protect companies' trade secrets and confidential commercial information. FDA must have an adequate data security program to meet these obligations," PhRMA VP Sascha Haverfield said. The FDA is due to detail its cybersecurity plans in a 5-year information technology strategy document but is yet to share a draft with the industry.

- read the Regulatory Focus article
- check out the Adobe case