Even though the government shutdown is behind us—for the moment anyway—news continues to surface about its implications. A particularly troubling recent revelation is that some Food and Drug Aministration databases were hacked during the shutdown, as the drastic reduction in staff increasee vulnerability. The FDA’s recently admitted to the cyber invasion of the Center for Biologics Evaluation and Research (CBER). If we’re smart, will provide a valuable lesson going forward.
The hack occurred on October 15, the last day of the shutdown, and the FDA says that they disabled the system and executed security measures, such as resetting passwords. CBER reviews and regulates biological products, like vaccines, blood, tissue, and cellular and gene therapies. It also educates the public about these products and how to safely and effectively use them. In other words, this is just the kind of information we want vulnerable to security breaches.
We're sorry, but we will not be tweeting or responding to @ replies during the government shutdown. We'll be back as soon as possible!
— U.S. FDA (@US_FDA) October 1, 2013
The hackers were able to retrieve names and information, including phone numbers, email addresses, and passwords, of 14,000 accounts, a third of which are currently active. Active account holders were notified three days later and encouraged to change their passwords and monitor their credit reports carefully for signs of identity theft. Other industry members weren’t notified until November 8. The FDA reported no signs of alterations to system data and the agency continues to monitor and analyze the system to be sure that no unauthorized logins occur.
The biggest concern is that the hackers obtained passwords that could give them access to biologic manufacturer accounts, other FDA or CDER databases, or even private accounts. One of the alarming details exposed by the breach is that it seems the FDA may not encrypt user passwords. The agency would not confirm or deny their password-encryption practices because of confidentiality and the “integrity of our IT security posture.” Interesting that they used the word “posture.” Some conclude that the suggestion that users change their passwords means they didn’t employ password encryption. Well, if they didn’t encrypt passwords before, I bet they’ll start doing that now, especially given that its security procedures will be examined particularly closely now. Apparently, the FDA is supposed to draft and share a five-year cyber-security plan, but that document hasn’t been released, yet.
The FDA isn’t the only government agency vulnerable to such security breaches. Hackers have also tried to attack the already problem-plagued Affordable Care Act website. For better or for worse, hacking seems to be one of the only consistently effective ways to flip the government the bird.