House Committee Releases Report on the Vulnerabilities of HHS Information Security Practices
by Carson Martinez
On August 6, House Energy and Commerce Committee Chairman Fred Upton and Oversight and Investigations Subcommittee Chairman Tim Murphy released a report on data protection at the Department of Health and Human Services (HHS) and its operating divisions, and on their vulnerability to cyber breaches. The report, Information Security at the Department of Health and Human Services, was prompted by the October 15, 2013 breach at the Food and Drug Administration (FDA).
As the nation’s primary consumer protection and health agency and a component of HHS, the Food and Drug Administration (FDA) relies on information systems to store large amounts of sensitive and confidential information, and it is legally obligated to maintain security practices adequate to protect companies’ trade secrets and confidential commercial information. On October 15, 2013, an intruder gained unauthorized access to an online submission system operated by FDA’s Center for Biologics Evaluation and Research (CBER), which held approximately 14,000 current and former accounts. The intruder obtained the first and last name, phone number, email address, username and password associated with each account in the submission system. The Committee launched an investigation following the breach and confirmed that it had been accomplished by relatively unsophisticated means: a Structured Query Language (SQL) injection attack, in which attacker-supplied input is spliced into a database query and executed as SQL rather than treated as data. FDA, with a $486 million IT budget, had the resources to prevent SQL injection, but according to the Committee’s report it did not take adequate steps to do so.
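To make concrete why the Committee calls SQL injection "unsophisticated," the following is an added example, not code from the FDA system or the Committee’s report. It builds a small in-memory SQLite table whose columns mirror the fields the text says were exposed (the rows are constructed sample data), then runs the same account lookup two ways: a string-built query of the kind that is vulnerable, and a parameterized query that is the standard fix. The table name, column names and the `lookup_*` functions are assumptions made for illustration.

```python
"""Vulnerable vs. parameterized account lookup, demonstrated on SQLite.

Added example for this article; not the CBER submission system's code,
whose schema is not described on the page. The table and rows below
are constructed sample data.
"""
import sqlite3

# Constructed sample rows; columns mirror the fields the breach exposed.
# Passwords are kept in cleartext here only to mirror what the intruder
# obtained; a real system would store a salted, slow password hash.
SAMPLE_ACCOUNTS = [
    ("alice", "hunter2", "Alice", "Anders", "alice@example.com", "555-0101"),
    ("bob", "s3cret", "Bob", "Baker", "bob@example.com", "555-0102"),
    ("carol", "pa55w0rd", "Carol", "Chen", "carol@example.com", "555-0103"),
]

COLUMNS = "username, password, first_name, last_name, email, phone"


def make_db():
    """Create an in-memory database holding the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (username TEXT, password TEXT, first_name TEXT, "
        "last_name TEXT, email TEXT, phone TEXT)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?,?,?,?,?,?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(conn, username):
    """Concatenates the caller's input into the SQL text.

    Whatever the caller supplies becomes part of the statement, so a
    value such as ' OR '1'='1 turns a single-account lookup into a dump
    of every row, which is the class of flaw the Committee describes.
    """
    sql = f"SELECT {COLUMNS} FROM accounts WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    """Binds the input as a parameter.

    The statement text is fixed; the driver passes the value separately,
    so quotes or SQL keywords in it are compared as literal characters
    and can never change the query's structure.
    """
    sql = f"SELECT {COLUMNS} FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Classic tautology payload: closes the quoted literal, then appends an
# always-true condition so the WHERE clause matches every row.
INJECTION = "' OR '1'='1"


def demo():
    """Return (rows dumped via injection, rows the hardened query returns)."""
    conn = make_db()
    dumped = lookup_vulnerable(conn, INJECTION)
    safe = lookup_hardened(conn, INJECTION)
    return len(dumped), len(safe)


if __name__ == "__main__":
    dumped, safe = demo()
    print(f"vulnerable lookup returned {dumped} account(s) for payload {INJECTION!r}")
    print(f"hardened lookup returned {safe} account(s) for the same payload")
```

Running the script shows the vulnerable lookup handing back all three accounts, names, emails, phone numbers and passwords included, while the parameterized lookup returns nothing because no account is literally named `' OR '1'='1`. Parameterized queries have been the accepted defense for this vulnerability class since long before 2013, which is the point behind the report’s characterization of the breach as preventable.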
The investigation into the 2013 FDA breach also uncovered five other breaches at HHS operating divisions over the preceding three years, each accomplished by similarly unsophisticated means. Examining these breaches exposed deficiencies in information security practices across HHS and its operating divisions. At present, information technology is overseen by the Chief Information Officer (CIO), who is responsible for ensuring that data is adequately managed and protected, while the Chief Information Security Officer (CISO), who sits under the CIO, is responsible for information security. The report identifies the root cause of the breaches as this organizational relationship and division of authority between the CIO and the CISO, which produced poor security management: when information security is placed under the authority of the CIO, operational concerns take priority and security concerns are disregarded, downplayed, or deferred. In the Committee’s view, the CIO-CISO hierarchy and the resulting subordination of security to operations is a structural flaw that contributed to HHS’s vulnerability to cyber attacks.
FDA’s inadequate preparation against a simple threat like SQL injection raises troubling questions about its readiness to protect important information against more sophisticated attackers. To address these concerns, the Committee issued a set of recommendations, including separating information security from information operations by reforming the CIO-CISO structure within HHS and its operating divisions, designating the CISO as the “primary authority for information security,” and moving all information security responsibilities to the general or chief counsel’s office. The recommendations aim to create a structure that better balances security against operations and properly addresses the legal obligations that arise from information security concerns.
HHS Seeking Comments on Human Research Subjects
by M. S. Frankel
The U.S. Department of Health & Human Services (HHS) has issued a Notice of Proposed Rulemaking (NPRM) seeking comment on “proposals to better protect human subjects involved in research, while facilitating valuable research and reducing burden, delay, and ambiguity for investigators.” To receive consideration, comments must be received by 5 p.m. on December 7, 2015.
The NPRM notes that “Since the Common Rule was promulgated, the volume and landscape of research involving human subjects have changed considerably. Research with human subjects has grown in scale and become more diverse…Yet these developments have not been accompanied by major change in the human subjects research oversight system, which has remained largely unchanged over the last two decades.” The NPRM then goes on to list the goals of the proposed rule: “to increase human subjects’ ability and opportunity to make informed decisions; reduce potential for harm and increase justice by increasing the uniformity of human subject protections in areas such as information disclosure risk, coverage of clinical trials, and coverage of IRBs; and facilitate current and evolving types of research that offer promising approaches to treating and preventing medical and societal problems through reduced ambiguity in interpretation of the regulations, increased efficiencies in the performance of the review system, and reduced burdens on researchers that do not appear to provide commensurate protections to human subjects. It is hoped that these changes will also build public trust in the research system.”