A U.S. House committee examination of HHS and FDA information system security revealed that five divisions within the organizations have been breached in the last three years using "unsophisticated means."
The report addresses several points of concern about how the HHS and FDA have handled those recent data breaches, including the following:
• Information security officials were not always permitted full visibility into their own networks as a result of their relationship with agency contractors.
• Two data breaches in two different operating divisions resulted from misconfigurations.
• Officials in one operating division misidentified a list of hacker aliases as a list of security vulnerabilities.
• Officials at two operating divisions were unable to provide accurate information about security incidents within their own networks.
"Of concern to the committee, officials at the affected agencies often struggled to provide accurate and sufficient information on the security incidents during the committee's investigation," the authors wrote.
The authors concluded that their investigation demonstrates that placing operations and security oversight within the same office can mean sacrificing security for operations.