FDA, CISA advise on genomic device software vulnerabilities

A software patch is available to prevent cybersecurity threats to patient care, genomic data and provider networks from software vulnerabilities in Illumina's benchtop and production-scale genomic sequencing instruments.
By Andrea Fox
09:33 AM

While Illumina has yet to receive any reports indicating this vulnerability has been exploited, according to a letter to healthcare providers from the U.S. Food and Drug Administration, bad actors could take control of the devices, alter the software and patient test results or compromise a provider's network and exfiltrate protected data.

WHY IT MATTERS

The FDA released a statement Thursday for healthcare providers and laboratory personnel about the required actions that need to be taken to mitigate cybersecurity risks in Illumina's sequencing instruments – MiSeqDx, NextSeq 550Dx, iScan, iSeq 100, MiniSeq, MiSeq, NextSeq 500, NextSeq 550, NextSeq 1000/2000 and NovaSeq 6000.

The cybersecurity vulnerability affects the universal copy service in various versions of device control and operating software, according to the Cybersecurity and Infrastructure Security Agency medical advisory.

FDA is urging genomic device owners to review the urgent medical device recall notice or product quality notification for researchers sent on April 5, install the patch and contact Illumina for support or to report suspicion of device compromise.

The agency notes that some laboratories may be using Illumina genomic sequencing devices for clinical diagnostic use.

Illumina is fresh from ringing the bell at the Nasdaq MarketSite in Times Square on March 30, according to its website. 

The 25-year-old genomics company supports researchers and providers of genetics programs, like those at Children’s Mercy Research Institute working on Genomic Answers for Kids.

"The more than 9,500 researchers and clinicians we serve are using these incredible advances in science to transform human health in ways that were unimaginable 25 years ago," Susan Tousi, chief commercial officer for Illumina, said.

"Like diagnosing rare disease in a matter of days. Or, catching the deadliest cancers at Stage 1 or Stage 0… or using genetics to fight climate change."

The GA4K program in Kansas City, Missouri, aims to sequence 30,000 children and their parents and announced a recent milestone of providing more than 1,000 rare disease diagnoses to families, Illumina says.

THE LARGER TREND

In addition to FDA and CISA, the Federal Bureau of Investigation is also urging healthcare organizations to stay on top of medical device cybersecurity.

The agency says unpatched, active medical devices, which carry risks stemming from outdated software and a lack of security features in older hardware, are increasingly being targeted. The vulnerabilities can affect patient safety, data confidentiality and integrity and interrupt care delivery.

Genomic data is of particular concern in a data breach. 

A notable cyber breach of Massachusetts General Hospital's neurology department exposed the protected health information, including genetic information, of approximately 10,000 people.

According to a Washington Post article about genetic data risks, the stakes may be highest at a geopolitical level. Last year, when French President Emmanuel Macron met with Russian President Vladimir Putin, Macron refused a Russian coronavirus test and they sat at opposite ends of a dining table that could comfortably seat 18-20 people, WaPo noted.

The National Cybersecurity Center of Excellence at the National Institute of Standards and Technology recently published a draft internal report on genomic data cybersecurity describing how the data can be used for population surveillance, oppression and extortion.

NCCoE says current policies, guidance and technical controls inadequately address these risks. It accepted public comments on the report through April 3.

"The characteristics of genomic data compared to other high-value datasets raises some correspondingly unique cybersecurity and privacy challenges that are inadequately addressed with current policies, guidance and technical controls," NCCoE said in a statement.

ON THE RECORD

"The FDA is working with Illumina and coordinating with the CISA to identify, communicate and prevent adverse events related to this cybersecurity vulnerability," the agency said in its letter to healthcare providers.

"The FDA will continue to keep health care providers and laboratory personnel informed if new or additional information becomes available."

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
