
FDA Urges Healthcare to Patch Severe Illumina Cybersecurity Vulnerabilities

The FDA urged organizations to immediately patch cybersecurity vulnerabilities that impact certain Illumina medical devices.

The US Food and Drug Administration (FDA) urged healthcare organizations to immediately patch severe cybersecurity vulnerabilities impacting certain Illumina medical devices. The vulnerabilities impact some Illumina In Vitro Diagnostic devices that run on Local Run Manager (LRM) software.

If exploited, an unauthorized user could take control of the instrument remotely, alter settings, configurations, and data on the customer’s network, or impact patient test results by causing the instruments to produce no results, incorrect results, or altered results, the FDA stated. At the time of publication, the FDA and Illumina had not received any reports of exploitation relating to these vulnerabilities.

The vulnerabilities impact LRM software found in the Illumina NextSeq 550Dx, the MiSeqDx, the NextSeq 500, NextSeq 550, MiSeq, iSeq, and MiniSeq, the FDA explained.

The Cybersecurity and Infrastructure Security Agency (CISA) released a detailed advisory about the vulnerabilities and noted that Illumina developed a patch to protect against remote exploitation, and is “actively working to provide a permanent software fix for current and future instruments.”

CISA recommended that users take defensive measures to reduce risk, including minimizing network exposure for the affected instruments, isolating the devices behind firewalls, and using VPNs when remote access is required.
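One concrete form of the "isolate devices behind firewalls" and "minimize network exposure" recommendations is a default-deny rule set on the gateway between the sequencer segment and the rest of the network. The rule set below is an added illustration, not taken from the FDA notice, the CISA advisory, or Illumina; the subnets (10.30.0.0/24 for instruments, 10.20.0.0/24 for lab management hosts and the VPN address pool) and the management port (443) are constructed assumptions and should be replaced with the addresses and ports from Illumina's safety notification.

```nftables
# Added example of segmenting lab instruments behind a firewall with nftables.
# Not from the advisory or from Illumina; all addresses and ports are assumed.

# Weak starting point, shown commented out: a forward chain that accepts
# everything, so any host on the corporate network can reach the instruments.
#   chain forward { type filter hook forward priority 0; policy accept; }

define INSTRUMENT_NET = 10.30.0.0/24   # assumed: sequencer VLAN
define LAB_MGMT_NET   = 10.20.0.0/24   # assumed: lab workstations and VPN pool
define MGMT_PORTS     = { 443 }        # assumed; use the ports in Illumina's notice

table inet lab_instruments {
    chain forward {
        # Hardened default: nothing crosses into or out of the instrument
        # segment unless a rule below explicitly allows it.
        type filter hook forward priority 0; policy drop;

        # Let replies to already permitted flows return.
        ct state established,related accept
        ct state invalid drop

        # Only lab management hosts (including users arriving through the VPN)
        # may open connections to the instruments, and only on management ports.
        ip saddr $LAB_MGMT_NET ip daddr $INSTRUMENT_NET tcp dport $MGMT_PORTS log prefix "lrm-mgmt-allow " accept

        # Instruments do not initiate connections to the rest of the network;
        # log the attempt, since an instrument reaching out is worth a look.
        ip saddr $INSTRUMENT_NET log prefix "instrument-egress-drop " drop

        # Everything else aimed at the instrument segment is logged and dropped.
        ip daddr $INSTRUMENT_NET log prefix "instrument-ingress-drop " drop
    }
}
```

Load it with `nft -f <file>` on the gateway that routes the instrument VLAN. The log prefixes are there so that a SIEM rule on the kernel log can alert on any host outside the management subnet probing the instruments, which is the kind of traffic a remote exploitation attempt against the LRM software would generate.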

“These instruments are medical devices that may be specified either for clinical diagnostic use in sequencing a person’s DNA or testing for various genetic conditions, or for research use only (RUO). Some of these instruments have a dual boot mode that allows a user to operate them in either clinical diagnostic mode or RUO mode,” the FDA noted.

“Devices intended for RUO are typically in a development stage and must be labeled ‘For Research Use Only. Not for use in diagnostic procedures.’ – though many laboratories may be using them with tests for clinical diagnostic use.”

The FDA urged users to review Illumina’s safety notification, which Illumina sent to impacted customers on May 3. Customers should also immediately download and install the software patch on every affected instrument.

“The FDA is working with Illumina and coordinating with the CISA to identify, communicate, and prevent adverse events related to this cybersecurity vulnerability,” the notice concluded.

“The FDA will continue to keep health care providers and laboratory personnel informed if new or additional information becomes available.”

The National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) stressed the importance of immediate patching by releasing final guidance regarding enterprise patch management to help organizations prevent vulnerabilities and exploitation within their IT systems.

NCCoE positioned patching as a “cost of doing business,” emphasizing that a thorough enterprise-wide patch management strategy is crucial to avoiding adverse events.

“By default, an organization accepts the risk posed by using its software. Software could have vulnerabilities in it at any time that the organization does not know about, and sometimes previously unknown vulnerabilities are exploited – a zero-day attack,” NCCoE noted.

“Once a new vulnerability becomes publicly known, risk usually increases because attackers are more likely to develop exploits that target the vulnerable software.”
