DNA Sequencing Device Vulnerability Highlights Weakness in Healthcare Cyberinfrastructure


When you think of cyberattacks, you most likely think of them targeting common devices and systems, such as cell phones, work computers, and, more recently, even university networks. Chances are you wouldn’t be considering a cyberattack on your lab’s next-generation sequencing device, but that’s exactly what the FDA warned of late last week.

In a letter to lab personnel and healthcare providers on Thursday, the Food and Drug Administration (FDA) warned of a cybersecurity vulnerability affecting the software of some Illumina next-generation sequencing instruments.

The FDA says an unauthorized user could exploit the vulnerability by taking control of the instrument remotely or operating the system to change settings, configurations, software, or data on the instrument or a customer’s network. Hackers could even exploit the vulnerability to impact patient test results in instruments intended for clinical diagnostics, including causing instruments to provide no results, incorrect results, or altered results, or causing a potential data breach.

Affected devices include: Illumina NextSeq 550Dx, MiSeqDx, NextSeq 500, NextSeq 550, MiSeq, iSeq, and MiniSeq next-generation sequencing instruments.

At this time, the FDA and Illumina have received no reports that this vulnerability has been exploited.

Since discovering and disclosing the issue to affected customers on May 3, Illumina has developed a hotfix to protect against this vulnerability and is working to provide a permanent fix for current and future instruments.

New guidelines, legislation

The FDA letter sheds light on today’s weak medical device cybersecurity protocols. A January report from healthcare cybersecurity firm Cynerio showed that more than half of internet-connected devices used in hospitals have a vulnerability that could put patient safety, confidential data, or the usability of a device at risk.

The report analyzed data from more than 10 million devices in more than 300 hospitals and healthcare facilities around the world. Researchers found that the most hackable devices were infusion (IV) pumps, which ironically are also the most common type of internet-connected device in hospitals. The team discovered that 73% of infusion pumps have a cybersecurity vulnerability.

Even so, there is currently no law that expressly requires medical device manufacturers to address cybersecurity. Anticipating the problem, the FDA issued cybersecurity guidelines for manufacturers in 2014, then replaced them with updated draft guidelines four years later. Now, as technology continues to advance, the federal agency has once again drafted new guidelines.

“Cybersecurity threats to the healthcare industry have become more frequent, more severe, and more clinically impactful,” the FDA said in a statement. “The rapidly changing landscape and increased understanding of threats and their potential mitigations require an updated approach.”

The new draft guidelines were released in April and are open for public comment until July 7. Significant changes from the 2018 guidelines include recommendations for comprehensive cybersecurity risk management throughout the total product lifecycle, as well as requiring manufacturers to include a software bill of materials (SBOM) with all new products so that users know which components of their devices are or may be subject to cyber threats.

In fact, in the FDA’s proposed budget for fiscal year 2023, the agency is asking for $5.5 million for “medical device cybersecurity,” a $5.0 million increase from fiscal year 2022. The proposal says the money will allow the FDA to begin development of a cybersecurity program for medical devices, help manage legacy device risks, and quickly address new medical device cybersecurity vulnerabilities.

Beyond the need for an SBOM, the FDA is seeking express authority to require premarket submissions that include evidence demonstrating assurance of the device’s safety and efficacy for purposes of cybersecurity. The agency also wants to require that devices have the ability to be updated and patched in a timely manner, and that device manufacturers publicly disclose any cybersecurity vulnerabilities and provide instructions to users to reduce risk.

“These authorities are critical, as the FDA has already seen and responded to multiple incidents of ransomware and other malware in the healthcare sector,” the agency wrote in the budget proposal. “Adoption of the FDA’s proposal would reduce the likelihood of harm to patients, disruption of access to devices, and loss of market share or withdrawal from the market for devices for which a vulnerability is identified following cybersecurity incidents.”

Congress is also doing its part to protect the cyberinfrastructure of the US healthcare system. In April, Senators Bill Cassidy, MD (R-LA) and Tammy Baldwin (D-WI) introduced the bipartisan Protecting and Transforming Cyber Health Care (PATCH) Act.

The PATCH Act would:

  • implement critical cybersecurity requirements for manufacturers seeking premarket approval from the FDA,
  • enable the manufacturer to design, develop and maintain processes and procedures to update and correct the device and associated systems throughout the lifecycle of the device,
  • establish an SBOM for the device that will be provided to users,
  • require the development of a plan to monitor, identify, and address post-market cybersecurity vulnerabilities, and
  • request coordinated vulnerability disclosure to demonstrate the security and effectiveness of a device.

“Throughout the pandemic, there has been a spike in ransomware attacks within medical devices and broader networks,” said U.S. Representative Michael Burgess, MD (R-TX), who introduced the companion legislation in the House of Representatives. “These attacks affect hospitals, the medical device industry and, most importantly, American patients. This legislation will implement cybersecurity protocols and procedures for manufacturers seeking premarket approval through the FDA to ensure users are properly equipped to deal with foreign or domestic ransomware attacks. It’s time to look at how to modernize and protect our health care infrastructure.”

