CISA, FDA warns of cybersecurity vulnerabilities in software used in Illumina DNA sequencing offerings

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned of multiple vulnerabilities in Illumina Local Run Manager (LRM) software. In parallel, the Food and Drug Administration (FDA), part of the U.S. Department of Health & Human Services (HHS), informed laboratory personnel and healthcare providers about the vulnerabilities, which affect software in the Illumina NextSeq 550Dx and MiSeqDx instruments and in the NextSeq 500, NextSeq 550, MiSeq, iSeq, and MiniSeq next-generation sequencing instruments.

CISA said the flaws include path traversal, unrestricted upload of files with dangerous types, improper access control, and cleartext transmission of sensitive information. Exploiting them could allow an unauthenticated remote attacker to take control of the affected product and perform arbitrary actions at the operating-system level. “These vulnerabilities could impact settings, configurations, software, or data on the affected product and interact through the affected product with the connected network,” according to CISA's Industrial Control Systems Advisory (ICSA).
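Two of the weakness classes CISA names, path traversal and unrestricted upload of dangerous file types, most often arise in the same place: a handler that writes a client-supplied file name to disk. The following is an added, generic illustration of that pattern and its fix; it is not Illumina's or LRM's code, and the upload directory, the extension allowlist and the sample file names are constructed assumptions for the example.

```python
import posixpath

# Constructed example of the two file-handling weakness classes named in the
# advisory. Not Illumina's code; UPLOAD_ROOT and ALLOWED_EXTENSIONS are assumed.
UPLOAD_ROOT = "/var/app/uploads"                     # assumed upload directory
ALLOWED_EXTENSIONS = {".fastq", ".csv", ".txt"}      # assumed allowlist of safe types


def vulnerable_target_path(filename: str) -> str:
    """Naive join that trusts the client-supplied name.

    '../' components walk out of UPLOAD_ROOT, and an absolute name makes
    posixpath.join discard UPLOAD_ROOT entirely. Nothing limits the file type,
    so an executable or script lands wherever the name points.
    """
    return posixpath.join(UPLOAD_ROOT, filename)


def safe_target_path(filename: str) -> str:
    """Return a path that is guaranteed to sit directly under UPLOAD_ROOT
    and to carry an allowlisted extension; raise ValueError otherwise."""
    if "\x00" in filename:
        raise ValueError("NUL byte in file name")
    # Keep only the final component, treating both separator styles as separators
    base = filename.replace("\\", "/").split("/")[-1]
    if base in ("", ".", ".."):
        raise ValueError("invalid file name")
    # Normalize and confirm the result is still inside UPLOAD_ROOT (defence in depth)
    candidate = posixpath.normpath(posixpath.join(UPLOAD_ROOT, base))
    if posixpath.commonpath([UPLOAD_ROOT, candidate]) != UPLOAD_ROOT:
        raise ValueError("path escapes upload directory")
    # Allowlist, not denylist: check the last suffix, case-insensitively
    _, ext = posixpath.splitext(base)
    if ext.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError(f"file type not allowed: {ext!r}")
    return candidate


def is_rejected(filename: str) -> bool:
    """True if safe_target_path refuses the name."""
    try:
        safe_target_path(filename)
    except ValueError:
        return False if False else True
    return False


if __name__ == "__main__":
    for name in ("sample.fastq", "../../../etc/passwd", "/etc/passwd",
                 "..\\..\\boot.ini", "run.exe", "a.fastq\x00.exe"):
        print(repr(name), "->", vulnerable_target_path(name),
              "| safe:", "rejected" if is_rejected(name) else safe_target_path(name))
```

The hardened version strips every directory component rather than trying to filter `..` sequences, then re-checks with `commonpath` so a future change cannot silently reintroduce traversal; the type check is an allowlist keyed on the final extension so that names such as `a.fastq\x00.exe` or `run.exe` are refused outright.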

CISA rated four of the Illumina vulnerabilities as critical severity and one as high severity. Pentest Ltd. reported them to Illumina, which in turn reported them to CISA.

Deployed globally across the healthcare and public health sectors, the Illumina instruments are medical devices that may be specified either for clinical diagnostic use (sequencing a person’s DNA or testing for various genetic conditions) or for research use only (RUO). “Some of these instruments have a dual boot mode that allows a user to operate them in either clinical diagnostic mode or RUO mode. Devices intended for RUO are typically in a development stage and must be labeled ‘For Research Use Only. Not for use in diagnostic procedures,’ though many laboratories may be using them with tests for clinical diagnostic use,” the FDA said in its advisory.

The FDA said the cybersecurity vulnerability affects the LRM software. “An unauthorized user could exploit the vulnerability by taking control of the instrument remotely, operating the system to alter settings, configurations, software, or data on the instrument or a customer’s network; or impacting patient test results in the instruments intended for clinical diagnosis, including causing the instruments to provide no results or incorrect results, altered results, or a potential data breach.”

On May 3, 2022, Illumina sent notifications to affected customers instructing them to check their instruments and medical devices for signs of potential exploitation of the vulnerability, the FDA said.

“At this time, the FDA and Illumina have not received any reports indicating this vulnerability has been exploited,” the advisory added. 

Illumina has developed a software patch to protect against exploitation of the vulnerability and is working to provide a permanent software fix for current and future instruments. In the meantime, the FDA wants laboratory personnel and healthcare providers to be aware of the actions required to mitigate these cybersecurity risks.

The FDA is working with Illumina and coordinating with CISA to identify, communicate, and prevent adverse events related to this cybersecurity vulnerability. The FDA added that it will continue to keep healthcare providers and laboratory personnel informed if new or additional information becomes available.

To address such cybersecurity risks more broadly, the FDA announced in April the availability of draft guidance with recommendations for the healthcare industry on cybersecurity device design, labeling, and the documentation the agency recommends including in premarket submissions for devices with cybersecurity risks. These recommendations are intended to make the premarket review process more efficient and to help ensure that marketed medical devices are sufficiently resilient to cybersecurity threats.

In February, HHS data showed that 578 healthcare organizations had reported data breaches in 2021, affecting over 41.45 million individuals. The agency also revealed that 38 organizations, with close to two million individuals affected, had already reported breaches in the previous month, indicating that cybercriminals intend to keep attacking the healthcare sector in 2022.
