FDA warning: Illumina medical devices at risk.
May 1, 2023

Illumina medical instruments may be at risk after a vulnerability was discovered in the Universal Copy Service software within the devices.

The US Food and Drug Administration (FDA) is warning healthcare providers of a vulnerability affecting the Universal Copy Service (UCS) software in a multitude of Illumina devices.

A vulnerability impacting devices used for genetic sequencing and research.

The vulnerability impacts a range of devices and instruments used primarily for sequencing DNA to diagnose potential genetic medical conditions, as well as for research. The FDA lists affected devices, which include “Illumina MiSeqDx, NextSeq 550Dx, iScan, iSeq 100, MiniSeq, MiSeq, NextSeq 500, NextSeq 550, NextSeq 1000/2000, and NovaSeq 6000 sequencing instruments.” The vulnerability allows an unauthorized user to remotely take control of an instrument and alter its settings, configuration, software, or data. It can also be used to alter genomic data outcomes so that an instrument shows no results at all, or an incorrect or altered version of the results.

Illumina warns affected users, and issues a patch.

The FDA reports that on April 5 of this year, Illumina notified affected parties of the vulnerability and advised checking the relevant devices for signs of exploitation. No exploitation has been reported so far. Illumina’s chief technology officer, Alex Aravanis, wrote in a LinkedIn post that the company has developed a software update for the vulnerability, which he says will be free and require “little to no downtime for most.” For any issues, including problems installing the update, not having received a notification, or suspected exploitation, the FDA advises contacting techsupport@illumina.com.

Cyber experts provide comments on healthcare sector risks and the evolution of the sector’s responses to cyberattacks.

Roy Akerman, Co-Founder & CEO at Rezonate, discusses the risks to the healthcare sector and IoT devices:

“Healthcare providers continue to be a main target for attackers and therefore need to be on top of their game in terms of preventative actions, continuous patching, and further ability to monitor and detect attempts to exploit and compromise identity and data. While traditional endpoints and network protection have improved for the past years, IoT devices continue to lag behind in terms of visibility and effective controls which the Healthcare system is highly dependent on for critical procedures and diagnosis.”

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, commented on the evolution of responses to cyberattacks and vulnerabilities on medical devices:

"Attacks and vulnerabilities against medical devices have been a problem for decades. In the past, getting a medical device approved took years, if not over a decade, and even fixing a vulnerability could take years...putting more people at risk than necessary. That's changing. The medical device regulatory space has significantly improved regulations and processes so that devices can be more up to date when they go to market and be fixed more easily and faster when vulnerabilities are found. It's not perfect, but it's tons better than it used to be just a few short years ago."