Illumina sequencing devices vulnerable to critical hacking risks, FDA warns

Illumina has discovered multiple cybersecurity flaws in software embedded in several of its genetic sequencing instruments, potentially opening a door for hackers to access or alter patients’ sensitive health data, the FDA warned in a June 2 notice to healthcare providers.

The affected sequencers include the NextSeq 550Dx, MiSeqDx, NextSeq 500, NextSeq 550, MiSeq, iSeq and MiniSeq devices. They span a mix of indications: research use only, clinical use—to sequence a patient’s DNA or diagnose genetic conditions—or a combination of both.

Illumina began alerting clinical diagnostic labs and researchers who use the devices to the hacking risks in early May, when it sent notices to all affected customers. The company has already put out a short-term software patch for the cybersecurity issues, which all users are asked to immediately download and install. A permanent fix is in the works.

“We are supporting our customers to install the software patch for this issue immediately and to promptly implement the long-term solution when available. Illumina will continue to assess and enhance our systems to maintain a strong cybersecurity posture to support continuous innovation in healthcare,” Illumina said in a statement (PDF). “It is essential that all participants in the connected healthcare system are proactive and vigilant about cybersecurity, including adopting best practices and implementing short- and long-term solutions to identified vulnerabilities.”

The issue revolves around the Local Run Manager software used in the sequencers to design sequencing runs, monitor run status, analyze genomic data and access the results of each analysis. The software can be accessed either directly through the devices’ online platforms or in an off-instrument version, depending on the device.

Illumina identified five specific cybersecurity risks within the software, three of which garnered a score of 10 on the Common Vulnerability Scoring System (CVSS)—indicating the highest possible risk level—according to a notice from the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, or CISA.

The three most critical flaws could allow an unauthorized person to remotely upload malicious code to the software and execute it, potentially giving them access to private sequencing data and allowing them to change the software’s settings and configurations, resulting in inaccurate genetic analyses.

Another vulnerability was given a CVSS score of 9.1—still within the “critical” range—and could allow a hacker to “inject, replay, modify and/or intercept sensitive data,” per CISA, since the software doesn’t automatically require authentication or authorization for access.

The final flaw scored a 7.4 on the CVSS, indicating a “high” severity. It stems from the fact that certain versions of the Local Run Manager program haven’t implemented Transport Layer Security (TLS) encryption, potentially giving a bad actor the ability to intercept sensitive data as it’s sent from the sequencer to the analysis software.

Neither Illumina nor the FDA has received any reports of the vulnerabilities being exploited, the agency said.

In the meantime, as the company continues to develop a long-term fix for the issues, it “strongly advised” users to implement firewalls and other privacy tools to restrict both inbound and outbound access to the software, and to deploy the sequencing tech within the smallest possible subsection of a facility’s network, using only trusted devices.