When you think of cybersecurity attacks, you most likely think of them occurring to the common vehicles, like cell phones, work computers and even university networks more recently. Odds are, you don’t consider a cyberattack on the next-generation sequencing device in your lab—but that’s exactly what the FDA warned of late last week.
In a letter Thursday to laboratory personnel and health care providers, the Food and Drug Administration (FDA) warned of a cybersecurity vulnerability affecting software in specific Illumina next-generation sequencing instruments.
The FDA says an unauthorized user could exploit the vulnerability by taking control of the instrument remotely or operating the system to alter settings, configurations, software, or data on the instrument or a customer’s network. Hackers can even attack the vulnerability to impact patient test results in the instruments intended for clinical diagnosis, including causing the instruments to provide no results or incorrect results, altered results or a potential data breach.
The affected devices include: Illumina NextSeq 550Dx, the MiSeqDx, the NextSeq 500, NextSeq 550, MiSeq, iSeq, and MiniSeq, next generation sequencing instruments.
At this time, the FDA and Illumina have not received any reports indicating this vulnerability has been exploited.
Since it discovered and disclosed the issue to affected customers on May 3, Illumina has developed a software patch to protect against this vulnerability and is working to provide a permanent software fix for current and future instruments.
New guidance, legislation
The FDA letter shines a renewed light on the weak cybersecurity protocols of today’s medical devices. A report published in January from healthcare cybersecurity company Cynerio showed over half of internet-connected devices used in hospitals have a vulnerability that could put patient safety, confidential data, or the usability of a device at risk.
The report analyzed data from more than 10 million devices at over 300 hospitals and health care facilities globally. The researchers discovered that the most hackable device was infusion (IV) pumps—which ironically are also the most common type of internet-connected devices in hospitals. The team found that 73% of infusion pumps have a cybersecurity vulnerability.
Even so, there is currently no law that that expressly requires medical device manufacturers to address cybersecurity. Foreseeing the problem, the FDA issued cybersecurity guidance for manufacturers in 2014, and then replaced those with updated draft guidelines four years later. Now, as technology continues to advance, the federal agency has once again drafted new guidance.
“Cybersecurity threats to the healthcare sector have become more frequent, more severe and more clinically impactful,” the FDA said in a statement. “The rapidly evolving landscape and the increased understanding of the threats and their potential mitigations, necessitates an updated approach.”
The new draft guidance was issued in April but is open for public comment through July 7. Significant changes from the 2018 guidance include recommendations for comprehensive management of cybersecurity risks throughout total product life cycle, as well as asking manufacturers to include a Software Bill of Materials (SBOM) with all new products so users know which components of their devices are or may be subject to cyber threats.
In fact, in the FDA’s proposed FY2023 budget, the agency asks for $5.5 million for “Medical Device Cybersecurity,” an increase of $5.0 million from FY 2022. The proposal says the money will allow the FDA to begin development of a cybersecurity program for medical devices, help address risks with legacy devices and rapidly address new medical device cybersecurity vulnerabilities.
Beyond necessitating a SBOM, the FDA seeks to have express authority to require premarket submissions that include evidence demonstrating assurance of the device’s safety and effectiveness for purposes of cybersecurity. The agency also wants to require devices have the capability to be updated and patched in a timely manner, and have device manufacturers publicly disclose of any cybersecurity vulnerability and provide direction to users to reduce risk.
“These authorities are critical, as FDA has already seen and responded to several ransomware and other malware incidents within the health care sector,” the agency wrote in the budget proposal. “Enacting FDA’s proposal would reduce the likelihood of harm to patients, interrupted access to devices, and loss of market share or market withdrawal for devices for which a vulnerability is identified as a result of cybersecurity incidents.”
Congress is also doing their part to protect the US health care system’s cyber infrastructure. In April, Senators Bill Cassidy, MD (R-LA) and Tammy Baldwin (D-WI) introduced the bipartisan Protecting and Transforming Cyber Health Care (PATCH) Act.
The PATCH Act would:
- implement critical cybersecurity requirements for manufacturers applying for premarket approval through the FDA,
- allow for the manufacturer to design, develop, and maintain processes and procedures to update and patch the device and related systems throughout the lifecycle of the device,
- establish a SBOM for the device that will be provided to users,
- require the development of a plan to monitor, identify, and address post market cybersecurity vulnerabilities, and
- request a Coordinated Vulnerability Disclosure to demonstrate safety and effectiveness of a device.
“Throughout the pandemic, there was spike in ransomware attacks within medical devices and larger networks,” said US Representative Michael Burgess, MD (R-TX), who introduced the companion legislation in the House of Representatives. “These attacks affect hospitals, the medical device industry, and, most importantly, American patients. This legislation will implement cybersecurity protocols and procedures for manufacturers applying for premarket approval through the FDA to ensure users are properly equipped to deal with foreign or domestic ransomware attacks. It is time to examine how to modernize and protect our health care infrastructure.”