DNA-sequencing equipment vulnerability adds new twist to medical-device cyberthreats
A major vulnerability in the software used by gene sequencers produced by genetic-research equipment maker Illumina highlights the dangers of software vulnerabilities in medical devices, but also demonstrates the positive impact of legislation in strengthening cybersecurity in the medical field.
The vulnerability, originally discovered during an internal Illumina assessment, allows an unauthenticated attacker to exploit the system and execute code at the operating system level, according to an advisory published by the Cybersecurity and Infrastructure Security Agency (CISA). The vulnerability, together with a second, less serious flaw, raises the possibility of attackers specifically targeting medical research facilities and forensics laboratories.
While the cybersecurity of medical devices is critical, security issues in DNA sequencing and synthesis equipment pose specific risks, says Josh Corman, vice president of cyber safety strategy at Claroty, a cyber-physical security provider, and a former chief strategist with CISA.
“Anything that touches DNA — yes, it’s a privacy concern — but also think about digital forensics or think about custom cancer treatments, right?” he says. “If you could taint evidence for a crime, if you could mess with someone’s treatment, if you cast doubt on a particular device manufacturer — this is an integrity attack to me, not so much just attacking the availability of the device or using it as a jumping-off point for ransomware.”
Yet the vulnerabilities also demonstrate the impact of the current legislative and regulatory push to force the makers of connected devices to improve their overall cybersecurity posture. In December, the omnibus federal budget bill changed the requirements for manufacturers of medical devices as of March 29, 2023, requiring that they provide a software bill of materials (SBOM), have a plan to address post-market vulnerabilities and exploits, and have a secure development lifecycle. The Biden administration’s National Cybersecurity Strategy also called for tighter cybersecurity requirements and potential liability for those who failed to take action, while a bipartisan bill — the Protecting and Transforming Cyber Health Care (PATCH) Act — will require medical device makers to focus more on cybersecurity.
Both the Food and Drug Administration (FDA) and CISA are doing more to focus medical device makers on cybersecurity. The FDA issued a letter to healthcare providers on April 27 advising them of the vulnerabilities, noting that Illumina had issued a patch for its products and had worked with the FDA and CISA to communicate information to its users.
“On April 5, 2023, Illumina sent notifications to affected customers instructing them to check their instruments and medical devices for signs of potential exploitation of the vulnerability,” the FDA stated in its letter, adding: “The FDA wants healthcare providers and laboratory personnel to be aware of the required actions to mitigate these cybersecurity risks.”
Cybersecurity With a Twist
The Illumina Universal Copy Service vulnerability highlights how far-reaching the impact of a single vulnerability in medical systems and devices can be across healthcare. Using the vulnerability (CVE-2023-1966), an attacker could modify configurations and settings, install additional software, and access sensitive data on vulnerable products, according to CISA’s April 27 advisory. A second, less serious vulnerability (CVE-2023-1968) would also allow attackers to turn the sequencer into a network-monitoring device.
The obvious threat for an organization with these devices is that they could be used as a beachhead into a network, allowing the compromise of lab equipment and computers on the same network. Because that equipment is often not managed by the organization’s IT security group, an attacker may be able to have a greater impact.
To read the complete article, visit Dark Reading.