(1 votes, average: 5.00 out of 5)
The U.S. government has rung the alarm regarding a critical software vulnerability found in genomics giant Illumina’s DNA sequencing devices, which malicious users can exploit to alter or steal sensitive medical data of patients.
FDA and the U.S. Cybersecurity Infrastructure Security Agency (CISA) issued separate advisories on Thursday alerting the security flaw, also known as CVE-2023-1968. The vulnerability received a maximum severity rating of 10 out of 10. It could enable cybercriminals to gain unrestricted remote access to a compromised device over the internet.
“An unauthenticated malicious user could upload and execute malware remotely at the operating system level, which could allow a hacker to change configurations, settings, software, or access sensitive data on the affected product,” a CISA alert issued yesterday.
Considering the increasing use of genetic sequencing in medicine, this vulnerability could have serious consequences. Illumina is a California-based medical technology organization that develops and manufactures advanced bioanalysis and DNA sequencing machines.
The company extensively uses its products for DNA sequencing in clinical settings, research organizations, universities, biotechnology firms, and the pharmaceutical sector in more than 140 countries. Using Illumina sequencing technology, healthcare professionals and researchers can examine a patient’s DNA and find genetic mutations connected to various diseases. An unauthorized modification of genomic information has been leading to the risk of causing inaccurate diagnoses, ineffective therapies, and serious health risks to patients.
The advisories also warn of a second vulnerability, CVE-2023-1966, rated 7.4 out of 10 for severity. The flaw might provide hackers access to the operating system level, where they could upload and run malicious programs to change settings and access private information on the impacted product.
These items, used worldwide in the healthcare industry, are made for clinical diagnostic use when sequencing a person’s DNA for genetic diseases or research needs.
In January, Illumina’s CEO, Francis deSouza, said the business has over 22,000 installed sequencers. According to a LinkedIn post by Illumina CTO Alex Aravanis, the vulnerability was discovered during standard software testing while searching for vulnerabilities and exposures.
Aravanis said that when the vulnerability was identified, “our team worked to develop mitigations to protect our instruments and customers.” “We then contacted the appropriate authorities and customers and closely collaborated with them to address the issue with a simple, cost-free software update, requiring little to no downtime for the most.”
The FDA said last month that medical device manufacturers must comply with specific cybersecurity requirements when applying for a new product. This news of the Illumina vulnerability follows that announcement. Device makers must submit a strategy outlining how they intend to track and mitigate vulnerabilities and a software bill of materials listing all the elements and materials detailing every component in a device. This vulnerability highlights the expanding significance of cybersecurity in the healthcare sector, especially considering the increasing digitization and interchange of medical data. The incident emphasizes the necessity of protecting sensitive patient data and ensuring the security of medical devices. To reduce the danger of such vicious events, the CISA has recommended healthcare organizations employ security best practices and frequent vulnerability assessments.