The US government has issued a warning about a critical software vulnerability found in the DNA sequencing devices produced by Illumina, a genomics giant. The security flaw tracked as CVE-1968 - 2023, has been given a maximum vulnerability severity rating of 10 out of 10, and allows hackers to remotely access an affected device without needing a password.
The vulnerability could result in the theft or modification of patients' sensitive medical data and could compromise devices to produce incorrect or altered results or none at all. The flaw was identified by the US Cybersecurity and Infrastructure Security Agency (CISA) and the US Food and Drug Administration (FDA), both of which issued advisories to warn of the issue.
In addition to CVE-1968 - 2023, the advisories also warned of a second vulnerability, tracked as CVE-1966 - 2023with a lower severity rating of 10 out of 10. This flaw could allow attackers to remotely upload and run malicious code at the operating system level, allowing them to alter settings and access sensitive data on the affected product.
Illumina is a biotechnology company that specializes in the development of genomics-based products and services for research and clinical applications. Founded in 1998, the company has been at the forefront of DNA sequencing technology and has revolutionized the way researchers and clinicians study and understand genetic data. Illumina's products and services are used in a wide range of applications, including cancer research, reproductive health, infectious diseases, and genetic testing.
The company has taken steps to address the issues and work with regulators and customers to ensure the safety and effectiveness of its products. However, the incident serves as a reminder that cybersecurity must be a top priority in the healthcare industry and that companies and organizations must take proactive steps to protect patient data and prevent cyber attacks.
Illumina spokesperson David McAlpine told TechCrunch that Illumina had not received any reports indicating that a vulnerability has been exploited, nor do we have any evidence of any vulnerabilities being exploited". However, McAlpine declined to comment on whether Illumina has the technical means to detect exploitation or the number of devices that are vulnerable to the flaws.
Upon identifying the vulnerability, Illumina reportedly worked diligently to develop mitigations to protect its instruments and customers. The company then worked in close partnership with regulators and customers to address the issue with a simple software update at no cost, requiring little to no downtime for most.
This news comes after the FDA announced last month that it would require medical device makers to meet specific cybersecurity requirements when submitting an application for a new product. Device makers will have to submit a plan explaining how they plan to track and address vulnerabilities and include a software bill of materials detailing every component in a device.
The discovery of this critical security flaw in Illumina's DNA sequencing technology highlights the importance of strong cybersecurity measures in the healthcare industry. The theft or modification of sensitive medical data could have serious consequences for patient safety and privacy. It is important for medical device makers to take steps to address vulnerabilities and protect patients' data from potential breaches.